Microsoft addressed a critical flaw in the Domain Name System Security Extensions (DNSSEC) protocol during this week’s Patch Tuesday. The vulnerability, known as CVE-2023-50868, affects a third-party DNSSEC mechanism called Next Secure Hash 3 (NSEC3). This vulnerability allows attackers to overload a DNS resolver’s computing resources by sending crafted DNS packets. Various vendors and projects were affected by this flaw, and patches had been released prior to Microsoft’s announcement.
What made this vulnerability particularly dangerous is its potential to cause denial-of-service attacks by exhausting the CPU cycles of DNS resolvers. Researchers from the German National Research Center for Applied Cybersecurity ATHENE discovered this flaw along with another serious DNSSEC vulnerability, CVE-2023-50387 (KeyTrap), which posed a greater risk of disrupting large portions of the Internet. KeyTrap allowed attackers to disable vulnerable DNS servers with a single packet, rendering them offline by overloading the CPU.
Tyler Reguly, from Fortra, pointed out that flaws like CVE-2023-50868 provide attackers with an opportunity to slow down or completely halt a DNS server’s responsiveness. This delay increases the likelihood of DNS cache poisoning, a technique used by malicious actors to divert traffic to fake websites. Reguly expressed surprise at Microsoft’s delayed response to this issue, especially considering the collaborative effort from other vendors in addressing similar vulnerabilities promptly.
Lionel Litty, chief security architect at Menlo Security, highlighted the difficulty in resolving algorithmic complex vulnerabilities like the DNSSEC resource exhaustion flaws. Addressing these issues often requires substantial changes in how algorithms are implemented, potentially leading to fundamental redesigns of server prioritization for requests.
Cross-industry collaboration has been crucial in responding to protocol-level vulnerabilities like CVE-2023-50868 and CVE-2023-50387. These flaws, along with historical vulnerabilities like Heartbleed in OpenSSL, demonstrate the industry-wide impact of such issues. While progress has been made in improving responsiveness and coordination among vendors and security researchers, there is still room for improvement in the speed and efficiency of patch deployment across the industry.
In conclusion, the recent DNSSEC vulnerabilities serve as a reminder of the ongoing challenges in securing foundational Internet technologies. Collaboration and swift action are essential in mitigating the impact of such vulnerabilities and protecting the stability of the Internet infrastructure.