Andre Frech's comments on CVE CERT candidate cluster
All:

Below are comments by Andre Frech on the CERT cluster. Thanks, Andre!

I will post a summary of all comments tomorrow. While less than half of the Editorial Board has responded so far, I intend to move the non-controversial (all accepted) CERT candidates into the Interim Decision phase, then propose the VEN candidate cluster (which will be split into smaller, more "logical" sub-clusters, per Adam Shostack's suggestion).

- Steve

From: "Andre Frech" <afrech@iss.net>
To: "'Steven M. Christey'" <coley@linus.mitre.org>
Subject: CVE1 candidate cluster comments
Date: Wed, 16 Jun 1999 13:47:35 -0400
Message-ID: <000401beb820$51e307d0$b00415d0@sprawl.iss.net>

------------------------------------------
Candidate: CAN-1999-0003
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.11.tooltalk
Reference: NAI:NAI-29
Reference: SGI:19981101-01-A
Reference: SGI:19981101-01-PX

Execute commands as root via buffer overflow in Tooltalk database server (rpc.ttdbserverd)

MODIFY:
Reference: XF:aix-ttdbserver
Reference: XF:tooltalk

------------------------------------------
Candidate: CAN-1999-0004
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175

MIME buffer overflows in mail/news clients, e.g. Solaris mailtool.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0005
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.09.imapd
Reference: XF:imap-authenticate-bo
Reference: SUN:00177

Arbitrary command execution via IMAP buffer overflow, as in CERT:CA-98.09.imapd.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0006
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.08.qpopper_vul
Reference: SGI:19980801-01-I
Reference: AUSCERT:AA-98.01
Reference: XF:qpopper-pass-overflow

Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0007
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.07.PKCS
Reference: XF:nt-ssl-fix

Information from SSL-encrypted sessions via PKCS #1

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0008
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.06.nisd
Reference: SUN:00170
Reference: ISS:June10,1998
Reference: XF:nisd-bo-check

Buffer overflow in NIS+, in Sun's rpc.nisd program

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0013
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.03.ssh-agent
Reference: NAI:NAI-24
Reference: XF:ssh-agent

Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0014
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.02.CDE
Reference: SUN:00185

Unauthorized privileged access or denial of service via dtappgather program in CDE.

MODIFY:
Reference: XF:cde-dtappgather

------------------------------------------
Candidate: CAN-1999-0017
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.27.FTP_bounce
Reference: XF:ftp-bounce
Reference: XF:ftp-privileged-port

FTP bounce attack to connect to arbitrary ports on machines other than the FTP client.

MODIFY:
Reference: XF:iis-check-enable-port-attack (INTERNAL)(Port Attack = enabled on FTP server)

------------------------------------------
Candidate: CAN-1999-0018
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.26.statd
Reference: XF:statd
Reference: AUSCERT:AA-97.29

Root privileges via statd, as in CERT:CA-97.26.statd, due to buffer overflow.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0019
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.09.rpc.statd
Reference: XF:rpc-stat
Reference: SUN:00135

Delete or create a file via rpc.statd, due to invalid information.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0021
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.24.Count_cgi
Reference: XF:http-cgi-count

Arbitrary command execution via buffer overflow in Count.cgi (wwwcount) cgi-bin program.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0022
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.23.rdist
Reference: XF:rdist-bo3
Reference: XF:rdist-sept97

Local user gains root privileges via buffer overflow in rdist, via expstr() function.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0023
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.14.rdist_vul
Reference: XF:rdist-bo
Reference: XF:rdist-bo2

Local user gains root privileges via buffer overflow in rdist, via lookup() function.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0024
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.22.bind
Reference: XF:bind
Reference: NAI:NAI-11

DNS cache poisoning via BIND, by predictable query IDs.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0032
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.19.bsdlp
Reference: AUSCERT:AA-96.12
Reference: XF:bsd-lprbo2
Reference: CIAC:I-042
Reference: SGI:19980402-01-PX

Command execution in BSD-based lpr package (lp) due to buffer overflow.

MODIFY:
References: XF:bsd-lprbo
References: XF:lpr-bo

------------------------------------------
Candidate: CAN-1999-0033
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo

Command execution in Sun systems via buffer overflow in the at program

RECAST:
This vulnerability also manifests itself for the following platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light, please add the following:
Reference: XF:at-bo

------------------------------------------
Candidate: CAN-1999-0034
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.17.sperl
Reference: XF:perl-suid

Buffer overflow in suidperl (sperl), Perl 4.x and 5.x

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0035
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.16.ftpd
Reference: AUSCERT:AA-97.03

Race condition in signal handling routine in ftpd, allowing read/write arbitrary files

MODIFY:
Reference: XF:ftp-ftpd

------------------------------------------
Candidate: CAN-1999-0036
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.15.sgi_login
Reference: AUSCERT:AA-97.12
Reference: SGI:19970508-02-PX
Reference: XF:sgi-lockout

IRIX login program with a nonzero LOCKOUT parameter allows creation or damage to files.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0038
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.13.xlock
Reference: XF:xlock-bo

Buffer overflow in xlock program allows local users to execute commands as root.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0039
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.12.webdist
Reference: AUSCERT:AA-97.14
Reference: SGI:19970501-02-PX
Reference: XF:http-sgi-webdist

Arbitrary command execution using webdist CGI program in IRIX.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0040
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.11.libXt
Reference: XF:libXt-bo

Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0041
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.10.nls
Reference: XF:nls-bo

Buffer overflow in NLS (Natural Language Service)

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0043
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.08.innd
Reference: XF:inn-controlmsg

Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0045
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.07.nph-test-cgi_script
Reference: XF:http-cgi-nph

List of arbitrary files on Web host via nph-test-cgi script

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0046
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.06.rlogin-term
Reference: XF:bsdi-rlogind

Buffer overflow of rlogin program using TERM environmental variable

MODIFY:
Remove reference to bsdi-rlogind (I don't think bsdi-rlogind explicitly refers to TERM, while rlogin-termbo does.)
Reference: XF:rlogin-termbo

------------------------------------------
Candidate: CAN-1999-0049
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.03.csetup

Csetup under IRIX allows arbitrary file creation or overwriting.

MODIFY:
Reference: XF:sgi-csetup

------------------------------------------
Candidate: CAN-1999-0050
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.02.hp_newgrp
Reference: AUSCERT:AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability
Reference: XF:hp-newgrpbo

Buffer overflow in HP-UX newgrp program

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0051
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.01.flex_lm
Reference: AUSCERT:AA-96.03

Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.

MODIFY:
Reference: XF:sgi-licensemanager

------------------------------------------
Candidate: CAN-1999-0067
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.06.cgi_example_code
Reference: XF:http-cgi-phf

CGI phf program allows remote command execution

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0073
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95:14.Telnetd_Environment_Vulnerability
Reference: XF:linkerbug

Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0078
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd
Reference: XF:nfs-pcnfsd

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0080
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95:16.wu-ftpd.vul
Reference: XF:ftp-execdotdot

wu-ftp FTP server allows root access via "site exec" command.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0099
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.13.syslog.vul
Reference: XF:smtp-syslog

A buffer overflow in the syslog utility allows remote execution through Sendmail.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0117
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-92:07.AIX.passwd.vulnerability

AIX passwd allows local users to gain root access.

MODIFY:
Reference: XF:ibm-passwd

------------------------------------------
Candidate: CAN-1999-0128
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.26.ping

Oversized ICMP ping packets can result in a denial of service, e.g. from the Ping o' Death exploit.

MODIFY:
Reference: XF:ping-death
Reference: XF:openbsd-ping-bo
Reference: XF:sun-ping

------------------------------------------
Candidate: CAN-1999-0129
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.25.sendmail_groups

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

PENDING. NEEDS RESEARCH.

------------------------------------------
Candidate: CAN-1999-0130
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.24.sendmail.daemon.mode

Local users can start Sendmail in daemon mode and gain root privileges.

MODIFY:
Reference: XF:sendmail-daemon-mode

------------------------------------------
Candidate: CAN-1999-0131
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.20.sendmail_vul

Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.

MODIFY:
Reference: XF:smtp-875bo

------------------------------------------
Candidate: CAN-1999-0132
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.19.expreserve
Reference: XF:expreserve

Expreserve, used in vi and ex, allows local users to overwrite arbitrary files and gain root access.

MODIFY:
Reference: XF:expreserve

------------------------------------------
Candidate: CAN-1999-0133
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.18.fm_fls
Reference: XF:fmaker-logfile

fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0134
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.17.Solaris_vold_vul
Reference: AUSCERT:AL-96.04

vold in Solaris 2.x allows local users to gain root access

MODIFY:
Reference: XF:sol-voldtmp

------------------------------------------
Candidate: CAN-1999-0135
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.16.Solaris_admintool_vul
Reference: AUSCERT:AL-96.03

admintool in Solaris allows a local user to write to arbitrary files and gain root access.

MODIFY:
Reference: XF:sun-admintool

------------------------------------------
Candidate: CAN-1999-0136
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: AUSCERT:AL-96.02
Reference: CERT:CA-96.15.Solaris_KCMS_vul

Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access.

MODIFY:
Reference: XF:sol-KCMSvuln

------------------------------------------
Candidate: CAN-1999-0137
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.13.dip_vul
Reference: XF:dip-bo

The dip program on many Linux systems allows local users to gain root access via a buffer overflow.

MODIFY:
Reference: XF:linux-dipbo

------------------------------------------
Candidate: CAN-1999-0141
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.07.java_bytecode_verifier
Reference: SUN:00134

Java Bytecode Verifier allowed malicious applets to execute arbitrary commands as the user of the applet.

MODIFY:
Reference: XF:http-java-applet

------------------------------------------
Candidate: CAN-1999-0142
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.05.java_applet_security_mgr

Java Applet Security Manager allows an applet to connect to arbitrary hosts.

MODIFY:
Reference: XF:http-java-appletsecmgr

------------------------------------------
Candidate: CAN-1999-0143
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.03.kerberos_4_key_server
Reference: XF:kerberos-bf

Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.

ACCEPT.

------------------------------------------
Candidate: CAN-1999-0155
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.10.ghostscript

The ghostscript command with the -dSAFER option allows remote attackers to execute commands.

MODIFY:
Reference: XF:gscript-dsafer

------------------------------------------
Candidate: CAN-1999-0164
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: AUSCERT:AA-95.07
Reference: CERT:CA-95.09.Solaris.ps.vul

A race condition in the Solaris ps command allows an attacker to overwrite critical files.

MODIFY:
Reference: XF:sol-pstmprace

------------------------------------------
Candidate: CAN-1999-0207
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: XF:majordomo-exe
Reference: CERT:CA-94.11.majordomo.vulnerabilities

Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command.

PENDING. NEEDS RESEARCH.

------------------------------------------
Candidate: CAN-1999-0208
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.17.rpc.ypupdated.vul

rpc.ypupdated (NIS) allowed remote users to execute arbitrary commands.

MODIFY:
Reference: XF:rpc-update

------------------------------------------
Candidate: CAN-1999-0209
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-90.05.sunselection.vulnerability

The SunView (SunTools) selection_svc facility allows remote users to read files.

MODIFY:
Reference: XF:selsvc

------------------------------------------
Candidate: CAN-1999-0267
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.04.NCSA.http.daemon.for.unix.vulnerability

Buffer overflow in NCSA HTTP daemon v1.3 allowed remote command execution.

MODIFY:
Reference: XF:http-port

------------------------------------------
Candidate: CAN-1999-0277
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.23.workman_vul

The WorkMan program can be used to overwrite any file to get root access.

MODIFY:
Reference: XF:workman

------------------------------------------
Candidate: CAN-1999-0334
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: XF:sol-startup
Reference: CERT:CA-93.19.Solaris.Startup.vulnerability

In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access.

MODIFY:
Reference: XF:sol-startup

------------------------------------------
Candidate: CAN-1999-0337
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-94.10.IBM.AIX.bsh.vulnerability.html
Reference: XF:ibm-bsh

AIX batch queue (bsh) allows local and remote users to gain additional privileges when network printing is enabled.

MODIFY:
Reference: XF:ibm-bsh

------------------------------------------
Candidate: CAN-1999-0338
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: XF:ibm-perf-tools
Reference: CERT:CA-94.03.AIX.performance.tools

AIX Licensed Program Product performance tools allow local users to gain root access.

MODIFY:
Reference: XF:ibm-perf-tools

------------------------------------------
Candidate: CAN-1999-0513
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: CF
Reference: CERT:CA-98.01.smurf
Reference: FreeBSD:FreeBSD-SA-98:06
Reference: XF:smurf

ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.

ACCEPT.