Microsoft, Late to the Game on Dangerous DNSSEC Zero-Day Flaw
Why the company took so long to address the issue is not known, given that most other stakeholders had a fix out months ago.
Source: Robert K. Chin via Alamy Stock Photo
Among the more dangerous of the flaws Microsoft patched this week on Patch Tuesday is a denial-of-service (DoS) vulnerability in the Domain Name System Security Extensions (DNSSEC) protocol that was publicly disclosed back in February.
The vulnerability, identified as CVE-2023-50868, exists in the DNSSEC mechanism NSEC3 (Next Secure, version 3, defined in RFC 5155), which lets a resolver prove that a queried name truly does not exist while making it hard to enumerate, or "walk", the contents of a signed zone. To check such a proof, a validating resolver has to hash the queried name and its parent names with SHA-1, repeating the hash as many times as the zone's NSEC3 iteration count demands. An attacker who controls a zone, or who can answer for one, can craft DNSSEC responses that push that iteration count and the number of names to be checked to the maximum, so the resolver essentially exhausts its CPU trying to validate the answer.
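The computation described above, as an added example that is not code from the article, from Microsoft, or from any DNS vendor. It implements the RFC 5155 NSEC3 hash (SHA-1 iterated over the wire-format name and salt) and a deliberately simplified closest-encloser search, meters how many SHA-1 calls an honest response costs versus an attacker-built one, and shows the mitigation most vendors shipped: refusing to hash at all when the iteration count exceeds a cap (RFC 9276 says validators SHOULD treat more than 100 iterations as insecure). The HashMeter and NSEC3 classes, find_closest_encloser, and all inputs are constructed for this illustration; a real validator also checks the "next closer" and wildcard records, which are omitted here.

```python
"""NSEC3 hashing (RFC 5155) and a naive closest-encloser search, plus the
RFC 9276 iteration cap that defuses CVE-2023-50868-style responses.
Added example for this article; not code from Microsoft or any DNS vendor."""
import base64
import hashlib
from dataclasses import dataclass

# NSEC3 owner labels are base32hex (RFC 4648 "Extended Hex"); Python's
# base64 module only ships the standard alphabet, so translate it.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def b32hex(data: bytes) -> str:
    return base64.b32encode(data).translate(_TO_B32HEX).decode().rstrip("=").lower()


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root terminated."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


@dataclass
class HashMeter:
    """Counts SHA-1 invocations so the CPU cost of validating a response is visible."""
    calls: int = 0

    def sha1(self, data: bytes) -> bytes:
        self.calls += 1
        return hashlib.sha1(data).digest()


def nsec3_hash(name: str, salt: bytes, iterations: int, meter: HashMeter) -> str:
    """RFC 5155 s5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt).
    That is iterations+1 SHA-1 calls per name, with the count chosen by the zone
    (or by whoever answers for it)."""
    h = meter.sha1(name_to_wire(name) + salt)
    for _ in range(iterations):
        h = meter.sha1(h + salt)
    return b32hex(h)


@dataclass
class NSEC3:
    """The NSEC3 RR fields that matter here (hypothetical, simplified record)."""
    salt: bytes
    iterations: int
    owner_hash: str  # base32hex label the record was sent under


def ancestors(qname: str, zone: str):
    """Yield qname, then each parent name, down to and including the zone apex."""
    labels = qname.rstrip(".").lower().split(".")
    depth = len(labels) - len(zone.rstrip(".").split("."))
    for i in range(depth + 1):
        yield ".".join(labels[i:])


def find_closest_encloser(qname, zone, records, meter, max_iterations=None):
    """Simplified RFC 5155 s8.3 search: hash each ancestor of qname under every
    record's parameters until an owner hash matches. Returns (status, name, sha1_calls).
    max_iterations=None models a pre-RFC 9276 validator that does whatever the
    response asks; RFC 9276 says validators SHOULD treat >100 iterations as insecure."""
    if max_iterations is not None and any(r.iterations > max_iterations for r in records):
        return "insecure", None, meter.calls  # refuse before doing any hashing
    for name in ancestors(qname, zone):
        for r in records:
            if nsec3_hash(name, r.salt, r.iterations, meter) == r.owner_hash:
                return "secure", name, meter.calls
    return "bogus", None, meter.calls


def demo():
    # Constructed inputs. The honest response reuses RFC 5155 Appendix A's
    # parameters (salt aabbccdd, 12 iterations) for the apex of "example.".
    salt = bytes.fromhex("aabbccdd")
    honest = [NSEC3(salt, 12, nsec3_hash("example.", salt, 12, HashMeter()))]
    legit = find_closest_encloser("nonexistent.example.", "example.", honest, HashMeter())

    # Attacker-controlled response: four records with garbage owner hashes and a
    # high iteration count, answering a deep random-subdomain QNAME. Nothing will
    # ever match, so the validator hashes every ancestor under every record.
    hostile = [NSEC3(salt, 2500, "0" * 32) for _ in range(4)]
    qname = "a.b.c.d.e.f.g.h.example."
    attacked = find_closest_encloser(qname, "example.", hostile, HashMeter())
    capped = find_closest_encloser(qname, "example.", hostile, HashMeter(), max_iterations=100)
    return {"legit": legit, "attacked": attacked, "capped": capped}


if __name__ == "__main__":
    for label, (status, name, calls) in demo().items():
        print(f"{label:9s} status={status:9s} closest_encloser={name} sha1_calls={calls}")
```

The honest case costs 26 SHA-1 calls (two names, 13 hashes each); the hostile response costs 9 names x 4 records x 2501 hashes = 90,036 calls for a single query, and a real attacker would use the maximum iteration count and as many records as fit in the message. With the cap in place the same response is rejected as insecure with zero hashes computed.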
It affects several vendors and projects, including Unbound, BIND, dnsmasq, PowerDNS, and various Linux distributions, most of which released patches well before Microsoft did. A list of advisories can be found here.
DNSSEC Resource Exhaustion Flaws
CVE-2023-50868 is actually one of two serious DNSSEC flaws that researchers from the German National Research Center for Applied Cybersecurity ATHENE quietly informed industry stakeholders about last year.
The other is CVE-2023-50387, or "KeyTrap," a similar though more serious DNSSEC resource exhaustion bug that researchers believed would have allowed attackers to bring down large swathes of the Internet had it remained unmitigated. What made KeyTrap so dangerous is that it gave attackers a way to use a single packet to exhaust the processing capacity of a vulnerable DNS server, essentially rendering it offline, says Tom Marsland, vice president of technology at Cloud Range. "It does this by tricking those servers into performing extra calculations that overload their CPU." He estimates that some 31% of all DNS servers were vulnerable to the attack.
CVE-2023-50868 is similar in that it gives attackers a way to exhaust a DNS resolver's CPU cycles and cause it to become unresponsive.
Tyler Reguly, associate director of security R&D at Fortra, says one of the biggest problems with protocol-level flaws such as CVE-2023-50868 is that they give attackers a way to tie up the server and get it to slow down or stop responding altogether.
“Once the denial-of-service slows down the DNS server’s responsiveness, the amount of time that an attacker has to perform DNS cache poisoning increases drastically,” he says. “What’s interesting with this flaw is that the very technology designed to make DNS cache poisoning for non-existent domains harder has made cache poisoning easier for attackers.”
Microsoft’s Lonely Zero-Day World
Several major providers of DNS resolution software and services publicly released details of both DNSSEC flaws in a coordinated disclosure in February, after they had developed mitigations for the threat. Microsoft too issued a patch for KeyTrap at the time, but waited until this week to announce a fix for CVE-2023-50868, making the bug a zero-day threat at least from a Microsoft standpoint.
It is somewhat surprising that Microsoft took so long to get to it, Reguly notes. He suspects one reason could be that most organizations rely on other services for external DNS, and Microsoft felt the risk associated with its own DNS resolution services wasn't all that significant.
“We’ve seen vendors work together on big ticket items in the past when protocol flaws are in the mix, and it always impresses me that the vendor community is able to come together and work so well to fix these issues without any major leaks,” Reguly says. “Why Microsoft dropped the ball on this CVE is unknown to me, but I’d love to see them address why it took them so much longer than the other vendors to release this fix.”
Lionel Litty, chief security architect at Menlo Security, says another issue is that algorithmic-complexity vulnerabilities such as the two DNSSEC resource exhaustion flaws can be challenging to fix.
“Fixing this type of issue may require rethinking how algorithms are implemented and deciding when not to adhere to the specification because doing so would require an unreasonable amount of computation,” Litty says. “It can also lead to more fundamental redesigns of how requests are prioritized by the server so that no one client can prevent others from getting their requests answered in a timely manner.” In this light, it is not surprising that fixing this issue might have taken some vendors more time, he says.
Cross-Industry Collaboration
CVE-2023-50868 and CVE-2023-50387 are among several bugs in recent years that have forced an industry-wide response because they existed at the protocol level or in foundational Internet technologies. The so-called Heartbleed vulnerability of 2014 in the OpenSSL cryptographic library remains one of the most notable. But there have been others as well.
Relatively recent examples include one in the Bluetooth protocol (CVE-2023-45866), the CallStranger flaw in the Universal Plug and Play (UPnP) protocol, and a vulnerability in the GPRS Tunnelling Protocol (GTP) that threatened mobile networks.
Jason Soroko, senior vice president at Sectigo, sees a mixed record in the patching of such cross-vendor issues.
“While some vendors have improved their responsiveness and coordination, others have lagged behind,” he says. “The coordination between different vendors and security researchers has generally improved, with more collaborative efforts to address and mitigate vulnerabilities promptly. However, the speed and efficiency of patching still vary significantly across the industry.”
About the Author(s)
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.