Microsoft, Late to the Game on Dangerous DNSSEC Zero-Day Flaw

Among the more dangerous of the flaws for which Microsoft released a patch this week on Patch Tuesday is a denial-of-service (DoS) vulnerability publicly disclosed back in February in the Domain Name System Security Extensions (DNSSEC) protocol.

The vulnerability, identified as CVE-2023-50868 exists in a third-party DNSSEC mechanism called Next Secure Hash 3 (NSEC3) for proving that a non-existent domain truly doesn't exist, thereby protecting against malicious cataloging of signed DNS zones. The vulnerability gives attackers a way to craft DNS packets that would cause the DNS resolver to essentially exhaust its computing resources in trying to respond.

It affects several different vendors and projects, including Unbound, BIND, dnsmasq, PowerDNS, various Linux distros, and others, who released patches well before Microsoft did. A list of advisories can be found here.

DNSSEC Resource Exhaustion Flaws

CVE-2023-50868 is actually one of two serious DNSSEC flaws that researchers from the German National Research Center for Applied Cybersecurity ATHENE quietly informed industry stakeholders about last year.

The other is CVE-2023-50387, or "KeyTrap," a similar though more serious DNSSEC resource exhaustion bug that researchers believed would have allowed attackers to bring down large swathes of the Internet had it remained unmitigated. What made KeyTrap so dangerous is that it gave attackers a way to use a single packet to exhaust the processing capacity of a vulnerable DNS Server, essentially rendering it offline says Tom Marsland, vice president of technology at Cloud Range. "It does this by tricking those servers into performing extra calculations that overload their CPU." He estimates that some 31% of all DNS servers were vulnerable to the attack.

CVE-2023-50868 is similar in that it gives attackers a way to exhaust a DNS resolvers CPU cycles and cause it to become unresponsive.

Tyler Reguly, associate director, security R&D at Fortra says one of the biggest problems with protocol-level flaws such as CVE-2023-50868 is that they give attackers a way to tie up the server and get it to slow down or stop responding altogether.

"Once the denial-of-service slows down the DNS server's responsiveness, the amount of time that an attacker has to perform DNS cache poisoning increases drastically," he says. "What's interesting with this flaw is that the very technology designed to make DNS cache poisoning for non-existent domains harder has made cache poisoning easier for attackers."

Microsoft's Lonely Zero-Day World

Several major providers of DNS resolution services publicly released details of both DNSSEC flaws in a coordinated disclosure in February after they had developed mitigations for the threat. Microsoft too issued a patch for KeyTrap at the time, but waited till this week to announce a fix for CVE-2023-50868 — making the bug a zero-day threat at least from a Microsoft standpoint.

And indeed, it's somewhat surprising that Microsoft took so long to get to it, Reguly notes. He suspects one reason could be that most organizations rely on other services for external DNS, and Microsoft felt the risk associated with Microsoft's DNS resolution services wasn't all that significant.

 "We've seen vendors work together on big ticket items in the past when protocol flaws are in the mix, and it always impresses me that the vendor community is able to come together and work so well to fix these issues without any major leaks," Reguly says. "Why Microsoft dropped the ball on this CVE is unknown to me, but I'd love to see them address why it took them so much longer than the other vendors to release this fix."

Lionel Litty, chief security architect at Menlo Security, says another issue is that algorithmic complex vulnerability such as the two DNSSEC resource exhaustion flaws can be challenging to fix.

"Fixing this type of issue may require rethinking how algorithms are implemented and deciding when not to adhere to the specification because doing so would require an unreasonable amount of computation," Litty says. "It can also lead to more fundamental redesigns of how requests are prioritized by the server so that no one client can prevent others from getting their requests answered in a timely manner." In this light, it is not surprising that fixing this issue might have taken some vendors more time, he says.

Cross-Industry Collaboration

CVE-2023-50868 and CVE-2023-50387 are among several bugs in recent years that have forced an industry-wide response because they have existed at the protocol level or in foundational Internet technologies. The so-called Heartbleed vulnerability in the OpenSSL protocol from 2014 remains one of the most notable. But there have been others as well.

Relatively recent examples include one in the Bluetooth protocol (CVE-2023-45866), another in the UPnP Plug and Play protocol dubbed CallStranger and a vulnerability in the GTP protocol that threatened mobile networks.

Jason Soroko, senior vice president at Sectigo, sees a mixed record in the patching of such cross-vendor issues.

"While some vendors have improved their responsiveness and coordination, others have lagged behind," he says. "The coordination between different vendors and security researchers has generally improved, with more collaborative efforts to address and mitigate vulnerabilities promptly. However, the speed and efficiency of patching still vary significantly across the industry."