Schulmann vs. MITRE: the two DNSSEC vulnerabilities are not equal in their damage

Teacher

Rating two threats of very different criticality as equal has drawn criticism from researchers.

Last month, two DNSSEC vulnerabilities were disclosed with similar descriptions and the same severity rating. Many administrators might have taken them for the same problem, but they are two entirely different vulnerabilities. Below we look at the differences in more detail.

One of them, dubbed KeyTrap (CVE-2023-50387) and found by researchers at the German National Research Center for Applied Cybersecurity (ATHENE), was described by Akamai executive director Sven Dummer as "one of the worst ever discovered", since it could be used to knock out large parts of the Internet.

A single crafted DNS packet is enough to cause an outage: it exhausts the CPU of machines performing DNSSEC validation, such as the public resolvers run by Google and Cloudflare.

The second vulnerability (CVE-2023-50868), which concerns NSEC3 closest-encloser proofs, was found by Petr Špaček of the Internet Systems Consortium (ISC) and is likewise classed as CPU exhaustion. According to an analysis by the ATHENE team, however, it is significantly less dangerous.

Both vulnerabilities carry a CVSS base score of 7.5 out of 10 (High) in their CVE records; the CVE identifiers were assigned by the non-profit MITRE Corporation.

Haya Schulmann, a professor of computer science at Goethe University Frankfurt and one of the KeyTrap researchers, holds that the two vulnerabilities are not comparable in severity. According to her, experiments show that the NSEC3 vulnerability cannot in practice be used for a CPU-exhaustion DoS attack.

Schulmann argues that the MITRE assessment attached to these CVEs contradicts the process established by the National Institute of Standards and Technology (NIST), which requires analysts to use all available information when determining a vulnerability's severity.

Schulmann calls on MITRE and the other organizations that distribute vulnerability information to be more accurate in their assessments, even if this displeases vendors.

A lack of transparency and reliance on a "preferred perspective" not only undermine trust between the parties involved but also harm overall security, Schulmann added.

After publication, NIST responded that the base CVSS scores are derived from the submitted CVE description and the CVSS v3 specification, and that these scores may need to be refined locally according to context, usage, risk tolerance and threat model.