Re: New CWE for DNS domain normalization/canonicalization with trailing dot
Can I suggest making sure to use both "canonicalization" and "normalization" to aid searchability?

On Mon, Jan 24, 2022 at 10:23 AM Steven M Christey wrote:

> We’ve noted this request to add a new entry to CWE. MITRE’s content
> submission guidelines at
> https://cwe.mitre.org/community/submissions/guidelines.html
> <https://cwe.mitre.org/community/submissions/guidelines.html#problems>
> note that minimum expectations for content submissions should include Name,
> Summary, Extended Description, Modes of Introduction, Potential
> Mitigations, Common Consequences, Applicable Platforms, Demonstrative
> Examples, Observed Examples, Relationships, and References. Incomplete
> submissions are frequently a cause of delays for integration into CWE.
>
> Regarding this specific weakness, I agree that CWE-20 and CWE-180 are not
> ideal. It is probably better placed under CWE-706: Use of
> Incorrectly-Resolved Name or Reference, where an identifier can be provided
> that points to an unexpected resource. Common examples are pathname
> equivalence CWE-42 for a trailing “.”, CWE-52 with a trailing slash, and
> CWE-58 for Windows 8.3 format filenames.
>
> CWE probably does not use the “canonicalization” term as often as it
> should, which hurts the ability for users to discover this. Changes will
> need to be made to CWE content to make this kind of problem easier for CWE
> users to find.
>
> Given how extensively DNS names are used, it seems reasonable for
> including this entry as a variant.
>
> Thanks,
> Steve
>
> *From:* Kurt Seifried
> *Sent:* Monday, January 24, 2022 11:50 AM
> *To:* CWE Research Discussion
> *Subject:* New CWE for DNS domain normalization/canonicalization with
> trailing dot
>
> New CWE for DNS domain normalization/canonicalization with trailing dot
>
> So we have:
>
> https://cwe.mitre.org/data/definitions/20.html
> https://cwe.mitre.org/data/definitions/180.html
>
> which are both, broadly speaking, catch-all buckets too broad to be of
> much help.
>
> I would like to propose a CWE for "Failure to properly handle DNS names
> with or without a trailing dot", e.g.:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0832
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4963
>
> and Sweden accidentally broke DNS for .se back in 2009 with a dot:
>
> https://www.computerworld.com/article/2529045/missing-dot-drops-sweden-off-the-internet.html
>
> And various projects having issues with this spanning many years:
>
> https://bugs.python.org/issue31997
> https://github.com/openssl/openssl/issues/11560
>
> --
> Kurt Seifried (He/Him)
> k...@seifried.org

--
Kurt Seifried (He/Him)
k...@seifried.org

RE: New CWE for DNS domain normalization/canonicalization with trailing dot
We’ve noted this request to add a new entry to CWE. MITRE’s content submission guidelines at https://cwe.mitre.org/community/submissions/guidelines.html <https://cwe.mitre.org/community/submissions/guidelines.html#problems> note that minimum expectations for content submissions should include Name, Summary, Extended Description, Modes of Introduction, Potential Mitigations, Common Consequences, Applicable Platforms, Demonstrative Examples, Observed Examples, Relationships, and References. Incomplete submissions are frequently a cause of delays for integration into CWE.

Regarding this specific weakness, I agree that CWE-20 and CWE-180 are not ideal. It is probably better placed under CWE-706: Use of Incorrectly-Resolved Name or Reference, where an identifier can be provided that points to an unexpected resource. Common examples are pathname equivalence CWE-42 for a trailing “.”, CWE-52 with a trailing slash, and CWE-58 for Windows 8.3 format filenames.

CWE probably does not use the “canonicalization” term as often as it should, which hurts the ability for users to discover this. Changes will need to be made to CWE content to make this kind of problem easier for CWE users to find.

Given how extensively DNS names are used, it seems reasonable for including this entry as a variant.

Thanks,
Steve

From: Kurt Seifried
Sent: Monday, January 24, 2022 11:50 AM
To: CWE Research Discussion
Subject: New CWE for DNS domain normalization/canonicalization with trailing dot

New CWE for DNS domain normalization/canonicalization with trailing dot

So we have:

https://cwe.mitre.org/data/definitions/20.html
https://cwe.mitre.org/data/definitions/180.html

which are both, broadly speaking, catch-all buckets too broad to be of much help.

I would like to propose a CWE for "Failure to properly handle DNS names with or without a trailing dot", e.g.:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4963

and Sweden accidentally broke DNS for .se back in 2009 with a dot:

https://www.computerworld.com/article/2529045/missing-dot-drops-sweden-off-the-internet.html

And various projects having issues with this spanning many years:

https://bugs.python.org/issue31997
https://github.com/openssl/openssl/issues/11560

--
Kurt Seifried (He/Him)
k...@seifried.org

New CWE for DNS domain normalization/canonicalization with trailing dot
New CWE for DNS domain normalization/canonicalization with trailing dot

So we have:

https://cwe.mitre.org/data/definitions/20.html
https://cwe.mitre.org/data/definitions/180.html

which are both, broadly speaking, catch-all buckets too broad to be of much help.

I would like to propose a CWE for "Failure to properly handle DNS names with or without a trailing dot", e.g.:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4963

and Sweden accidentally broke DNS for .se back in 2009 with a dot:

https://www.computerworld.com/article/2529045/missing-dot-drops-sweden-off-the-internet.html

And various projects having issues with this spanning many years:

https://bugs.python.org/issue31997
https://github.com/openssl/openssl/issues/11560

--
Kurt Seifried (He/Him)
k...@seifried.org
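
The weakness proposed in the original post, shown as an added example that is not part of any message in this thread: raw string comparison treats `example.com` and `example.com.` as different hosts, while comparing canonical forms does not. The function names and hostnames are constructed for illustration.

```python
# Added illustration; all names are constructed (example.com is a reserved domain).

def canonical_host(name: str) -> str:
    """Map equivalent spellings of a DNS name to one canonical string."""
    host = name.lower()                  # DNS names compare case-insensitively
    if host.endswith("."):
        host = host[:-1]                 # "example.com." is the fully qualified form
    labels = host.split(".")
    if not host or any(label == "" for label in labels):
        # Rejects "", ".", "a..b" and "example.com.." instead of guessing.
        raise ValueError(f"empty label in {name!r}")
    try:
        host = host.encode("idna").decode("ascii")   # Unicode labels -> ASCII form
    except UnicodeError as exc:
        raise ValueError(f"invalid hostname {name!r}") from exc
    if len(host) > 253 or any(len(label) > 63 for label in host.split(".")):
        raise ValueError(f"hostname too long: {name!r}")
    return host


def naive_same_host(a: str, b: str) -> bool:
    """The weak form: byte-for-byte equality of whatever was supplied."""
    return a == b


def same_host(a: str, b: str) -> bool:
    """Compare only after both sides are canonicalized the same way."""
    return canonical_host(a) == canonical_host(b)


def in_zone(host: str, zone: str) -> bool:
    """True if host is the zone itself or a name beneath it (label-aligned)."""
    h, z = canonical_host(host), canonical_host(zone)
    return h == z or h.endswith("." + z)


if __name__ == "__main__":
    pairs = [("example.com", "example.com."), ("Example.COM.", "example.com")]
    for a, b in pairs:
        print(f"{a!r} vs {b!r}: naive={naive_same_host(a, b)} canonical={same_host(a, b)}")
    print("www.example.com. in example.com:", in_zone("www.example.com.", "example.com"))
    print("notexample.com. in example.com:", in_zone("notexample.com.", "example.com"))
```

Every component that stores, compares or logs a hostname needs to apply the same canonicalization, otherwise two layers can disagree about which host a name refers to.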