March 26, 2024 at 04:29AM
Two DNSSEC vulnerabilities, KeyTrap (CVE-2023-50387) and NSEC3-encloser (CVE-2023-50868), were disclosed with similar descriptions and a severity score of 7.5 out of 10. However, a study by the ATHENE team finds NSEC3-encloser is less severe than KeyTrap, contrary to MITRE’s assessment. This has led to concerns about the accuracy and quality control of vulnerability assessments by MITRE and the NIST-run National Vulnerability Database.
The meeting notes point to a discrepancy in the severity assessment of the two DNSSEC vulnerabilities, KeyTrap (CVE-2023-50387) and NSEC3-encloser (CVE-2023-50868). They highlight concerns raised by Haya Schulmann, a professor of computer science at Goethe University Frankfurt, regarding the accuracy and quality control of the severity assessments conducted by MITRE and the NIST-run National Vulnerability Database.
Schulmann’s team conducted an analysis and published findings in a paper titled “Attacking with Something That Does Not Exist: Low-Rate Flood with ‘Proof of Non-Existence’ Can Exhaust DNS Resolver CPU,” indicating that the NSEC3-encloser vulnerability is significantly less severe in terms of CPU exhaustion compared to KeyTrap.
Concerns were also raised about MITRE’s response, which indicates differing perspectives on vulnerability severity and the potential impact on assessments and report accuracy.
Schulmann argues for a more exacting and transparent vulnerability evaluation process, emphasizing the need for MITRE to maintain professionalism and neutrality so that the public can rely on its assessment information.
It seems there is a need for clarification and reassessment of the severity of the two vulnerabilities to ensure accurate and consistent reporting. This may also involve revisiting the documentation and analysis used to assign the severity ratings for these vulnerabilities.