NVD脆弱性詳細

CVE-2023-50868

概要	The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
公表日	2024年2月15日1:15
登録日	2024年2月15日10:00
最終更新日	2024年11月21日17:37

関連情報、対策とツール

No	URL	refsource	タグ
1	http://www.openwall.com/lists/oss-security/2024/02/16/2
2	http://www.openwall.com/lists/oss-security/2024/02/16/2
3	http://www.openwall.com/lists/oss-security/2024/02/16/3
4	http://www.openwall.com/lists/oss-security/2024/02/16/3
5	https://access.redhat.com/security/cve/CVE-2023-50868
6	https://access.redhat.com/security/cve/CVE-2023-50868
7	https://bugzilla.suse.com/show_bug.cgi?id=1219826
8	https://bugzilla.suse.com/show_bug.cgi?id=1219826
9	https://datatracker.ietf.org/doc/html/rfc5155
10	https://datatracker.ietf.org/doc/html/rfc5155
11	https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
12	https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
13	https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
14	https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
15	https://kb.isc.org/docs/cve-2023-50868
16	https://kb.isc.org/docs/cve-2023-50868
17	https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html
18	https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html
19	https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html
20	https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html
21	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/
22	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/
23	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
24	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
25	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
26	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
27	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/
28	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/
29	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/
30	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/
31	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/
32	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/
33	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/
34	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/
35	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/
36	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/
37	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/
38	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/
39	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
40	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
41	https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
42	https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
43	https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
44	https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
45	https://security.netapp.com/advisory/ntap-20240307-0008/
46	https://security.netapp.com/advisory/ntap-20240307-0008/
47	https://www.isc.org/blogs/2024-bind-security-release/
48	https://www.isc.org/blogs/2024-bind-security-release/

共通脆弱性一覧

JVN脆弱性情報

DNSSECのNSEC3に関するSHA-1多重計算によるサービス拒否攻撃を可能にする脆弱性

タイトル	DNSSECのNSEC3に関するSHA-1多重計算によるサービス拒否攻撃を可能にする脆弱性
概要	DNSプロトコルのClosest Encloser Proofの側面（RFC 5155で、RFC 9276の指針が無視された場合）では、リモートの攻撃者がランダムサブドメイン攻撃によるDNSSEC応答を利用して、サービス拒否（SHA-1計算によるCPU消費）を引き起こす可能性があります。この問題は「NSEC3」問題とも呼ばれます。RFC 5155の仕様では、特定の状況でハッシュ関数のアルゴリズムが数千回反復実行されなければならないことが示唆されています。
想定される影響	当該ソフトウェアが扱う情報について、外部への漏えいは発生しません。また、当該ソフトウェアが扱う情報について、書き換えは発生しません。さらに、当該ソフトウェアが完全に停止する可能性があります。そして、この脆弱性を悪用した攻撃の影響は、他のソフトウェアには及びません。
対策	正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2024年2月14日0:00
登録日	2025年12月25日17:18
最終更新日	2025年12月25日17:18

影響を受けるシステム

レッドハット

Red Hat Enterprise Linux 6.0

Red Hat Enterprise Linux 7.0

Red Hat Enterprise Linux 8.0

Red Hat Enterprise Linux 8.2

Red Hat Enterprise Linux 8.4

ISC, Inc.

BIND 9.0.0 から 9.16.48 未満

BIND 9.18.0 から 9.18.24 未満

BIND 9.18.11 から 9.18.24 未満

BIND 9.19.0 から 9.19.21 未満

BIND 9.9.3 から 9.16.48 未満

Debian

Debian GNU/Linux 10.0

Debian GNU/Linux 11.0

Fedora Project

Fedora 38

Fedora 39

NetApp

Active IQ Unified Manager

Bootstrap OS

NetApp HCI Baseboard Management Controller

PowerDNS

PowerDNS Recursor 4.8.5 未満

PowerDNS Recursor 4.9.0 から 4.9.3 未満

PowerDNS Recursor 5.0.0 から 5.0.2 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2023-50868	https://www.cve.org/CVERecord?id=CVE-2023-50868
Knowledge Base
2	CVE-2023-50868	https://kb.isc.org/docs/cve-2023-50868
National Vulnerability Database (NVD)
3	CVE-2023-50868	https://nvd.nist.gov/vuln/detail/CVE-2023-50868
Red Hat Customer Portal
4	CVE-2023-50868 - Red Hat Customer Portal	https://access.redhat.com/security/cve/CVE-2023-50868

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-400	https://cwe.mitre.org/data/definitions/400.html

ベンダー情報

No	名前	URL
Debian Mailing Lists
1	[SECURITY] [DLA 3736-1] unbound security update	https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html
2	[SECURITY] [DLA 3816-1] bind9 security update	https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html
3	[SECURITY] [DLA 3859-1] systemd security update	https://lists.debian.org/debian-lts-announce/2024/09/msg00001.html
4	[SECURITY] [DLA 3974-1] dnsmasq security update	https://lists.debian.org/debian-lts-announce/2024/11/msg00035.html
Fedora mailing-lists
5	[SECURITY] Fedora 38 Update: bind-dyndb-ldap-11.10-23.fc38 - package-announce - Fedora mailing-lists (ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R)	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
6	[SECURITY] Fedora 38 Update: bind-dyndb-ldap-11.10-23.fc38 - package-announce - Fedora mailing-lists (ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R)	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
7	[SECURITY] Fedora 38 Update: bind9-next-9.19.21-1.fc38 - package-announce - Fedora mailing-lists (HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ)	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
8	[SECURITY] Fedora 38 Update: bind9-next-9.19.21-1.fc38 - package-announce - Fedora mailing-lists (HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ)	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
9	[SECURITY] Fedora 38 Update: dnsmasq-2.90-1.fc38 - package-announce - Fedora mailing-lists	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/
10	[SECURITY] Fedora 38 Update: pdns-recursor-4.8.6-1.fc38 - package-announce - Fedora mailing-lists	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/
11	[SECURITY] Fedora 38 Update: unbound-1.19.1-1.fc38 - package-announce - Fedora mailing-lists	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/
12	[SECURITY] Fedora 39 Update: bind-dyndb-ldap-11.10-24.fc39 - package-announce - Fedora mailing-lists	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/
13	[SECURITY] Fedora 39 Update: bind9-next-9.19.21-1.fc39 - package-announce - Fedora mailing-lists	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/
14	[SECURITY] Fedora 39 Update: dnsmasq-2.90-1.fc39 - package-announce - Fedora mailing-lists (BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI)	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
15	[SECURITY] Fedora 39 Update: dnsmasq-2.90-1.fc39 - package-announce - Fedora mailing-lists (BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI)	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
16	[SECURITY] Fedora 39 Update: pdns-recursor-4.9.3-1.fc39 - package-announce - Fedora mailing-lists	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/
17	[SECURITY] Fedora 39 Update: unbound-1.19.1-2.fc39 - package-announce - Fedora mailing-lists	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/
NetApp Advisory
18	NetApp Product Security	https://security.netapp.com/advisory/ntap-20240307-0008/
Security Advisory
19	PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor — PowerDNS Recursor documentation	https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html

その他

No	名前	URL
関連文書
1	1219826 (CVE-2023-50868) VUL-0: CVE-2023-50868: unbound, bind, pdns, dnsmasq: Denial Of Service while trying to validate specially crafted DNSSEC responses	https://bugzilla.suse.com/show_bug.cgi?id=1219826
2	BIND 9 Security Release and Multi-Vendor Vulnerability Handling, CVE-2023-50387 and CVE-2023-50868 - ISC	https://www.isc.org/blogs/2024-bind-security-release/
3	NLnet Labs - News - Unbound 1.19.1 released	https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
4	oss-security - Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities (http://www.openwall.com/lists/oss-security/2024/02/16/2)	http://www.openwall.com/lists/oss-security/2024/02/16/2
5	oss-security - Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities (http://www.openwall.com/lists/oss-security/2024/02/16/3)	http://www.openwall.com/lists/oss-security/2024/02/16/3
6	RFC 5155 - DNS Security (DNSSEC) Hashed Authenticated Denial of Existence	https://datatracker.ietf.org/doc/html/rfc5155
7	v5.7.1 Knot projects / Knot Resolver GitLab	https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
8	[Dnsmasq-discuss] Announce: dnsmasq-2.90.	https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html

変更履歴

No	変更内容	変更日
1	[2025年12月25日] 掲載	2025年12月25日17:18