moparisthebest: haha yes rather rough meeting for Ge0rG :P
jonas’: … and do not bring us into temptation …
moparisthebest: as a related aside, do you all have experience creating CVEs and know what to put in various boxes like "vendor" etc.?
Ge0rG: I've pulled a bunch of those numbers over the years, and it was a different process each time
Ge0rG: IIRC there wasn't even anything formal the last times
Sam: Vendor is just whoever makes it (I forget the specific problem you were having the other day though, so apologies if I'm restating this); if it's an XEP, it would be the XSF. If it's something else, look up the company or use the name of the project. It might help to look up other CVEs for the same thing and see what's listed
jonas’: Ge0rG, moparisthebest, the last CVE I pulled (in January) worked via a webform with MITRE again
moparisthebest: I got stuck on https://cveform.mitre.org/ "vendor"; it has a link to a list of vendors that is broken...
moparisthebest: so is vendor "gajim" or "ubuntu, debian, redhat, etc. etc."?
jonas’: I think I put in "Prosody" (in January)
jonas’: and that was ok
jonas’: or did I
moparisthebest: I guess I can try that and they can just reject it
jonas’: actually it was eventually assigned by distros@, I'm not sure
Sam: They won't reject it for a minor problem with the vendor. It's just informational stuff; this part doesn't even really matter. Just put the name of whoever makes the thing.
Sam: The vendor would be Gajim, not every possible distro that repackages it, if Gajim is the software the vulnerability is in.
moparisthebest: I'll give it another shot, thank you all :)
moparisthebest: > An attacker who can spoof DNS responses can MITM connections to XMPP servers undetectable because the target domain was validated for the wrong domain name in the certificate.
moparisthebest: can anyone help on this language? it doesn't sound quite right...
moparisthebest: for the suggested CVE text
jonas’: moparisthebest, CWE things are typically a handy reference for this
Ge0rG: > An attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain.
Ge0rG: > An attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control of the XMPP connection and to obtain user credentials and all communication content.
moparisthebest: so much better, thanks very much Ge0rG
Ge0rG: moparisthebest: you're welcome. Years of writing vulnerability reports finally pay off! :D
Sam: Mine probably isn't detailed enough, and yours sounds fine to me, but feel free to steal from it: https://nvd.nist.gov/vuln/detail/CVE-2022-24968
Ge0rG: Sam: fine and concise
moparisthebest: oof, I probably should have put a link to that CVE in references...
Sam: You can update it whenever; it doesn't need to be perfect on first submission
moparisthebest: ah, and yours is specific to WebSocket while gajim (depending on version) and libpurple (always) use BOSH
Sam: Yah, transport doesn't matter though; it's the same issue.
Sam: more or less.
moparisthebest: yep, and it lets an attacker MITM *any* connection attempt even if your server doesn't support XEP-0156 or WebSocket or BOSH
moparisthebest: actually with a small change my xmpp-proxy will let you do this kind of MITM easily...