CVE-2023-7008: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in systemd-resolved (CVE-2023-7008) that allows the component to accept records of DNSSEC-signed domains even when they have no signature. This vulnerability was disclosed on December 23, 2023, affecting systemd-resolved component in systemd versions up to 256. The issue impacts systems where DNSSEC validation is enabled (NVD, Debian Tracker).

The vulnerability exists in systemd-resolved's DNSSEC validation mechanism. When DNSSEC=yes is set and querying a DNSSEC-enabled domain, systemd-resolved incorrectly accepts unsigned records from DNSSEC-signed domains, failing to properly validate the authenticity of DNS responses. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD, GitHub Issue).

When exploited, this vulnerability allows man-in-the-middle attackers or compromised upstream DNS resolvers to manipulate DNS records of DNSSEC-signed domains by stripping signatures and providing arbitrary values. This undermines the security guarantees that DNSSEC is designed to provide, potentially leading to the redirection of traffic to malicious servers (GitHub Issue, Debian Tracker).

The vulnerability has been fixed in multiple versions of systemd: v256, v255.2, v254.8, v253.15, v252.21, v251.20, v250.14, v249.17, and v248.13. System administrators are advised to update to the fixed versions. For systems that cannot be immediately updated, it's important to note that DNSSEC is typically disabled by default, which prevents exploitation (Debian Tracker, Red Hat Advisory).