|
|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] INTERIM DECISION: ACCEPT 10 VEN-ROUTER candidates (Final 7/12)
I have made an Interim Decision to ACCEPT all the candidates from this cluster. A Final Decision is scheduled for July 12. Observe CAN-1999-0060 which could be affected by the Same Codebase content decision. It identifies two different series of Ascend routers, which to me is sufficient information to indicate that they probably share the same codebase, and thus should not be split. If you object to this decision and have evidence that they are not the same codebase, please speak up. References were added as noted. I have removed myself from all votes in the cases where I propose the candidates. However, I reserve the right to change my mind and continue to MODIFY, REJECT, or REVIEW my candidates where appropriate. ;-) - Steve Least controversial candidates are listed first. Voters: Frech ACCEPT(3) MODIFY(7) Hill ACCEPT(10) Northcutt ACCEPT(10) ************************* ACCEPT ************************* ================================= Candidate: CAN-1999-0060 Published: Final-Decision: Interim-Decision: 19990712 Modified: Announced: 19990617 Assigned: 19990607 Category: SF Reference: NAI:NAI-26 Reference: XF:ascend-config-kill Reference: ASCEND:http://www.ascend.com/2695.html Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool. VOTES: ACCEPT(3) Northcutt, Hill, Frech ================================= Candidate: CAN-1999-0160 Published: Final-Decision: Interim-Decision: 19990712 Modified: Announced: 19990617 Assigned: 19990607 Category: SF Reference: CISCO:http://www.cisco.com/warp/public/770/chapvuln-pub.shtml Reference: XF:cisco-chap Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections. VOTES: ACCEPT(3) Northcutt, Hill, Frech ================================= Candidate: CAN-1999-0161 Published: Final-Decision: Interim-Decision: 19990712 Modified: Announced: 19990617 Assigned: 19990607 Category: SF Reference: CISCO:http://www.cisco.com/warp/public/707/1.html Reference: XF:cisco-acl-tacacs In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering. VOTES: ACCEPT(3) Northcutt, Hill, Frech ************************* MODIFY ************************* ================================= Candidate: CAN-1999-0157 Published: Final-Decision: Interim-Decision: 19990712 Modified: 19990712-01 Announced: 19990617 Assigned: 19990607 Category: SF Reference: CISCO:http://www.cisco.com/warp/public/770/nifrag.shtml Reference: XF:cisco-fragmented-attacks Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service. Modifications: ADDREF XF:cisco-fragmented-attacks VOTES: ACCEPT(2) Northcutt, Hill MODIFY(1) Frech COMMENTS: Frech> Reference: XF:cisco-fragmented-attacks ================================= Candidate: CAN-1999-0158 Published: Final-Decision: Interim-Decision: 19990712 Modified: 19990712-01 Announced: 19990617 Assigned: 19990607 Category: SF Reference: CISCO:http://www.cisco.com/warp/public/770/pixmgrfile-pub.shtml Reference: XF:cisco-pix-file-exposure Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known. Modifications: ADDREF Reference: XF:cisco-pix-file-exposure VOTES: ACCEPT(2) Northcutt, Hill MODIFY(1) Frech COMMENTS: Frech> Reference: XF:cisco-pix-file-exposure ================================= Candidate: CAN-1999-0159 Published: Final-Decision: Interim-Decision: 19990712 Modified: 19990712-01 Announced: 19990617 Assigned: 19990607 Category: SF Reference: CISCO:http://www.cisco.com/warp/public/770/ioslogin-pub.shtml Reference: XF:cisco-ios-crash Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases. Modifications: ADDREF Reference: XF:cisco-ios-crash VOTES: ACCEPT(2) Northcutt, Hill MODIFY(1) Frech COMMENTS: Frech> Reference: XF:cisco-ios-crash ================================= Candidate: CAN-1999-0162 Published: Final-Decision: Interim-Decision: 19990712 Modified: 19990712-01 Announced: 19990617 Assigned: 19990607 Category: SF Reference: CISCO:http://www.cisco.com/warp/public/707/2.html Reference: XF:cisco-acl-established The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering. Modifications: ADDREF XF:cisco-acl-established VOTES: ACCEPT(2) Northcutt, Hill MODIFY(1) Frech COMMENTS: Frech> Reference: XF:cisco-acl-established ================================= Candidate: CAN-1999-0293 Published: Final-Decision: Interim-Decision: 19990712 Modified: 19990712-01 Announced: 19990617 Assigned: 19990607 Category: SF Reference: CISCO:http://www.cisco.com/warp/public/770/aaapair-pub.shtml Reference: XF:cisco-ios-aaa-auth AAA authentication on Cisco systems allows attackers to execute commands without authorization. Modifications: ADDREF XF:cisco-ios-aaa-auth VOTES: ACCEPT(2) Northcutt, Hill MODIFY(1) Frech COMMENTS: Frech> Reference: XF:cisco-ios-aaa-auth ================================= Candidate: CAN-1999-0430 Published: Final-Decision: Interim-Decision: 19990712 Modified: 19990712-01 Announced: 19990617 Assigned: 19990607 Category: SF Reference: ISS:Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches Reference: CISCO:Cisco Catalyst Supervisor Remote Reload Reference: XF:cisco-catalyst-crash Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload. Modifications: ADDREF XF:cisco-catalyst-crash CHANGEREF CISCO:Cisco Catalyst Supervisor Remote Reload http://www.cisco.com/warp/public/770/cat7161-pub.shtml VOTES: ACCEPT(2) Northcutt, Hill MODIFY(1) Frech COMMENTS: Frech> Reference: XF:cisco-catalyst-crash Frech> CISCO reference should be Frech> http://www.cisco.com/warp/public/770/cat7161-pub.shtml ================================= Candidate: CAN-1999-0445 Published: Final-Decision: Interim-Decision: 19990712 Modified: 19990712-01 Announced: 19990617 Assigned: 19990607 Category: SF Reference: CISCO:Cisco IOS(R) Software Input Access List Leakage with NAT Reference: XF:cisco-natacl-leakage In Cisco routers under some versions of IOS 12.0 running NAT, some packets may not be filtered by input access list filters. Modifications: ADDREF XF:cisco-natacl-leakage CHANGEREF CISCO:Cisco IOS(R) Software Input Access List Leakage with NAT http://www.cisco.com/warp/public/770/iosnatacl-pub.shtml VOTES: ACCEPT(2) Northcutt, Hill MODIFY(1) Frech COMMENTS: Frech> Reference: XF:cisco-natacl-leakage Frech> CISCO reference should be Frech> http://www.cisco.com/warp/public/770/iosnatacl-pub.shtml
|
||||
