Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
digitalcourage.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Diese Instanz wird betrieben von Digitalcourage e.V. für die Allgemeinheit. Damit wir das nachhaltig tun können, erheben wir einen jährlichen Vorausbeitrag von 1€/Monat per SEPA-Lastschrifteinzug.

Administered by:

Server stats:

823
active users

digitalcourage.social: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.8

Public *
Christian Pietsch (old acct.)

Reading about the recent SMTP and SSH vulnerabilities, I get the impression that open source projects, proprietary vendors and government agencies such as @certbund don't know how to talk to each other. They should at least have something like a red phone.

Please comment here if you have a constructive idea on how to improve the situation! seems to assume that everyone uses , a CMU service I had never heard of.

:
sec-consult.com/blog/detail/sm
postfix.org/smtp-smuggling.htm

:
terrapin-attack.com/patches.ht

screenshot from the SEC Consult website: … As documented in the timeline of the blog post, the vulnerabilities were initially identified in June 2023 and after further internal research we contacted the specific, affected vendors (Microsoft, Cisco, GMX/Ionos). GMX and Microsoft fixed the issues promptly. But after receiving some feedback from Cisco, that our identified vulnerability is just a feature of the software and not a bug/vulnerability, we contacted CERT/CC on 17th August to get some help for further discussion with Cisco and involve other potentially affected vendors (such as sendmail) through the VINCE communication platform. There, we submitted all our research details and explained the case to the vendors involved. We received feedback from Cisco that our identified research is not a vulnerability, but a feature and that they will not change the default configuration nor inform their customers. Other vendors did not respond in VINCE but were contacted by CERT/CC. Based on this feedback and as multiple other vendors were included in this discussion through the CERT/CC VINCE platform without objecting, we wrongly assessed the broader impact of the SMTP smuggling research. Because of this assumption, we asked CERT/CC end of November regarding publication of the details and received confirmation to proceed. As our research was accepted at this year's 37C3 conference (info received on 3rd December) and we still thought that Cisco users should be warned about …
screenshot from the Postfix website: SMTP Smuggling [An updated version of this text may be found at https://www.postfix.org/smtp-smuggling.html] Author: Wietse Venema Last update: December 23, 2023 Summary Days before a 10+ day holiday break and associated production change freeze, SEC Consult has published an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>. Unfortunately, criticial information provided by the researcher was not passed on to Postfix maintainers before publication of the attack, otherwise we would certainly have convinced SEC Consult to postpone publication until after people had a chance to update their Postfix systems. …
screenshot from the Terrapin website: … Aside from the SSH implementations marked with an asterisk, we included the following implementations, vendors, and CERTs in our responsible disclosure process. Due to the lack of proper security contacts and response, we were not able to disclose our findings to some of them. AbsoluteTelnet (Celestial Software) Amazon AWS CERT-Bund Cisco Ericsson Microsoft Mikrotik Partnered CERTs of CERT-Bund (via CERT-Bund) SSH Server for Windows (Georgia Softworks) Tectia SSH (SSH Communications Security, Inc.) Termius (Termius Corporation) The selection of SSH implementations contacted during responsible disclosure was based on several factors. We aimed to achieve a decent coverage of "strict kex" on public disclosure by focusing on the underlying SSH implementations. We gathered all SSH implementations listed in publicly available resources (Wikipedia SSH clients, Wikipedia SSH servers, Quendi SSH implementation comparison) as a baseline. …
#SMTPsmuggling#Terrapin#ITsec
Public
Lurkars

@chpietsch @certbund maybe I misunderstood something, but the terrapin stuff seems a good approach: taking list of implementations and contact them. Took me < 10 seconds from SMTP Wikipedia to Software list en.m.wikipedia.org/wiki/List_o of course this is an extra workload, but acting responsible is always more work, otherwise anyone would always act responsible.

en.m.wikipedia.orgList of mail server software - Wikipedia
Christian Pietsch (old acct.)

@Lurkars Yes, they tried hard but still were not able to contact some important actors. From the screenshot:

“Due to the lack of proper security contacts and response, we were not able to disclose our findings to some of them.

AbsoluteTelnet (Celestial Software)
Amazon AWS
CERT-Bund
Cisco
Ericsson
Microsoft
Mikrotik
Partnered CERTs of CERT-Bund (via CERT-Bund)
SSH Server for Windows (Georgia Softworks)
Tectia SSH (SSH Communications Security, Inc.)
Termius (Termius Corporation)”

/cc @certbund

Dec 24, 2023, 12:32 PM·Public
0boosts·1favorite
Public *
Lurkars

@chpietsch @certbund haha okay, yes than I misunderstood/misread. Thought they contacted them AND the list. Of course those are still two different problems:
- who to contact
- how to contact/reach e.g. how to act if not reachable

Thanks for clarification.

ExploreLive feeds
About