Hi Tim,

On VINCE questions:
There is the software VINCE and CERT/CC own instance, so for all the relevant 
details of our workflow and communication you may find the VINCE FAQ more 
valuable.

https://vuls.cert.org/confluence/display/VIN/Frequently+Asked+Questions

We are still learning ways to have a better coordination workflow, especially 
when handling multivendor (libraries, comprehension Maven) and complex 
disclosure (RFCs, Standards bodies, Forums and Framework).  Most open source 
projects have distinct contacts, workflows and “Embargo” (time period for 
private communications) expectations.  Some open source projects find VINCE 
cumbersome, so we have done a few things like added API   
https://vuls.cert.org/confluence/display/VIN/VINCE+API , attempted integration 
with GitHub, created some email workflows / automation.  We struggle sometimes 
with outreach as broader outreach (email all about vulnerability to a 
distributed list) may end up in a “leak” - but asking vendors to come to a 
portal may end up in more keyboard time for people who are already busy running 
projects sometime solo.

So the long answer, we are happy to help projects like Postfix and researchers 
trying to reach vendors.  Right now Wietse is in our platform, we will try to 
get information next time as timely as possible perhaps. Amazingly Wietse is so 
responsive.. Not sure how he keeps up.

Thanks
Vijay
________________________________
From: Tim Weber <scy+postfix-us...@scy.name>
Sent: Saturday, December 23, 2023 11:48:56 AM
To: Vijay S Sarvepalli <vssarvepa...@cert.org>; Postfix users 
<postfix-users@postfix.org>
Subject: [pfx] Re: SMTP Smuggling disclosure process & VINCE

Warning: External Sender - do not click links or open attachments unless you 
recognize the sender and know the content is safe.


Hi Vijay,

thank you very much for this detailed explanation. I found it especially useful 
to learn about CERT/CC's workflow, since people like me, who are neither 
security researchers nor maintainers of well-known software projects, have 
little insight into this. While I was able to reach VINCE's source code 
repository very fast, I was not able to find a good explanation on how the 
communication using it actually works, and what kind of information is shared 
by whom, and with whom.

So, in summary, I understood that from the initial description given by SEC, a) 
the way the attack works, b) the potential impact of spoofing SPF/DMARC, and 
above all c) that one might need to combine several different software products 
to perform the exploit, was not communicated explicitly enough, and thus the 
attack did not receive the attention that might have been warranted.

According to SEC's timeline, this was still months before the release of their 
blog article, and therefore it's reasonable to assume that SEC themselves might 
not have fully explored the extent of the vulnerability they had discovered, or 
the degree to which FLOSS projects like Postfix or Sendmail were actually 
affected. Maybe they only learned about this later, when compiling their 
article.

On Saturday, 2023-12-23 02:30+01:00, Vijay S Sarvepalli <vssarvepa...@cert.org> 
wrote:
> Retrospectively, the most valuable thing we could have had is a Preview of 
> the Blog privately to all vendors impacted before releasing it. This is 
> something SEC could have done (or CERT/CC requested) that may have brought 
> more clarity for what exactly SEC Consult is talking about (or how much 
> bigger the research had become) and potentially delayed the disclosure to 
> give Vendors more time.

I think this is a very good way to look at it, and a helpful lesson from this 
situation. Especially since, reading the article as it was published, it is 
obvious that SEC must have known the impact to Postfix and Sendmail. I 
understand their urge to notify Cisco customers about the problematic default 
configuration, but this was just bad timing and caused unnecessary stress for 
the Postfix maintainers and admins.

Thanks again, and best regards

   Tim.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Reply via email to