https://advisory.silicon.moe/advisory/Recent content in Advisories on SiliconForest AdvisoryHugo -- gohugo.ioen-usFri, 29 Dec 2023 00:41:50 +0100https://advisory.silicon.moe/advisory/sif-2023-003/Fri, 29 Dec 2023 00:41:50 +0100https://advisory.silicon.moe/advisory/sif-2023-003/Authors Description RESERVED ENTRY Affected software / version Severity Detailed information Proof-of-Concept code Possible mitigation Disclosure timelinehttps://advisory.silicon.moe/advisory/sif-2023-002/Mon, 04 Dec 2023 19:09:31 +0900https://advisory.silicon.moe/advisory/sif-2023-002/Authors @yunochi*, @perillamint* Description Misskey’s missing signature validation allows arbitrary users to impersonate any remote user. Affected software/version Misskey version below 2023.11.1-beta.1 Firefish version below 1.0.5-rc CherryPick version below 4.5.1 Severity CVSS v4.0 score: 7.1 (High) Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N CVSS v3.1 score: 9.3 (Critical) Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N Detailed information When Misskey has to verify the remote actor is eligible to POST into the inbox, it only validates its HTTP message signature.https://advisory.silicon.moe/advisory/sif-2023-001/Wed, 18 Oct 2023 18:36:48 +0900https://advisory.silicon.moe/advisory/sif-2023-001/Authors perillamint Description Denial of Service attack through Mastodon HTTP signature validation. Affected software / version All currently supported Mastodon version (suspects) Severity CVSS v3.1 score: 7.5 (High) Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Detailed information When Mastodon has to verify the actor is eligible to fetch the status, Mastodon parses the request header and Tries to retrieve the signing key from the remote actor Validate the actor through Webfinger request During this process, maliciously crafted servers intentionally delay communication to the victim server and can hold the connection for up to 20 seconds by delaying both responses right before timeout.