CVE-2023-50868 in DNS Protocolinfo

Summary

by MITRE • 02/14/2024

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 12/23/2025

The vulnerability identified as CVE-2023-50868 represents a critical denial of service weakness within the DNS security infrastructure, specifically affecting implementations of DNSSEC NSEC3 records. This flaw manifests when DNS servers process DNSSEC responses containing NSEC3 records without properly implementing the guidance outlined in RFC 9276, creating a scenario where attackers can exploit the computational overhead associated with SHA-1 hash calculations. The vulnerability operates through a random subdomain attack pattern where malicious actors can craft specific DNS queries that trigger excessive CPU utilization during the processing of DNSSEC responses.

The technical root cause of this vulnerability stems from the implementation of RFC 5155's Closest Encloser Proof mechanism, which requires specific hash function iterations to validate DNSSEC records. When systems fail to implement the recommended security measures from RFC 9276, they become susceptible to attacks that can cause substantial computational overhead through repeated SHA-1 computations. This occurs because the NSEC3 record processing requires thousands of hash iterations in certain validation scenarios, creating a resource exhaustion condition that can be triggered by carefully crafted DNS responses.

The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise entire DNS infrastructure availability. Attackers can exploit this weakness to consume excessive CPU cycles on authoritative and recursive DNS servers, leading to significant performance degradation or complete service unavailability. The attack vector is particularly concerning because it requires minimal resources to execute and can be amplified through DNS resolution patterns, making it a scalable threat to DNS infrastructure. This vulnerability affects systems that implement DNSSEC without proper rate limiting or computational resource controls for NSEC3 processing.

Security professionals should implement immediate mitigations including rate limiting mechanisms for DNSSEC response processing, implementing proper CPU time limits for hash computation operations, and ensuring compliance with RFC 9276 recommendations for NSEC3 implementation. Organizations should also consider deploying DNS security solutions that can detect and block malicious NSEC3 processing patterns, while monitoring for unusual CPU utilization patterns during DNSSEC validation. The vulnerability aligns with CWE-778 (Insufficient Logging) and CWE-400 (Uncontrolled Resource Consumption) categories, and represents a technique that could be categorized under ATT&CK tactic TA0043 (Resource Hijacking) through the use of computational resources for malicious purposes. Implementation of proper NSEC3 iteration limits and computational resource monitoring can significantly reduce the attack surface and prevent exploitation of this vulnerability.

Reservation

12/14/2023

Disclosure

02/14/2024

Moderation

accepted

Entry

2

Relate

show

CPE

ready

EPSS

0.81729

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!