Microsoft recently addressed a dangerous DNSSEC zero-day flaw that had been publicly disclosed back in February, despite other stakeholders having released fixes months earlier. The vulnerability, known as CVE-2023-50868, affects a third-party DNSSEC mechanism called Next Secure Hash 3 (NSEC3). This flaw allows attackers to craft DNS packets that overload the DNS resolver’s computing resources, causing it to become unresponsive.

Various vendors and projects, including Unbound, BIND, dnsmasq, PowerDNS, and several Linux distributions, had already released patches for the vulnerability before Microsoft. This delay in addressing the issue raised questions about why Microsoft took so long to release a fix.

In addition to CVE-2023-50868, researchers also identified another serious DNSSEC flaw, CVE-2023-50387, known as ‘KeyTrap.’ This flaw could have potentially brought down large portions of the Internet if left unmitigated. KeyTrap allows attackers to use a single packet to overwhelm vulnerable DNS servers, rendering them offline by overloading their CPU with extra calculations.

Tom Marsland, vice president of technology at Cloud Range, highlighted the severity of KeyTrap, noting that it could impact up to 31% of all DNS servers. The flaw essentially tricks servers into performing excessive calculations, leading to CPU overload and server unresponsiveness.

CVE-2023-50868 shares similarities with KeyTrap in that it allows attackers to exhaust a DNS resolver’s CPU cycles, causing it to become unresponsive. Tyler Reguly, associate director of security R&D at Fortra, emphasized that protocol-level flaws like CVE-2023-50868 provide attackers with the means to slow down or stop DNS servers’ responsiveness, ultimately facilitating DNS cache poisoning.

Reguly explained that as the denial-of-service attack hampers the DNS server’s responsiveness, attackers gain increased opportunities for DNS cache poisoning. This flaw underscores the irony that the technology intended to enhance DNS security against cache poisoning for non-existent domains inadvertently makes cache poisoning easier for malicious actors.