CVE-2023-50868
Published: 14 February 2024
Summary
CVE-2023-50868 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in ISC BIND. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 6.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a denial-of-service condition in the Closest Encloser Proof mechanism defined by RFC 5155 for DNSSEC when the guidance in RFC 9276 is not applied. It affects DNS implementations that perform NSEC3 processing, where an attacker-supplied response can force repeated SHA-1 iterations, resulting in high CPU consumption. The issue is tracked as CWE-400 and carries a CVSS 3.1 score of 7.5 with network attack vector and high availability impact.
Remote unauthenticated attackers can exploit the flaw by sending specially crafted DNSSEC responses as part of a random subdomain attack, causing the target resolver or authoritative server to expend excessive CPU resources validating NSEC3 records. Because the specification permits thousands of hash iterations in certain cases, even modest query volumes can degrade service availability without requiring authentication or user interaction.
Advisories published by Red Hat, SUSE, and the oss-security mailing list reference the original IETF specification in RFC 5155 and note the availability of configuration or code changes that limit NSEC3 iteration counts.
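As an added, constructed example (not code from this page, from ISC BIND, or from the advisories): the RFC 5155 NSEC3 owner-name hash with its iteration loop, a work counter showing how the cost of hashing the candidate names in a closest encloser proof scales with the zone's iteration count, and a validator-side iteration cap of the kind RFC 9276 recommends. The threshold values, sample names and salt are assumptions chosen for illustration.

```python
import base64
import hashlib

# Standard base32 -> base32hex (RFC 4648 "Extended Hex") alphabet translation,
# which is the encoding NSEC3 uses for hashed owner names.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of a domain name: length-prefixed labels, root = 0x00."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> tuple[str, int]:
    """RFC 5155 section 5: H(x || salt), then H(prev || salt) repeated `iterations` times.
    Returns (base32hex owner label, number of SHA-1 invocations spent on this name)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):  # this loop is the CPU cost an attacker-chosen count inflates
        digest = hashlib.sha1(digest + salt).digest()
    label = base64.b32encode(digest).translate(_TO_B32HEX).decode().lower()
    return label, iterations + 1


def proof_cost(candidate_names: list[str], salt_hex: str, iterations: int) -> int:
    """SHA-1 invocations a validator pays to hash every candidate closest encloser.
    For a random subdomain query, each label-stripping step yields one more candidate."""
    return sum(nsec3_hash(n, salt_hex, iterations)[1] for n in candidate_names)


def nsec3_policy(iterations: int, insecure_above: int = 100, bogus_above: int = 500) -> str:
    """Validator decision for an NSEC3 iteration count before any hashing is done.
    RFC 9276 advises treating high counts as insecure (and optionally as bogus);
    the two thresholds here are assumed deployment choices, not BIND's values."""
    if iterations > bogus_above:
        return "bogus"      # refuse the proof outright; no SHA-1 work is spent
    if iterations > insecure_above:
        return "insecure"   # use the answer but do not mark it as validated
    return "secure"


if __name__ == "__main__":
    # Constructed zone parameters: salt aabbccdd, as in the RFC 5155 worked zone.
    names = ["random1.example.", "example."]
    for iters in (0, 12, 2500):
        print(iters, proof_cost(names, "aabbccdd", iters), nsec3_policy(iters))
```

Comparing the work counter for iteration counts 0 and 2500 shows why a cap applied before hashing, rather than a faster hash, is the mitigation the advisories describe.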
EPSS for the CVE rose from low values to a peak of 0.4388 on 2025-12-11 before receding to the current 0.1211, indicating a clear increase in observed exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-55601
Vulnerability details
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.
Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.
Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
An alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.
Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.
The team can analyze and respond to resource exhaustion incidents, reducing the impact of attacks that exploit uncontrolled consumption weaknesses.
Timely maintenance support and spare parts enable rapid recovery from failures induced by uncontrolled resource consumption, shortening the impact window of denial-of-service attacks.