Hi Tim, On VINCE questions: There is the software VINCE and CERT/CC own instance, so for all the relevant details of our workflow and communication you may find the VINCE FAQ more valuable.
https://vuls.cert.org/confluence/display/VIN/Frequently+Asked+Questions We are still learning ways to have a better coordination workflow, especially when handling multivendor (libraries, comprehension Maven) and complex disclosure (RFCs, Standards bodies, Forums and Framework). Most open source projects have distinct contacts, workflows and “Embargo” (time period for private communications) expectations. Some open source projects find VINCE cumbersome, so we have done a few things like added API https://vuls.cert.org/confluence/display/VIN/VINCE+API , attempted integration with GitHub, created some email workflows / automation. We struggle sometimes with outreach as broader outreach (email all about vulnerability to a distributed list) may end up in a “leak” - but asking vendors to come to a portal may end up in more keyboard time for people who are already busy running projects sometime solo. So the long answer, we are happy to help projects like Postfix and researchers trying to reach vendors. Right now Wietse is in our platform, we will try to get information next time as timely as possible perhaps. Amazingly Wietse is so responsive.. Not sure how he keeps up. Thanks Vijay ________________________________ From: Tim Weber <scy+postfix-us...@scy.name> Sent: Saturday, December 23, 2023 11:48:56 AM To: Vijay S Sarvepalli <vssarvepa...@cert.org>; Postfix users <postfix-users@postfix.org> Subject: [pfx] Re: SMTP Smuggling disclosure process & VINCE Warning: External Sender - do not click links or open attachments unless you recognize the sender and know the content is safe. Hi Vijay, thank you very much for this detailed explanation. I found it especially useful to learn about CERT/CC's workflow, since people like me, who are neither security researchers nor maintainers of well-known software projects, have little insight into this. While I was able to reach VINCE's source code repository very fast, I was not able to find a good explanation on how the communication using it actually works, and what kind of information is shared by whom, and with whom. So, in summary, I understood that from the initial description given by SEC, a) the way the attack works, b) the potential impact of spoofing SPF/DMARC, and above all c) that one might need to combine several different software products to perform the exploit, was not communicated explicitly enough, and thus the attack did not receive the attention that might have been warranted. According to SEC's timeline, this was still months before the release of their blog article, and therefore it's reasonable to assume that SEC themselves might not have fully explored the extent of the vulnerability they had discovered, or the degree to which FLOSS projects like Postfix or Sendmail were actually affected. Maybe they only learned about this later, when compiling their article. On Saturday, 2023-12-23 02:30+01:00, Vijay S Sarvepalli <vssarvepa...@cert.org> wrote: > Retrospectively, the most valuable thing we could have had is a Preview of > the Blog privately to all vendors impacted before releasing it. This is > something SEC could have done (or CERT/CC requested) that may have brought > more clarity for what exactly SEC Consult is talking about (or how much > bigger the research had become) and potentially delayed the disclosure to > give Vendors more time. I think this is a very good way to look at it, and a helpful lesson from this situation. Especially since, reading the article as it was published, it is obvious that SEC must have known the impact to Postfix and Sendmail. I understand their urge to notify Cisco customers about the problematic default configuration, but this was just bad timing and caused unnecessary stress for the Postfix maintainers and admins. Thanks again, and best regards Tim.
_______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
