possible rsync validation dos vuln

Nick Hilliard nick at foobar.org
Fri Oct 29 09:26:53 UTC 2021

Randy Bush wrote on 29/10/2021 02:03:
> received this vuln notice four days before these children intend to
> disclose.  so you can guess how inclined to embargo.

The position doesn't seem to be compatible with e.g.

> https://www.first.org/global/sigs/vulnerability-coordination/multiparty/FIRST-Multiparty-Vulnerability-Coordination.pdf

At the top of the FIRST list:

> 1. Establish a strong foundation of processes and relationships
> 2. Maintain clear and consistent communications
> 2.1. All parties should clearly and securely communicate and negotiate expectations and timelines.

Because this didn't happen, we now get to look forward to a weekend of 
elevated risk, followed by people upending their calendars to handle 
un-coordinated upgrades on monday morning.

Vulnerability researchers perform a valuable service, but enthusiasm 
needs to be tempered with an understanding that there are real life 
consequences to not handling this sort of thing in a well-structured 
way.  It doesn't need to be said that: "1. we screwed up with your email 
address, and 2. we're disclosing in 4 days and aren't telling you what 
the problem is unless you agree to our terms" is not an appropriate way 
of handling anything, whatever about claiming to speak on behalf of an NCSC.

This won't be the last time a screw-up of this form happens, so maybe 
NCSC-NL's takeaway should be to ensure that co-ordinated vuln management 
and disclosure happens in a reasonable way when engaging with all parties?

As a separate thing, software authors also need to have clearly defined 
security notification points and vulnerability management policies. 
Most have in this situation, but not all.


> randy
> From: Koen van Hove <k.w.vanhove at student.utwente.nl>
> Subject: CVD: Vulnerabilities in RPKI Validators
> To: randy at psg.com, sra at hactrn.net
> Cc: cert at ncsc.nl
> Date: Wed, 27 Oct 2021 14:59:21 -0700
> Dear Randy Bush and Rob Austein,
> Apologies, this email was previously sent to the wrong email address.
> On behalf of the University of Twente and the National Cyber Security
> Centre of the Netherlands (NCSC-NL) we want to notify you of a Coordinated
> Vulnerability Disclosure for RPKI vulnerabilities that also impact rcynic
> developed by Dragon Research Labs.
> The vulnerabilities were discovered by scientific research on the
> implementation of RPKI validators.
> Together with you, the NCSC-NL, the University of Twente, and multiple
> other parties, we would like to come to a timely solution before the
> results of this research will be made public. More information about
> Coordinated Vulnerability Disclosure can be found here [1].
> The vulnerabilities are classified as a denial of service vulnerability and
> impact multiple implementations of RPKI validators including rcynic. Since
> RPKI is of international interest we hope that you will work together with
> us on this CVD.
> The goal is to have fixes available before 1 November which will also be
> the date that the results of this research will become public. Before 1
> November the information in the CVD, or the fact that a CVD is taking
> place, is to be kept strictly confidential. The fixes are to be released
> collectively on 1 November.
> Please let us know whether you agree to these terms, and want to
> participate in this CVD. If so, we will send you the details. We hope to
> hear from you.
> If there are any further questions, please let us know.
> Yours sincerely,
> Koen van Hove
> University of Twente
> [1] https://english.ncsc.nl/contact/reporting-a-vulnerability-cvd
> - --
> Koen van Hove
> Version: FlowCrypt Email Encryption 8.1.5
> Comment: Seamlessly send and receive encrypted email
> wsDzBAEBCgAGBQJhecu4ACEJEPnqm/++VTh9FiEE5Q3GCKqW0RQyUpA/+eqb
> /75VOH1CjwwAq8Hd0psDhfj6mL4X9ybLGogONpzFKYp9Okv9/CKzQvG4AkLR
> Cvrz3vHlQRKJP8I2PYSLZvtG9D/HXjjKcU+m24jjl2qbKKuSwprqQhLAqabN
> Md+RZFjQGve5Z4vtJsfhXKc4PhaAzMujVc4Mh5Mdbs4sFEdrub1hSnYKlcQV
> PvS/O9SpCYU0E0IC1I455HXxSXUtme+KHtzbGIWQe/mz4KpnZD2Me/Cr1LvG
> Od9izri0Qx5vF+kdpR51PEiwHgN+QkmnUP6Gkrca8TSC2x3ta9B1/ZprdCoZ
> ZYQ7QUFUAkfV+tKCMaBECNOrnDjw8E9GonvzmqpDHBtKBZ3LaxjZX/sxuuTC
> +Ele5nVeWW0ZFqrbanbPy9y1q04tFQd8ewdSN40iXdTj7Ha8GadUhcdSLWqJ
> cLmf71qUAvdwpp0Bt1nhExpU/bEtAaxfnEcTRDX43yUkZXSqV5BxYEyneSLj
> IvFV9AUi56Cx45ESkGRR1ASuCzoc8FCjRH7KOWnaL3fl

More information about the NANOG mailing list