Re: New CWE for DNS domain normalization/canonicalization with trailing dot

2022-01-24 Thread Kurt Seifried
Can I suggest making sure to use both "canonicalization" and
"normalization" to aid searchability?



On Mon, Jan 24, 2022 at 10:23 AM Steven M Christey wrote:

> We’ve noted this request to add a new entry to CWE.  MITRE’s content
> submission guidelines at
> https://cwe.mitre.org/community/submissions/guidelines.html
> note that minimum expectations for content submissions should include Name,
> Summary, Extended Description, Modes of Introduction, Potential
> Mitigations, Common Consequences, Applicable Platforms, Demonstrative
> Examples, Observed Examples, Relationships, and References.  Incomplete
> submissions are frequently a cause of delays for integration into CWE.
>
> Regarding this specific weakness, I agree that CWE-20 and CWE-180 are not
> ideal. It is probably better placed under CWE-706: Use of
> Incorrectly-Resolved Name or Reference, where an identifier can be provided
> that points to an unexpected resource. Common examples are pathname
> equivalence CWE-42 for a trailing “.”, CWE-52 with a trailing slash, and
> CWE-58 for Windows 8.3 format filenames.
>
> CWE probably does not use the “canonicalization” term as often as it
> should, which hurts the ability for users to discover this. Changes will
> need to be made to CWE content to make this kind of problem easier for CWE
> users to find.
>
> Given how extensively DNS names are used, it seems reasonable to
> include this entry as a variant.
>
> Thanks,
>
> Steve
>
> *From:* Kurt Seifried 
> *Sent:* Monday, January 24, 2022 11:50 AM
> *To:* CWE Research Discussion 
> *Subject:* New CWE for DNS domain normalization/canonicalization with
> trailing dot
>
>
>
> New CWE for DNS domain normalization/canonicalization with trailing dot
>
> So we have:
>
> https://cwe.mitre.org/data/definitions/20.html
>
> https://cwe.mitre.org/data/definitions/180.html
>
>
>
> which are both, broadly speaking, catch-all buckets too broad to be of
> much help.
>
> I would like to propose a CWE for "Failure to properly handle DNS names
> with or without a trailing dot", e.g.:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0832
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4963
>
> and Sweden accidentally broke DNS for .se back in 2009 with a dot:
>
> https://www.computerworld.com/article/2529045/missing-dot-drops-sweden-off-the-internet.html
>
> And various projects having issues with this spanning many years:
>
> https://bugs.python.org/issue31997
>
> https://github.com/openssl/openssl/issues/11560
>
> --
>
> Kurt Seifried (He/Him)
> k...@seifried.org
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org


RE: New CWE for DNS domain normalization/canonicalization with trailing dot

2022-01-24 Thread Steven M Christey
We’ve noted this request to add a new entry to CWE.  MITRE’s content submission 
guidelines at 
https://cwe.mitre.org/community/submissions/guidelines.html
note that minimum expectations for content submissions should include Name, 
Summary, Extended Description, Modes of Introduction, Potential Mitigations, 
Common Consequences, Applicable Platforms, Demonstrative Examples, Observed 
Examples, Relationships, and References.  Incomplete submissions are frequently 
a cause of delays for integration into CWE.

Regarding this specific weakness, I agree that CWE-20 and CWE-180 are not 
ideal. It is probably better placed under CWE-706: Use of Incorrectly-Resolved 
Name or Reference, where an identifier can be provided that points to an 
unexpected resource. Common examples are pathname equivalence CWE-42 for a 
trailing “.”, CWE-52 with a trailing slash, and CWE-58 for Windows 8.3 format 
filenames.

CWE probably does not use the “canonicalization” term as often as it should, 
which hurts the ability for users to discover this. Changes will need to be 
made to CWE content to make this kind of problem easier for CWE users to find.

Given how extensively DNS names are used, it seems reasonable to include 
this entry as a variant.

Thanks,
Steve



From: Kurt Seifried 
Sent: Monday, January 24, 2022 11:50 AM
To: CWE Research Discussion 
Subject: New CWE for DNS domain normalization/canonicalization with trailing dot

New CWE for DNS domain normalization/canonicalization with trailing dot

So we have:
https://cwe.mitre.org/data/definitions/20.html
https://cwe.mitre.org/data/definitions/180.html

which are both, broadly speaking, catch-all buckets too broad to be of much 
help.

I would like to propose a CWE for "Failure to properly handle DNS names with or 
without a trailing dot", e.g.:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4963

and Sweden accidentally broke DNS for .se back in 2009 with a dot:
https://www.computerworld.com/article/2529045/missing-dot-drops-sweden-off-the-internet.html

And various projects having issues with this spanning many years:
https://bugs.python.org/issue31997
https://github.com/openssl/openssl/issues/11560


--
Kurt Seifried (He/Him)
k...@seifried.org
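
A minimal illustration of the weakness class proposed in this thread, added here and not part of any message above: a host-name policy check that compares raw strings treats `login.example.com.` as a different name from `login.example.com`, while a check that canonicalizes both sides does not. The function names, the `PINNED_HOSTS` policy set and the host names are constructed for illustration, and names are assumed to be ASCII (IDNs already in A-label form).

```python
# Added example: constructed names and policy, not code from the thread.

def canonical_dns_name(name: str) -> str:
    """Return one canonical spelling of a DNS host name for comparisons.

    "example.com" and "example.com." name the same node; the trailing dot
    only marks the name as fully qualified. DNS names also compare
    case-insensitively, so the result is lower-cased.
    """
    if name.endswith("."):
        name = name[:-1]              # drop the single root-label dot
    labels = name.split(".")
    # An empty label means "", ".", a leading dot, "a..b" or "example.com..":
    # reject rather than guess, so malformed input cannot slip past a policy.
    if any(label == "" for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    # Length limits for host names: 63 octets per label, 253 characters total.
    if len(name) > 253 or any(len(label) > 63 for label in labels):
        raise ValueError(f"DNS name too long: {name!r}")
    return name.lower()


# Constructed policy: hosts that must receive strict handling
# (for example certificate pinning or a forced-HTTPS rule).
PINNED_HOSTS = {"login.example.com"}


def is_pinned_naive(host: str) -> bool:
    """Weak form: raw string comparison, no normalization/canonicalization."""
    return host in PINNED_HOSTS


def is_pinned(host: str) -> bool:
    """Hardened form: canonicalize both the input and the policy entries."""
    policy = {canonical_dns_name(h) for h in PINNED_HOSTS}
    return canonical_dns_name(host) in policy


if __name__ == "__main__":
    for host in ("login.example.com", "login.example.com.", "LOGIN.Example.COM."):
        print(f"{host!r:24} naive={is_pinned_naive(host)} hardened={is_pinned(host)}")
```

The same canonical form has to be applied everywhere a name is stored or compared (policy tables, cache keys, certificate name matching), otherwise two components can still disagree about whether two spellings are the same host.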