Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20151202171316.74D4C52E0AA@smtpvbsrv1.mitre.org>
Date: Wed,  2 Dec 2015 12:13:16 -0500 (EST)
From: cve-assign@...re.org
To: andrea@...ersepath.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: shellinabox - DNS rebinding attack due to HTTP fallback

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://github.com/shellinabox/shellinabox/issues/355

As far as we can tell, "Stephen Roettger from the Google Security Team
reported to us" means that the report was sent to you in your role as
a maintainer of usbarmory, not in anyone's role as a maintainer of
shellinabox. The case for considering this a shellinabox vulnerability
report (rather than a shellinabox improvement suggestion) may be
marginal.

We decided to assign CVE-2015-8400 for a vulnerability in shellinabox.
This same CVE ID can be used by anyone (such as usbarmory) who makes a
security announcement in direct response to the vulnerability,
regardless of whether the announcement is about removing the package
or changing the package.

The basic rationale is that 'allows HTTP fallback, even when
configured for HTTPS, via the "/plain" URL' is apparently undocumented
(and has the stated security risk). If there had been something in
https://github.com/shellinabox/shellinabox/wiki/shellinaboxd_man or
even a source-code comment saying why the behavior had been chosen
despite the risk, the outcome may have been different. There are
various other choices in shellinaboxd that may seem unusual to people
unfamiliar with the product's use cases, e.g.,

  Unless SSL certificates can be found in the current directory, the
  daemon will automatically generate suitable self-signed
  certificates. ... the use of auto-generated self-signed certificates
  is intended for testing or in intranet deployments

(Someone could conceivably argue that "automatically generate" should
not be a default behavior.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWXyYvAAoJEL54rhJi8gl5HHIQALCaT0oJcosS7cuES5nBei+1
gAakY0/tDSun231wnkRbG0D8r4OIYB9rsQRwCe8uJgompSkVpt3EvwQKwwkyOoQx
EqqXELBUNjeGo08XX9g4QDJ0Vi0rNm6XFQBvXqhAkIHcy12QLQ5uAS2h9oRPn6gA
/IT4KaIVxclvHTfYcTImBCWL3AS4WEcRNw2Ws0Ua8i4ZUCRZ2nq0VCztEV358JvX
4Rmw/0ZoudB2LUFFCOwCFohksyGvvct24e1aXz9m5jhxL5+yzrhAH3g50o8imzhI
jHm+LZz8T4MGQfQ8zw5dnMtJwL4BymZQKODmrjzgJZKk/URBvTRi7CjX6kR2f51C
gMABfQhOKKsF/ttOz2etKPvGQA47rIVnlsEmBYX62jZoRR6DcJURsXyw0qYMmzms
q0L/QAUKpy8OonZGQrxPcYa1DjVU47cbkew4iCuKYeyIcMFcflek3HU8Q+OxYk56
InyfFgXoU8VCG2+WQCglKRnkdOPU0RSaZqFDsWz2lAx2nVC4fkoZVnrLM7TPg4ua
0mqD46TSvoOM6sOwT6WXmO7PBP0DsiHPZqtHmnh0+bOTMjnSIEYgd+nw4GA2drSt
GOzMfxkf18YW9SgCvRPb97vomQuQykF6Om8jtlFQxOyVDk5UKYkmHpnHttp6n80o
dP0FvxlIGCMoiTJJA+24
=fFkK
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.