CVE-2023-50868 Information

Description

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack aka the \NSEC3\ issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

Reference

https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html https://www.isc.org/blogs/2024-bind-security-release/ https://datatracker.ietf.org/doc/html/rfc5155 https://kb.isc.org/docs/cve-2023-50868 https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html