CVE-2023-50868
published 2024-02-14


High 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

Affected

60 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cz.nic | knot-resolver | >= 0 < 5.6.0-1+deb12u1 | 5.6.0-1+deb12u1 |
| cz.nic | knot-resolver | >= 0 < 5.7.1-1 | 5.7.1-1 |
| cz.nic | knot-resolver | >= 0 < 5.7.1-1 | 5.7.1-1 |
| debian | bind9 | < bind9 1:9.18.24-1 (bookworm) | bind9 1:9.18.24-1 (bookworm) |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | dnsjava | < bind9 1:9.18.24-1 (bookworm) | bind9 1:9.18.24-1 (bookworm) |
| debian | dnsmasq | < bind9 1:9.18.24-1 (bookworm) | bind9 1:9.18.24-1 (bookworm) |
| debian | knot-resolver | < bind9 1:9.18.24-1 (bookworm) | bind9 1:9.18.24-1 (bookworm) |
| debian | pdns-recursor | < bind9 1:9.18.24-1 (bookworm) | bind9 1:9.18.24-1 (bookworm) |
| debian | systemd | < bind9 1:9.18.24-1 (bookworm) | bind9 1:9.18.24-1 (bookworm) |
| debian | unbound | < bind9 1:9.18.24-1 (bookworm) | bind9 1:9.18.24-1 (bookworm) |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| isc | bind | >= 9.0.0 < 9.16.48 | 9.16.48 |
| isc | bind | >= 9.18.0 < 9.18.24 | 9.18.24 |
| isc | bind | >= 9.18.11 < 9.18.24 | 9.18.24 |
| isc | bind | >= 9.19.0 < 9.19.21 | 9.19.21 |
| isc | bind | >= 9.9.3 < 9.16.48 | 9.16.48 |
| isc | bind9 | >= 0 < 1:9.16.48-1 | 1:9.16.48-1 |
| isc | bind9 | >= 0 < 1:9.18.24-1 | 1:9.18.24-1 |
| isc | bind9 | >= 0 < 1:9.19.21-1 | 1:9.19.21-1 |
| isc | bind9 | >= 0 < 1:9.19.21-1 | 1:9.19.21-1 |
| isc | bind9 | >= 0 < 1:9.16.48-0ubuntu0.20.04.1 | 1:9.16.48-0ubuntu0.20.04.1 |
| isc | bind9 | >= 0 < 1:9.18.18-0ubuntu0.22.04.2 | 1:9.18.18-0ubuntu0.22.04.2 |

CVSS provenance

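| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |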