CVE-2023-50868

Name
CVE-2023-50868
Description
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
NVD Severity
unknown

References

Type URI
cve@mitre.org https://datatracker.ietf.org/doc/html/rfc5155
cve@mitre.org https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
cve@mitre.org https://kb.isc.org/docs/cve-2023-50868
cve@mitre.org https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
cve@mitre.org https://www.isc.org/blogs/2024-bind-security-release/
cve@mitre.org https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
cve@mitre.org https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
cve@mitre.org https://access.redhat.com/security/cve/CVE-2023-50868
cve@mitre.org https://bugzilla.suse.com/show_bug.cgi?id=1219826
mailing-list http://www.openwall.com/lists/oss-security/2024/02/16/2
mailing-list http://www.openwall.com/lists/oss-security/2024/02/16/3
vendor-advisory https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/
vendor-advisory https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
vendor-advisory https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/
mailing-list https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html
vendor-advisory https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/
vendor-advisory https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/
vendor-advisory https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
vendor-advisory https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/
vendor-advisory https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/
vendor-advisory https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/
vendor-advisory https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
cve@mitre.org https://security.netapp.com/advisory/ntap-20240307-0008/
mailing-list https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html
af854a3a-2127-422b-91ae-364da2661108 https://lists.debian.org/debian-lts-announce/2024/11/msg00035.html
af854a3a-2127-422b-91ae-364da2661108 https://lists.debian.org/debian-lts-announce/2024/09/msg00001.html
af854a3a-2127-422b-91ae-364da2661108 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
af854a3a-2127-422b-91ae-364da2661108 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
af854a3a-2127-422b-91ae-364da2661108 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/

Match rules

CPE URI Source package Min version Max version
n/a == n/a == n/a
cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* bind >= 9.0.0 < 9.16.48
cpe:2.3:a:isc:bind:*:*:*:*:supported_preview:*:*:* bind >= 9.9.3 < 9.16.48
cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* bind >= 9.18.0 < 9.18.24
cpe:2.3:a:isc:bind:*:s1:*:*:supported_preview:*:*:* bind >= 9.18.11 < 9.18.24
cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* bind >= 9.19.0 < 9.19.21

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
unbound edge-main 1.19.1-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
unbound 3.22-main 1.19.1-r0 None fixed
unbound 3.21-main 1.19.1-r0 None fixed
unbound 3.20-main 1.19.1-r0 None fixed
unbound 3.19-main 1.19.1-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
unbound 3.18-main 1.19.1-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
unbound 3.17-main 1.19.1-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
pdns-recursor edge-community 5.0.2-r0 Peter van Dijk <peter.van.dijk@powerdns.com> fixed
pdns-recursor 3.22-community 5.0.2-r0 None fixed
pdns-recursor 3.21-community 5.0.2-r0 None fixed
pdns-recursor 3.20-community 5.0.2-r0 None fixed
pdns-recursor 3.19-community 4.9.3-r0 Peter van Dijk <peter.van.dijk@powerdns.com> fixed
knot-resolver edge-community 5.7.1-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
knot-resolver 3.22-community 5.7.1-r0 None fixed
knot-resolver 3.21-community 5.7.1-r0 None fixed
knot-resolver 3.20-community 5.7.1-r0 None fixed
knot-resolver 3.19-community 5.7.1-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
dnsmasq edge-main 2.90-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
dnsmasq 3.22-main 2.90-r0 None fixed
dnsmasq 3.21-main 2.90-r0 None fixed
dnsmasq 3.20-main 2.90-r0 None fixed
dnsmasq 3.19-main 2.90-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
dnsmasq 3.18-main 2.90-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
dnsmasq 3.17-main 2.90-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
bind edge-main 9.18.24-r0 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.21-r0 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.19-r1 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.19-r0 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.18-r0 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.17-r0 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.16-r0 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.14-r4 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.14-r3 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.14-r2 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.14-r0 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.13-r2 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.13-r1 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.13-r0 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.11-r0 Mike Crute <mike@crute.us> fixed
bind edge-main 9.18.10-r0 None fixed
bind edge-main 9.18.9-r0 None fixed
bind edge-main 9.18.8-r0 None fixed
bind edge-main 9.18.7-r0 None fixed
bind edge-main 9.18.5-r0 None fixed
bind edge-main 9.18.4-r3 None fixed
bind edge-main 9.18.4-r2 None fixed
bind edge-main 9.18.3-r2 None fixed
bind edge-main 9.18.3-r1 None fixed
bind edge-main 9.18.3-r0 None fixed
bind edge-main 9.16.29-r0 None fixed
bind edge-main 9.16.28-r0 None fixed
bind edge-main 9.16.27-r0 None fixed
bind edge-main 9.16.25-r0 None fixed
bind edge-main 9.16.24-r0 None fixed
bind edge-main 9.16.22-r5 None fixed
bind edge-main 9.16.22-r4 None fixed
bind edge-main 9.16.22-r0 None fixed
bind edge-main 9.16.20-r4 None fixed
bind edge-main 9.16.20-r3 None fixed
bind edge-main 9.16.20-r2 None fixed
bind edge-main 9.16.20-r1 None fixed
bind edge-main 9.16.20-r0 None fixed
bind edge-main 9.16.19-r0 None fixed
bind edge-main 9.16.18-r3 None fixed
bind edge-main 9.16.18-r2 None fixed
bind edge-main 9.16.15-r0 None fixed
bind edge-main 9.16.11-r2 None fixed
bind edge-main 9.16.6-r0 None fixed
bind edge-main 9.16.4-r0 None fixed
bind edge-main 9.14.12-r0 None fixed
bind edge-main 9.14.8-r0 None fixed
bind edge-main 9.14.7-r0 None fixed
bind edge-main 9.14.4-r0 None fixed
bind edge-main 9.14.1-r0 None fixed
bind edge-main 9.12.3_p4-r0 None fixed
bind edge-main 9.12.2_p1-r0 None fixed
bind edge-main 9.12.1_p2-r0 None fixed
bind edge-main 9.11.2_p1-r0 None fixed
bind edge-main 9.11.0_p5-r0 None fixed
bind edge-main 9.10.4_p5-r0 None fixed
bind 3.22-main 9.18.24-r0 None fixed
bind 3.22-main 9.18.19-r0 None fixed
bind 3.22-main 9.18.11-r0 None fixed
bind 3.22-main 9.18.7-r0 None fixed
bind 3.22-main 9.16.27-r0 None fixed
bind 3.22-main 9.16.22-r0 None fixed
bind 3.22-main 9.16.20-r0 None fixed
bind 3.22-main 9.16.15-r0 None fixed
bind 3.22-main 9.16.11-r2 None fixed
bind 3.22-main 9.16.6-r0 None fixed
bind 3.22-main 9.16.4-r0 None fixed
bind 3.22-main 9.14.12-r0 None fixed
bind 3.22-main 9.14.8-r0 None fixed
bind 3.22-main 9.14.7-r0 None fixed
bind 3.22-main 9.14.4-r0 None fixed
bind 3.22-main 9.14.1-r0 None fixed
bind 3.22-main 9.12.3_p4-r0 None fixed
bind 3.22-main 9.12.2_p1-r0 None fixed
bind 3.22-main 9.12.1_p2-r0 None fixed
bind 3.22-main 9.11.2_p1-r0 None fixed
bind 3.22-main 9.11.0_p5-r0 None fixed
bind 3.22-main 9.10.4_p5-r0 None fixed
bind 3.21-main 9.18.24-r0 None fixed
bind 3.21-main 9.18.19-r0 None fixed
bind 3.21-main 9.18.11-r0 None fixed
bind 3.21-main 9.18.7-r0 None fixed
bind 3.21-main 9.16.27-r0 None fixed
bind 3.21-main 9.16.22-r0 None fixed
bind 3.21-main 9.16.20-r0 None fixed
bind 3.21-main 9.16.15-r0 None fixed
bind 3.21-main 9.16.11-r2 None fixed
bind 3.21-main 9.16.6-r0 None fixed
bind 3.21-main 9.16.4-r0 None fixed
bind 3.21-main 9.14.12-r0 None fixed
bind 3.21-main 9.14.8-r0 None fixed
bind 3.21-main 9.14.7-r0 None fixed
bind 3.21-main 9.14.4-r0 None fixed
bind 3.21-main 9.14.1-r0 None fixed
bind 3.21-main 9.12.3_p4-r0 None fixed
bind 3.21-main 9.12.2_p1-r0 None fixed
bind 3.21-main 9.12.1_p2-r0 None fixed
bind 3.21-main 9.11.2_p1-r0 None fixed
bind 3.21-main 9.11.0_p5-r0 None fixed
bind 3.21-main 9.10.4_p5-r0 None fixed
bind 3.20-main 9.18.24-r0 None fixed
bind 3.20-main 9.18.19-r0 None fixed
bind 3.20-main 9.18.11-r0 None fixed
bind 3.20-main 9.18.7-r0 None fixed
bind 3.20-main 9.16.27-r0 None fixed
bind 3.20-main 9.16.22-r0 None fixed
bind 3.20-main 9.16.20-r0 None fixed
bind 3.20-main 9.16.15-r0 None fixed
bind 3.20-main 9.16.11-r2 None fixed
bind 3.20-main 9.16.6-r0 None fixed
bind 3.20-main 9.16.4-r0 None fixed
bind 3.20-main 9.14.12-r0 None fixed
bind 3.20-main 9.14.8-r0 None fixed
bind 3.20-main 9.14.7-r0 None fixed
bind 3.20-main 9.14.4-r0 None fixed
bind 3.20-main 9.14.1-r0 None fixed
bind 3.20-main 9.12.3_p4-r0 None fixed
bind 3.20-main 9.12.2_p1-r0 None fixed
bind 3.20-main 9.12.1_p2-r0 None fixed
bind 3.20-main 9.11.2_p1-r0 None fixed
bind 3.20-main 9.11.0_p5-r0 None fixed
bind 3.20-main 9.10.4_p5-r0 None fixed
bind 3.19-main 9.18.24-r0 None fixed
bind 3.19-main 9.18.19-r1 Mike Crute <mike@crute.us> fixed
bind 3.19-main 9.18.19-r0 None fixed
bind 3.19-main 9.18.11-r0 None fixed
bind 3.19-main 9.18.7-r0 None fixed
bind 3.19-main 9.16.27-r0 None fixed
bind 3.19-main 9.16.22-r0 None fixed
bind 3.19-main 9.16.20-r0 None fixed
bind 3.19-main 9.16.15-r0 None fixed
bind 3.19-main 9.16.11-r2 None fixed
bind 3.19-main 9.16.6-r0 None fixed
bind 3.19-main 9.16.4-r0 None fixed
bind 3.19-main 9.14.12-r0 None fixed
bind 3.19-main 9.14.8-r0 None fixed
bind 3.19-main 9.14.7-r0 None fixed
bind 3.19-main 9.14.4-r0 None fixed
bind 3.19-main 9.14.1-r0 None fixed
bind 3.19-main 9.12.3_p4-r0 None fixed
bind 3.19-main 9.12.2_p1-r0 None fixed
bind 3.19-main 9.12.1_p2-r0 None fixed
bind 3.19-main 9.11.2_p1-r0 None fixed
bind 3.19-main 9.11.0_p5-r0 None fixed
bind 3.19-main 9.10.4_p5-r0 None fixed
bind 3.18-main 9.18.24-r0 Mike Crute <mike@crute.us> fixed
bind 3.17-main 9.18.24-r0 None fixed