Row breaks out over true severity of two DNSSEC flaws
2024-03-26 08:24

Two DNSSEC vulnerabilities were disclosed last month with similar descriptions and the same severity score, but they are not the same issue.

The CVEs for KeyTrap and NSEC3-encloser each suggest the vulnerabilities can be exploited to conduct denial of service attacks.

The two vulnerabilities are not comparable in terms of severity, according to Haya Schulmann, a professor of computer science at Goethe University Frankfurt, one of the ATHENE academics behind the KeyTrap research.

By email, Schulmann told The Register that experiments indicate no denial of service through CPU exhaustion is possible with the NSEC3 vulnerability.

"The response of MITRE implies that there are different perspectives on the vulnerability, encouraging the interested parties to read the entire technical report to understand that the description of MITRE is incorrect," she wrote.

According to Schulmann, the two CVEs show there's reason to doubt the correctness and quality control of MITRE vulnerability assessments and the NIST-run National Vulnerability Database that stores such information.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/03/26/software_risk_scores/