Microsoft Addresses Dangerous DNSSEC Flaws

Microsoft recently addressed a dangerous DNSSEC zero-day flaw that had been publicly disclosed back in February, months after other stakeholders had released their fixes. The vulnerability, known as CVE-2023-50868, affects a third-party DNSSEC mechanism called Next Secure Hash 3 (NSEC3). This flaw allows attackers to craft DNS packets that overload the DNS resolver’s computing resources, causing it to become unresponsive.

Various vendors and projects, including Unbound, BIND, dnsmasq, PowerDNS, and several Linux distributions, had already released patches for the vulnerability before Microsoft. This delay in addressing the issue raised questions about why Microsoft took so long to release a fix.

In addition to CVE-2023-50868, researchers also identified another serious DNSSEC flaw, CVE-2023-50387, known as ‘KeyTrap.’ This flaw could have brought down large portions of the Internet if left unmitigated. KeyTrap allows attackers to use a single packet to overwhelm vulnerable DNS servers, rendering them offline by overloading their CPU with extra calculations.

Tom Marsland, vice president of technology at Cloud Range, highlighted the severity of KeyTrap, noting that it could impact up to 31% of all DNS servers. The flaw essentially tricks servers into performing excessive calculations, leading to CPU overload and server unresponsiveness.

CVE-2023-50868 shares similarities with KeyTrap in that it allows attackers to exhaust a DNS resolver’s CPU cycles, causing it to become unresponsive. Tyler Reguly, associate director of security R&D at Fortra, emphasized that protocol-level flaws like CVE-2023-50868 provide attackers with the means to slow down or stop DNS servers’ responsiveness, ultimately facilitating DNS cache poisoning.

Reguly explained that as the denial-of-service attack hampers the DNS server’s responsiveness, attackers gain increased opportunities for DNS cache poisoning. This flaw underscores the irony that the technology intended to enhance DNS security against cache poisoning for non-existent domains inadvertently makes cache poisoning easier for malicious actors.
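Why NSEC3 validation costs a resolver CPU time, as an added example (not code from Microsoft or any of the projects named above): the NSEC3 hash defined in RFC 5155 is a salted, iterated SHA-1, so the work per hashed name grows with the iteration count carried in the zone's own records, and a validating resolver bounds that work by refusing to validate above a limit. The limit `MAX_ITERATIONS`, the function names and the sample names are assumptions made for this sketch.

```python
import base64
import hashlib

# Assumed policy value for this sketch; each resolver sets its own limit.
MAX_ITERATIONS = 50

# base32 (RFC 4648) alphabet -> base32hex alphabet, lowercase as in NSEC3 owner names
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789abcdefghijklmnopqrstuv",
)

# Constructed sample: the names a resolver hashes while checking one denial proof
SAMPLE_NAMES = ["a.b.c.example", "b.c.example", "c.example", "example"]

def wire_name(name):
    """Canonical (lowercase) DNS wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash; returns (base32hex label, SHA-1 calls spent)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    calls = 1
    for _ in range(iterations):  # each extra iteration is one more SHA-1
        digest = hashlib.sha1(digest + salt).digest()
        calls += 1
    label = base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii")
    return label, calls

def validation_cost(names, salt_hex, iterations):
    """SHA-1 calls needed to hash `names`, or None when the iteration count
    is over the cap and the resolver declines to do the work at all."""
    if iterations > MAX_ITERATIONS:
        return None
    return sum(nsec3_hash(n, salt_hex, iterations)[1] for n in names)

if __name__ == "__main__":
    # Parameters of the RFC 5155 Appendix A example zone: salt aabbccdd, 12 iterations
    print(nsec3_hash("example", "aabbccdd", 12))
    for iters in (0, 12, 2500):
        print(iters, validation_cost(SAMPLE_NAMES, "aabbccdd", iters))
```

The cost is multiplicative (names hashed times iterations plus one), which is why the check on the iteration count happens before any hashing starts.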
