Re: Protocol-level attacks?

This kind of work is important and valuable! ...but it feels pretty far
outside the scope of compliance and interop testing tools like FediTest.
Security researchers or red team members might look at compliance test
results as one source of initial leads for their investigations, but
personally I wouldn't try to do the inverse and build broad security or
defense evaluation into FediTest, beyond maybe testing for specific,
existing known vulnerabilities.

On Sat, Jul 6, 2024 at 9:34 AM Daiki Mizukami <tesaguriguma@gmail.com>
wrote:

> This year saw (re-)outbreaks of a couple of classes of vulnerability
> that have affected multiple Fediverse implementations:
>
> ## Type confusion attack
>
> - Pleroma:
> <https://git.pleroma.social/pleroma/pleroma/-/issues/1948#note_67278>
> - Mastodon (CVE-2024-25623):
> <https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36>
> - Misskey (CVE-2024-25636):
> <https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32>
>
> In addition to the impersonation and account takeover attacks described
> in the linked advisories, this allows potentially malicious
> user-uploaded Activity Streams documents on arbitrary HTTP servers like
> GitHub to be accepted by ActivityPub servers.
>
> Although the ActivityPub spec's recommendation against this class of
> attack hasn't been published yet
> (<https://github.com/w3c/activitypub/issues/432>), the current common
> practice is to check the `Content-Type` of remote documents.
>
> ## Spoofing attack against Linked Data Signatures
>
> - Mastodon (CVE-2022-24307):
> <https://nvd.nist.gov/vuln/detail/CVE-2022-24307>
> - Misskey (CVE-2024-32983):
> <https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj>
> - PeerTube:
> <https://github.com/Chocobozzz/PeerTube/commit/b8635c260694fe9207a2db2be25135dcfada67f3>
>
> See <https://github.com/mastodon/mastodon/pull/17733> for Mastodon's
> test case. The current practice is to apply the JSON-LD compaction
> algorithm to incoming signed activities.
>
> Also, I have a PoC for Misskey's CVE-2024-32983, but I haven't disclosed
> it yet. I've been considering disclosing it soon-ish, as it's been more
> than a month since the patch was released.
>
> That said, I'd argue that new Fediverse implementations shouldn't
> implement Linked Data Signatures, since it's an old spec superseded by
> Verifiable Credentials Data Integrity. Though, the old spec is still
> useful for compatibility with Mastodon today.
>
> On 2024/07/06 8:38, Johannes Ernst wrote:
> > Is anybody aware of any protocol-level attacks against ActivityPub
> > and/or the rest of the protocol stack constituting the fediverse?
> >
> > If you were to be on team red, how would you go about it?
> >
> > While I don’t want to create more work for ourselves :-) I am
> > wondering from the FediTest.org <http://FediTest.org> perspective: is
> > there something we should be testing to assess “resilience against
> > attack”?
> >
> > Brainstorm ideas welcome.
> >
> > Cheers,
> >
> > Johannes.
> >
> > Johannes Ernst
> >
> > Fediforum <https://fediforum.org/>
> > Dazzle Labs <https://dazzlelabs.net/>
> >
> >
>
> --
> Daiki "tesaguri" Mizukami
> <mailto:tesaguriguma@gmail.com>
> Fediverse: @tesaguri@fedibird.com <https://fedibird.com/@tesaguri>
> Matrix: @tesaguri:matrix.org <https://matrix.to/#/@tesaguri:matrix.org>
> GitHub: <https://github.com/tesaguri>
> Keybase: <https://keybase.io/tesaguri>
> OpenPGP: <openpgp4fpr:293ada14a1cb0b1c2313310110478e598b944aa2>
>
>

-- 
https://snarfed.org/

Received on Saturday, 6 July 2024 17:45:16 UTC
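The `Content-Type` check that Daiki's message describes as the current practice against the type-confusion class, written out as an added example that is not part of this thread or of any project named in it: a Python gate that accepts only the two ActivityPub media types, requires the activitystreams profile for `application/ld+json` (and handles several listed profiles), and rejects the same JSON when served as `text/plain` by a generic file host. The sample responses and hostnames are constructed.

```python
import json
from email.message import Message

# The JSON-LD profile ActivityPub requires on application/ld+json documents.
AS2_PROFILE = "https://www.w3.org/ns/activitystreams"


def parse_content_type(header_value):
    """Return (media_type, params): type lower-cased, parameter values
    unquoted, using the stdlib MIME header parser rather than ad-hoc splits."""
    msg = Message()
    msg["Content-Type"] = header_value
    media_type = msg.get_content_type()           # 'type/subtype', lower-cased
    params = {name.lower(): value                 # first entry is the type itself
              for name, value in msg.get_params()[1:]}
    return media_type, params


def is_activitypub_document(header_value):
    """True only for the AS2 media types; application/ld+json additionally
    needs the activitystreams profile (the profile param may list several)."""
    media_type, params = parse_content_type(header_value)
    if media_type == "application/activity+json":
        return True
    if media_type == "application/ld+json":
        return AS2_PROFILE in params.get("profile", "").split()
    return False


def accept_remote_object(response):
    """Gate a fetched document on its Content-Type before the body is parsed.
    `response` is a constructed dict standing in for an HTTP response."""
    if not is_activitypub_document(response.get("content_type", "")):
        return None                               # reject: not served as AS2
    return json.loads(response["body"])


# Constructed sample responses (hypothetical hosts, not real captures).
SAMPLE_RESPONSES = {
    # a Fediverse server answering an actor fetch
    "ap_server": {
        "content_type": 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
        "body": '{"type": "Person", "id": "https://ap.example/users/alice"}',
    },
    # the same JSON uploaded as a plain file to a generic web host
    "generic_host": {
        "content_type": "text/plain; charset=utf-8",
        "body": '{"type": "Person", "id": "https://ap.example/users/alice"}',
    },
}
```

Note that the body is identical in both samples; only the media type the host serves it with decides whether it is treated as an ActivityPub object.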