CVE-2023-50868 — HIGH (7.5)

Q: How severe is CVE-2023-50868?

CVE-2023-50868 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-50868?

Check the references section above for vendor advisories and patch information. Affected products include: Isc Bind, Fedoraproject Fedora, Debian Debian Linux, Redhat Enterprise Linux, Powerdns Recursor.

Vulnerability Description

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Isc	Bind	>= 9.0.0, < 9.16.48
Fedoraproject	Fedora	38
Debian	Debian Linux	10.0
Redhat	Enterprise Linux	6.0
Powerdns	Recursor	< 4.8.5
Netapp	Bootstrap Os	-
Netapp	Hci Compute Node	-
Netapp	Active Iq Unified Manager	-
Netapp	Hci Baseboard Management Controller	-
Netapp	H300S	-
Netapp	H410C	-
Netapp	H410S	-
Netapp	H500S	-
Netapp	H700S	-

Related Weaknesses (CWE)

CWE-400

References

http://www.openwall.com/lists/oss-security/2024/02/16/2Issue TrackingMailing List
http://www.openwall.com/lists/oss-security/2024/02/16/3Issue TrackingMailing List
https://access.redhat.com/security/cve/CVE-2023-50868Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1219826Issue Tracking
https://datatracker.ietf.org/doc/html/rfc5155Technical Description
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01Vendor Advisory
https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1Release Notes
https://kb.isc.org/docs/cve-2023-50868Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/02/msg00006.htmlVendor AdvisoryMailing List
https://lists.debian.org/debian-lts-announce/2024/05/msg00011.htmlVendor AdvisoryMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproVendor AdvisoryMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproVendor AdvisoryMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproVendor AdvisoryMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproVendor AdvisoryMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproVendor AdvisoryMailing List

FAQ

What is CVE-2023-50868?

CVE-2023-50868 is a vulnerability with a CVSS score of 7.5 (HIGH). The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via ...

How severe is CVE-2023-50868?

CVE-2023-50868 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-50868?

Check the references section above for vendor advisories and patch information. Affected products include: Isc Bind, Fedoraproject Fedora, Debian Debian Linux, Redhat Enterprise Linux, Powerdns Recursor.