Description
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
bind9 | fixed | 1:9.19.21-1 | | package |
dnsmasq | fixed | 2.90-1 | | package |
dnsmasq | fixed | 2.90-4~deb12u1 | bookworm | package |
knot-resolver | fixed | 5.7.1-1 | | package |
knot-resolver | ignored | | bullseye | package |
knot-resolver | ignored | | buster | package |
pdns-recursor | fixed | 4.9.3-1 | | package |
pdns-recursor | end-of-life | | bullseye | package |
unbound | fixed | 1.19.1-1 | | package |
systemd | fixed | 255.4-1 | | package |
systemd | fixed | 252.23-1~deb12u1 | bookworm | package |
systemd | no-dsa | | buster | package |
dnsjava | fixed | 3.6.2-1 | | package |
dnsjava | no-dsa | | bookworm | package |
dnsjava | no-dsa | | bullseye | package |
Notes
https://kb.isc.org/docs/cve-2023-50868
https://downloads.isc.org/isc/bind9/9.16.48/patches/0005-CVE-2023-50387-CVE-2023-50868.patch
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html
https://github.com/CZ-NIC/knot-resolver/commit/e966b7fdb167add0ec37c56a954c2d847f627985 (v5.7.1)
https://github.com/CZ-NIC/knot-resolver/commit/eccb8e278c1cde0548cc570eac619feaa290cede (v5.7.1)
https://github.com/CZ-NIC/knot-resolver/commit/b5051ac26f34358b40f9115f977fe1f54e8f581e (v5.7.1)
https://github.com/CZ-NIC/knot-resolver/commit/24699e9f206a8f957b516cad22a8e5790d226836 (v5.7.1)
https://github.com/CZ-NIC/knot-resolver/commit/a05cf1d379d1af0958587bd111f791b72f404364 (v5.7.1)
https://github.com/CZ-NIC/knot-resolver/commit/9b421cdf91f987e0254a06ff2c4e8fbf76dc2b58 (v5.7.1)
https://github.com/CZ-NIC/knot-resolver/commit/5e80624b18d40ae44be704751d3b22943edf287f
https://github.com/CZ-NIC/knot-resolver/commit/f9ba52e6f54bc1db122870df50cb364cb977436e (v5.7.1)
https://github.com/CZ-NIC/knot-resolver/commit/b044babbee358dc305d770a1dab3a877c49468a7 (v5.7.1)
https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released
Fixed by: https://github.com/PowerDNS/pdns/pull/13781
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt
Fixed by: https://github.com/NLnetLabs/unbound/commit/92f2a1ca690a44880f4c4fa70a4b5a4b029aaf1c (release-1.19.1)
https://github.com/systemd/systemd/issues/31413
https://github.com/systemd/systemd/commit/67d0ce8843d612a2245d0966197d4f528b911b66 (v256)
https://github.com/systemd/systemd/commit/eba291124bc11f03732d1fc468db3bfac069f9cb (v256)
https://github.com/systemd/systemd-stable/commit/1ebdb19ff194120109b08bbf888bdcc502f83211 (v255.4)
https://github.com/systemd/systemd-stable/commit/572692f0bdd6a3fabe3dd4a3e8e5565cc69b5e14 (v255.4)
https://github.com/systemd/systemd-stable/commit/2f5edffa8ffd5210165ebe7604f07d23f375fe9a (v254.10)
https://github.com/systemd/systemd-stable/commit/9899281c59a91f19c8b39362d203e997d2faf233 (v254.10)
https://github.com/systemd/systemd-stable/commit/7886eea2425fe7773cc012da0b2e266e33d4be12 (v253.17)
https://github.com/systemd/systemd-stable/commit/156e519d990a5662c719a1cbe80c6a02a2b9115f (v253.17)
https://github.com/systemd/systemd-stable/commit/7633d969f3422f9ad380a512987d398e54764817 (v252.23)
https://github.com/systemd/systemd-stable/commit/b43bcb51ebf9aea21b1e280e1872056994e3f53d (v252.23)
systemd: DNSSEC is off by default in systemd-resolved
https://github.com/advisories/GHSA-mmwx-rj87-vfgr
https://github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116 (v3.6.0)
Related vulnerabilities
MITRE: CVE-2023-50868 NSEC3 closest encloser proof can exhaust CPU