Описание
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
A flaw was found in bind9. By flooding a DNSSEC resolver with responses coming from a DNSEC-signed zone using NSEC3, an attacker can lead the targeted resolver to a CPU exhaustion, further leading to a Denial of Service on the targeted host.
This vulnerability applies only for systems where DNSSEC validation is enabled.
Отчет
The vulnerability in BIND9 that leads to CPU exhaustion through a flood of DNSSEC responses with NSEC3 signatures is a important severity issue due to its potential to induce a Denial of Service (DoS) condition on affected resolvers. By exploiting this flaw, an attacker can overwhelm a DNSSEC-enabled resolver with computationally intensive tasks, depleting CPU resources and disrupting normal DNS operations. This can result in significant service outages, affecting the resolver's ability to process legitimate DNS queries and thereby compromising network availability and reliability. The impact is exacerbated in high-traffic environments or where DNSSEC validation is extensively employed, making prompt remediation essential to prevent operational disruptions and maintain DNS infrastructure integrity.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | dnsmasq | Not affected | ||
| Red Hat Enterprise Linux 9 | dhcp | Not affected | ||
| Red Hat Enterprise Linux 6 Extended Lifecycle Support - EXTENSION | bind | Fixed | RHSA-2025:0039 | 06.01.2025 |
| Red Hat Enterprise Linux 6 Extended Lifecycle Support - EXTENSION | bind-dyndb-ldap | Fixed | RHSA-2025:0039 | 06.01.2025 |
| Red Hat Enterprise Linux 7 | bind | Fixed | RHSA-2024:3741 | 10.06.2024 |
| Red Hat Enterprise Linux 7 | bind-dyndb-ldap | Fixed | RHSA-2024:3741 | 10.06.2024 |
| Red Hat Enterprise Linux 7 | dhcp | Fixed | RHSA-2024:3741 | 10.06.2024 |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | unbound | Fixed | RHSA-2024:11003 | 12.12.2024 |
| Red Hat Enterprise Linux 8 | unbound | Fixed | RHSA-2024:0965 | 26.02.2024 |
| Red Hat Enterprise Linux 8 | dnsmasq | Fixed | RHSA-2024:1335 | 14.03.2024 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
MITRE: CVE-2023-50868 NSEC3 closest encloser proof can exhaust CPU
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 whe ...
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
EPSS
7.5 High
CVSS3