Date: Wed, 2 Dec 2015 12:13:16 -0500 (EST) From: cve-assign@...re.org To: andrea@...ersepath.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: shellinabox - DNS rebinding attack due to HTTP fallback -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > https://github.com/shellinabox/shellinabox/issues/355 As far as we can tell, "Stephen Roettger from the Google Security Team reported to us" means that the report was sent to you in your role as a maintainer of usbarmory, not in anyone's role as a maintainer of shellinabox. The case for considering this a shellinabox vulnerability report (rather than a shellinabox improvement suggestion) may be marginal. We decided to assign CVE-2015-8400 for a vulnerability in shellinabox. This same CVE ID can be used by anyone (such as usbarmory) who makes a security announcement in direct response to the vulnerability, regardless of whether the announcement is about removing the package or changing the package. The basic rationale is that 'allows HTTP fallback, even when configured for HTTPS, via the "/plain" URL' is apparently undocumented (and has the stated security risk). If there had been something in https://github.com/shellinabox/shellinabox/wiki/shellinaboxd_man or even a source-code comment saying why the behavior had been chosen despite the risk, the outcome may have been different. There are various other choices in shellinaboxd that may seem unusual to people unfamiliar with the product's use cases, e.g., Unless SSL certificates can be found in the current directory, the daemon will automatically generate suitable self-signed certificates. ... the use of auto-generated self-signed certificates is intended for testing or in intranet deployments (Someone could conceivably argue that "automatically generate" should not be a default behavior.) - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWXyYvAAoJEL54rhJi8gl5HHIQALCaT0oJcosS7cuES5nBei+1 gAakY0/tDSun231wnkRbG0D8r4OIYB9rsQRwCe8uJgompSkVpt3EvwQKwwkyOoQx EqqXELBUNjeGo08XX9g4QDJ0Vi0rNm6XFQBvXqhAkIHcy12QLQ5uAS2h9oRPn6gA /IT4KaIVxclvHTfYcTImBCWL3AS4WEcRNw2Ws0Ua8i4ZUCRZ2nq0VCztEV358JvX 4Rmw/0ZoudB2LUFFCOwCFohksyGvvct24e1aXz9m5jhxL5+yzrhAH3g50o8imzhI jHm+LZz8T4MGQfQ8zw5dnMtJwL4BymZQKODmrjzgJZKk/URBvTRi7CjX6kR2f51C gMABfQhOKKsF/ttOz2etKPvGQA47rIVnlsEmBYX62jZoRR6DcJURsXyw0qYMmzms q0L/QAUKpy8OonZGQrxPcYa1DjVU47cbkew4iCuKYeyIcMFcflek3HU8Q+OxYk56 InyfFgXoU8VCG2+WQCglKRnkdOPU0RSaZqFDsWz2lAx2nVC4fkoZVnrLM7TPg4ua 0mqD46TSvoOM6sOwT6WXmO7PBP0DsiHPZqtHmnh0+bOTMjnSIEYgd+nw4GA2drSt GOzMfxkf18YW9SgCvRPb97vomQuQykF6Om8jtlFQxOyVDk5UKYkmHpnHttp6n80o dP0FvxlIGCMoiTJJA+24 =fFkK -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.