Microsoft, Late to the Game on Dangerous DNSSEC Zero-Day Flaw

Published: 23/11/2024   Category: security

Why the company took so long to address the issue is not known given that most other stakeholders had a fix out for the issue months ago.



Among the more dangerous of the flaws for which Microsoft released a patch this week on Patch Tuesday is a denial-of-service (DoS) vulnerability, publicly disclosed back in February, in the Domain Name System Security Extensions (DNSSEC) protocol.

The vulnerability, identified as CVE-2023-50868, exists in a third-party DNSSEC mechanism called Next Secure Hash 3 (NSEC3) for proving that a non-existent domain truly doesn't exist, thereby protecting against malicious cataloging of signed DNS zones. The vulnerability gives attackers a way to craft DNS packets that cause the DNS resolver to essentially exhaust its computing resources in trying to respond.

It affects several different vendors and projects, including Unbound, BIND, dnsmasq, PowerDNS, various Linux distros, and others, which released patches well before Microsoft did. A list of advisories can be found here.
CVE-2023-50868 is actually one of two serious DNSSEC flaws that researchers from the German National Research Center for Applied Cybersecurity ATHENE quietly informed industry stakeholders about last year.

The other is CVE-2023-50387, or KeyTrap, a similar though more serious DNSSEC resource exhaustion bug that researchers believed would have allowed attackers to bring down large swathes of the Internet had it remained unmitigated. "What made KeyTrap so dangerous is that it gave attackers a way to use a single packet to exhaust the processing capacity of a vulnerable DNS server, essentially rendering it offline," says Tom Marsland, vice president of technology at Cloud Range. "It does this by tricking those servers into performing extra calculations that overload their CPU." He estimates that some 31% of all DNS servers were vulnerable to the attack.
CVE-2023-50868 is similar in that it gives attackers a way to exhaust a DNS resolver's CPU cycles and cause it to become unresponsive.

Tyler Reguly, associate director, security R&D at Fortra, says one of the biggest problems with protocol-level flaws such as CVE-2023-50868 is that they give attackers a way to tie up the server and get it to slow down or stop responding altogether.

"Once the denial-of-service slows down the DNS server's responsiveness, the amount of time that an attacker has to perform DNS cache poisoning increases drastically," he says. "What's interesting with this flaw is that the very technology designed to make DNS cache poisoning for non-existent domains harder has made cache poisoning easier for attackers."
Several major providers of DNS resolution services publicly released details of both DNSSEC flaws in a coordinated disclosure in February, after they had developed mitigations for the threat. Microsoft too issued a patch for KeyTrap at the time, but waited till this week to announce a fix for CVE-2023-50868, making the bug a zero-day threat, at least from a Microsoft standpoint.
And indeed, it's somewhat surprising that Microsoft took so long to get to it, Reguly notes. He suspects one reason could be that most organizations rely on other services for external DNS, and Microsoft felt the risk associated with Microsoft's DNS resolution services wasn't all that significant.

"We've seen vendors work together on big ticket items in the past when protocol flaws are in the mix, and it always impresses me that the vendor community is able to come together and work so well to fix these issues without any major leaks," Reguly says. "Why Microsoft dropped the ball on this CVE is unknown to me, but I'd love to see them address why it took them so much longer than the other vendors to release this fix."
Lionel Litty, chief security architect at Menlo Security, says another issue is that algorithmic complexity vulnerabilities such as the two DNSSEC resource exhaustion flaws can be challenging to fix.

"Fixing this type of issue may require rethinking how algorithms are implemented and deciding when not to adhere to the specification because doing so would require an unreasonable amount of computation," Litty says. "It can also lead to more fundamental redesigns of how requests are prioritized by the server so that no one client can prevent others from getting their requests answered in a timely manner. In this light, it is not surprising that fixing this issue might have taken some vendors more time," he says.
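One way to implement the kind of limit Litty describes, as an added example here (not code from Microsoft or from any of the resolvers named above): the RFC 5155 NSEC3 hash, wrapped in a resolver-side iteration cap and a per-response hashing budget, so that a response demanding an unreasonable amount of hashing is refused and treated as insecure instead of being computed. The cap values, the `WorkBudget` class and the candidate-name walk are assumptions for illustration.

```python
import base64
import hashlib

# Resolver-side limits. Assumed values for this example; each resolver picks its own.
MAX_ITERATIONS = 150           # NSEC3 iteration counts above this are refused outright
MAX_HASHES_PER_RESPONSE = 600  # total SHA-1 calls allowed while validating one response

class Nsec3WorkExceeded(Exception):
    """Validation stops: the proof is treated as insecure instead of being computed."""

def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def base32hex(data: bytes) -> str:
    """Unpadded base32 with the extended-hex alphabet, as NSEC3 owner names use."""
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return std.translate(table).lower()

class WorkBudget:
    """Counts hash calls spent on one response and refuses work beyond the cap."""
    def __init__(self, limit: int = MAX_HASHES_PER_RESPONSE) -> None:
        self.remaining = limit
    def charge(self, hashes: int) -> None:
        if hashes > self.remaining:
            raise Nsec3WorkExceeded(f"needs {hashes} hashes, only {self.remaining} left")
        self.remaining -= hashes

def nsec3_hash(name: str, salt: bytes, iterations: int, budget: WorkBudget) -> str:
    """RFC 5155 s5 NSEC3 hash (SHA-1): H(name||salt), re-hashed with salt `iterations` times."""
    if iterations > MAX_ITERATIONS:
        raise Nsec3WorkExceeded(f"iterations={iterations} exceeds cap {MAX_ITERATIONS}")
    budget.charge(iterations + 1)  # pay up front, so the budget can never be overrun
    digest = hashlib.sha1(canonical_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

def closest_encloser_candidates(qname: str, zone: str, salt: bytes, iterations: int, budget: WorkBudget) -> list:
    """Hash each ancestor of qname down to the zone apex (the closest-encloser search); a high iteration count multiplies this work."""
    q = [lab for lab in qname.lower().rstrip(".").split(".") if lab]
    z = [lab for lab in zone.lower().rstrip(".").split(".") if lab]
    if len(z) > len(q) or q[len(q) - len(z):] != z:
        raise ValueError("qname is not inside zone")
    return [(c, nsec3_hash(c, salt, iterations, budget))
            for c in (".".join(q[i:]) + "." for i in range(len(q) - len(z) + 1))]
```

The apex hash for the RFC 5155 Appendix A zone (salt aabbccdd, 12 iterations) comes out as 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom, which matches the RFC; a budget that runs out mid-walk raises before the next SHA-1 call is made.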
CVE-2023-50868 and CVE-2023-50387 are among several bugs in recent years that have forced an industry-wide response because they have existed at the protocol level or in foundational Internet technologies. The so-called Heartbleed vulnerability in the OpenSSL library from 2014 remains one of the most notable. But there have been others as well.

Relatively recent examples include one in the Bluetooth protocol (CVE-2023-45866), another in the Universal Plug and Play (UPnP) protocol dubbed CallStranger, and a vulnerability in the GTP protocol that threatened mobile networks.
Jason Soroko, senior vice president at Sectigo, sees a mixed record in the patching of such cross-vendor issues.

"While some vendors have improved their responsiveness and coordination, others have lagged behind," he says. "The coordination between different vendors and security researchers has generally improved, with more collaborative efforts to address and mitigate vulnerabilities promptly. However, the speed and efficiency of patching still vary significantly across the industry."
