chpietsch,

Reading about the recent SMTP and SSH vulnerabilities, I get the impression that open source projects, proprietary vendors and government agencies such as @certbund don't know how to talk to each other. They should at least have something like a red phone.

Please comment here if you have a constructive idea on how to improve the situation! #SECconsulting seems to assume that everyone uses #VINCE, a CMU service I had never heard of.

#SMTP:
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
https://www.postfix.org/smtp-smuggling.html

#SSH:
https://terrapin-attack.com/patches.html

#SMTPsmuggling #Terrapin #ITsec #37c3

screenshot from the Postfix website: SMTP Smuggling [An updated version of this text may be found at https://www.postfix.org/smtp-smuggling.html] Author: Wietse Venema Last update: December 23, 2023 Summary Days before a 10+ day holiday break and associated production change freeze, SEC Consult has published an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than . Unfortunately, criticial information provided by the researcher was not passed on to Postfix maintainers before publication of the attack, otherwise we would certainly have convinced SEC Consult to postpone publication until after people had a chance to update their Postfix systems. …
screenshot from the Terrapin website: … Aside from the SSH implementations marked with an asterisk, we included the following implementations, vendors, and CERTs in our responsible disclosure process. Due to the lack of proper security contacts and response, we were not able to disclose our findings to some of them. AbsoluteTelnet (Celestial Software) Amazon AWS CERT-Bund Cisco Ericsson Microsoft Mikrotik Partnered CERTs of CERT-Bund (via CERT-Bund) SSH Server for Windows (Georgia Softworks) Tectia SSH (SSH Communications Security, Inc.) Termius (Termius Corporation) The selection of SSH implementations contacted during responsible disclosure was based on several factors. We aimed to achieve a decent coverage of "strict kex" on public disclosure by focusing on the underlying SSH implementations. We gathered all SSH implementations listed in publicly available resources (Wikipedia SSH clients, Wikipedia SSH servers, Quendi SSH implementation comparison) as a baseline. …

waldi,
@waldi@chaos.social avatar

@chpietsch They comminicated through a clothing store? Okay, with the name "VINCE" nothing shows up. And wow does this site show much use. 13 public entries this year.

chpietsch,

@waldi Obviously, Vince was the name of an artficial human-like agent I helped build at #citec.

This VINCE however is located at https://kb.cert.org/vince/ .

  • All
  • Subscribed
  • Moderated
  • Favorites
  • random
  • DreamBathrooms
  • everett
  • InstantRegret
  • magazineikmin
  • thenastyranch
  • rosin
  • GTA5RPClips
  • Durango
  • Youngstown
  • slotface
  • khanakhh
  • kavyap
  • ngwrru68w68
  • tacticalgear
  • JUstTest
  • osvaldo12
  • tester
  • cubers
  • cisconetworking
  • mdbf
  • ethstaker
  • modclub
  • Leos
  • anitta
  • normalnudes
  • megavids
  • provamag3
  • lostlight
  • All magazines
    •