CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

grarpamp grarpamp at
Thu Jul 4 02:51:12 UTC 2019


>> discussion around disclosure policies

> In today's world of parallel discovery, leaks, sec org infiltration by
> adversary, surveillance, no crypto, rapid automated exploit, etc...
> to wait for patch, polish, and press release advert, to not disclose,
> afford users local action up to immediate offlining for safety and wait,
> to draw upon entire community pool that has time*ability factor to fix... is
> thought by many [users] as irresponsible to users. There is no tone. And
> of course this one isn't currently a remote or local root. But what if it
> was...
> For those interested or new, there's lots of historical discussion with
> and without tone that can be found on any seclist, yet is no universal..
A recent Firefox zero-day that has made headlines across the tech news
world this week was actually used in attacks against Coinbase
employees, and not the company's users. Furthermore, the attacks used
not one, but two Firefox zero-days, according to Philip Martin, a
member of the Coinbase security team, which reported the attacks to
Mozilla. One was an RCE reported by a Google Project Zero security
researcher to Mozilla in April, and the second was a sandbox escape
that was spotted in the wild by the Coinbase team together with the
RCE, on Monday.
The question here is how an attacker managed to get hold of the
details for the RCE vulnerability and use it for his attacks after the
vulnerability was privately reported to Mozilla by Google. The
attacker could have found the Firefox RCE on his own, he could have
bribed a Mozilla/Google insider, hacked a Mozilla/Google employee and
viewed details about the RCE, or hacked Mozilla's bug tracker, like
another attacker did in 2015.

> The charter last marked current 2002... is there any actual and
> posted mandatory timeliness disclosure trigger component?
> One that gets overall reviewed for user input say every N-years?
> Perhaps something more security focused than the general...

More information about the freebsd-security mailing list