Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://were.social/objects/cfe6a3fd-17d5-439f-b81a-7d750baca280">arcanicanis (arcanicanis@were.social)'s status on Friday, 16-Feb-2024 01:19:14 JST</a><a href="https://were.social/users/arcanicanis" title="arcanicanis@were.social"><img src="https://gnusocial.jp/avatar/10459-48-20220918060352.webp" width="48" height="48" alt="arcanicanis" style="position: absolute; left: 0; top: 0;">arcanicanis</a></section><article><p>So here’s an example of one of the maliciously-crafted payloads that resulted in a 9.8 severity CVE (CVE-2024-23832) against Mastodon:</p>{
  "@context": ["https://www.w3.org/ns/activitystreams"],
  "id": "https://mastodon.social/users/Gargron/posts/123456",
  "type": "Note",
  "actor": "https://mastodon.social/users/Gargron",
  "attributedTo": "https://mastodon.social/users/Gargron",
  "content": "Well, this is an extremely concerning vulnerability I should have accounted for.",
  "to": [ "https://www.w3.org/ns/activitystreams#Public" ],
  "cc": [ "https://mastodon.social/users/Gargron/followers" ],
  "published": "2024-01-28T22:00:00Z"
}<p>I have previously double-checked with one of the Mastodon developers (while CC’ing the Mastodon Security email) to confirm that I’m free to release the details at this scheduled time (Feb 15th 15:00 UTC). According to the current observed metrics on FediDB, &gt;73.6% of Mastodon instances are patched against CVE-2024-23832, as manually tabulated.</p><p>For more details on the vulnerability, the original security report as it was submitted on Github is available at: <a href="https://arcanican.is/excerpts/cve-2024-23832/">https://arcanican.is/excerpts/cve-2024-23832/</a></p><p>My recount of events (as well as unsolicited commentary and criticisms on the vulnerability, ecosystem, etc; when I get around to finishing it): <a href="https://arcanican.is/excerpts/cve-2024-23832/discovery.htm">https://arcanican.is/excerpts/cve-2024-23832/discovery.htm</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2720016#notice-5396164">In conversation</a><time datetime="2024-02-16T01:19:14+09:00" title="Friday, 16-Feb-2024 01:19:14 JST">about 9 months ago</time> <span>from <span><a href="https://were.social/objects/cfe6a3fd-17d5-439f-b81a-7d750baca280" rel="external" title="Sent from were.social via ActivityPub">were.social</a></span></span><a href="https://were.social/objects/cfe6a3fd-17d5-439f-b81a-7d750baca280">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/51294">Untitled attachment</a></label><br></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/61551">Untitled attachment</a></label><br></li><li><article><header><div>Domain not in remote thumbnail source whitelist: files.mastodon.social</div><h5><a href="https://mastodon.social/@Gargron">Eugen ? (@Gargron@mastodon.social)</a></h5><div></div></header><div>72.7K Posts, 320 Following, 211K Followers · Founder, CEO and lead developer @Mastodon, Germany.</div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/2263006">Screenshot of @Gargron@mastodon.social post history as seen from a vulnerable Mastodon instance in a test lab, where an impersonated post has been injected onto the server in the test lab, where the impersonated post reads "Well, this is an extremely major vulnerability I should have accounted for."</a></label><br><a href="https://were.social/media/6ff54bdc52e5011feb9b11a715a0e4206060a10b523d864814345a3fc7f9734c.png" rel="external">https://were.social/media/6ff54bdc52e5011feb9b11a715a0e4206060a10b523d864814345a3fc7f9734c.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/2263007">Screenshot of @Gargron@mastodon.social profile from a vulnerable Mastodon instance in a test lab, where an a profile field has been overwritten on the server in the test lab</a></label><br><a href="https://were.social/media/c0bf24a97dec84fbbc9c22244334160c7b056d29b03ab180bae6d2bb57455441.png" rel="external">https://were.social/media/c0bf24a97dec84fbbc9c22244334160c7b056d29b03ab180bae6d2bb57455441.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/2263008">Untitled attachment</a></label><br></li><li><article><header><div>Domain not in remote thumbnail source whitelist: files.mastodon.social</div><h5><a href="https://mastodon.social/@Gargron/followers">Mastodon</a></h5><div></div></header><div>76.1K Posts, 512 Following, 344K Followers · Founder of @Mastodon. Film photography, prog metal, Dota 2.</div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/2263010">Untitled attachment</a></label><br></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://arcanican.is/excerpts/cve-2024-23832/discovery.htm">Remote User Impersonation and Takeover via Cache Poisoning</a></h5><div></div></header><div></div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
arcanicanis (arcanicanis@were.social)'s status on Friday, 16-Feb-2024 01:19:14 JST arcanicanis
So here’s an example of one of the maliciously-crafted payloads that resulted in a 9.8 severity CVE (CVE-2024-23832) against Mastodon:
{ "@context": ["https://www.w3.org/ns/activitystreams"], "id": "https://mastodon.social/users/Gargron/posts/123456", "type": "Note", "actor": "https://mastodon.social/users/Gargron", "attributedTo": "https://mastodon.social/users/Gargron", "content": "Well, this is an extremely concerning vulnerability I should have accounted for.", "to": [ "https://www.w3.org/ns/activitystreams#Public" ], "cc": [ "https://mastodon.social/users/Gargron/followers" ], "published": "2024-01-28T22:00:00Z" }
I have previously double-checked with one of the Mastodon developers (while CC’ing the Mastodon Security email) to confirm that I’m free to release the details at this scheduled time (Feb 15th 15:00 UTC). According to the current observed metrics on FediDB, >73.6% of Mastodon instances are patched against CVE-2024-23832, as manually tabulated.
For more details on the vulnerability, the original security report as it was submitted on Github is available at: https://arcanican.is/excerpts/cve-2024-23832/
My recount of events (as well as unsolicited commentary and criticisms on the vulnerability, ecosystem, etc; when I get around to finishing it): https://arcanican.is/excerpts/cve-2024-23832/discovery.htm
In conversationabout 9 months ago from were.socialpermalink
Attachments
1. Untitled attachment
2. Untitled attachment
3. Domain not in remote thumbnail source whitelist: files.mastodon.social
  Eugen ? (@Gargron@mastodon.social)
  72.7K Posts, 320 Following, 211K Followers · Founder, CEO and lead developer @Mastodon, Germany.
4. Screenshot of @Gargron@mastodon.social post history as seen from a vulnerable Mastodon instance in a test lab, where an impersonated post has been injected onto the server in the test lab, where the impersonated post reads "Well, this is an extremely major vulnerability I should have accounted for."
  https://were.social/media/6ff54bdc52e5011feb9b11a715a0e4206060a10b523d864814345a3fc7f9734c.png
5. Screenshot of @Gargron@mastodon.social profile from a vulnerable Mastodon instance in a test lab, where an a profile field has been overwritten on the server in the test lab
  https://were.social/media/c0bf24a97dec84fbbc9c22244334160c7b056d29b03ab180bae6d2bb57455441.png
6. Untitled attachment
7. Domain not in remote thumbnail source whitelist: files.mastodon.social
  Mastodon
  76.1K Posts, 512 Following, 344K Followers · Founder of @Mastodon. Film photography, prog metal, Dota 2.
8. Untitled attachment
9. No result found on File_thumbnail lookup.
  Remote User Impersonation and Takeover via Cache Poisoning