VOTE SUMMARY: active candidates in CERT and VEN-* clusters
The following candidates have not yet reached the Final Decision phase.
They are from the CERT and VEN-* clusters. A short voting summary is
provided, along with voters' comments for each candidate. Some of these
candidates may be examined more closely during the CVE Review meetings.

Many of these touch on content issues that we've discussed recently,
especially the Same Codebase. Such candidates will remain in the Proposal
phase until we can cleanly address the issue of what constitutes "same
codebase" and what to do if we can't be certain. Others would require a
significant change to the description, or even a RECAST.

- Steve

=================================
Candidate: CAN-1999-0004
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175
Reference: MS:MS98-008

MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.

Modifications:
  ADDREF MS:MS98-008
  DESC include Outlook

VOTES:
  ACCEPT(2) Northcutt, Landfield
  MODIFY(1) Frech
  REVIEWING(1) Shostack

COMMENTS:
 Frech> Extremely minor, but I believe e-mail is the correct term. (If you
 Frech> reject this suggestion, I will not be devastated.) :-)

=================================
Candidate: CAN-1999-0005
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.09.imapd
Reference: XF:imap-authenticate-bo
Reference: SUN:00177

Arbitrary command execution via IMAP buffer overflow, as in
CERT:CA-98.09.imapd.

VOTES:
  ACCEPT(4) Hill, Shostack, Frech, Wall
  MODIFY(1) Christey
  REVIEWING(1) Northcutt

COMMENTS:
 Northcutt> there are multiple similar exploits which may imply
 Northcutt> multiple vulnerabilities
 Christey> It's difficult to distinguish between this vulnerability and another
 Christey> IMAP vulnerability via just the textual description. (The other
 Christey> vulnerability is CVE-00042, not yet proposed as a candidate for some
 Christey> odd reason). I had to reference the different CERT advisories to
 Christey> distinguish between this candidate and CVE-00042. The X-Force
 Christey> database says that "[the CVE-00042 vulnerability is in] the IMAP
 Christey> LOGIN command whereas [CAN-1999-0005] affects the IMAP AUTHENTICATE
 Christey> command." I propose modifying the description to say something to
 Christey> this effect, though the typical analyst may still need to rely on
 Christey> the references.

=================================
Candidate: CAN-1999-0014
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.02.CDE
Reference: SUN:00185

Unauthorized privileged access or denial of service via dtappgather
program in CDE.

VOTES:
  ACCEPT(2) Hill, Wall
  MODIFY(1) Frech
  NOOP(1) Northcutt
  REJECT(1) Shostack

COMMENTS:
 Shostack> we have insufficient data if a new CDE dtappgather bug
 Shostack> comes out to determine if it's new or a re-invention.
 Frech> Reference: XF:cde-dtappgather

=================================
Candidate: CAN-1999-0017
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.27.FTP_bounce
Reference: XF:ftp-bounce
Reference: XF:ftp-privileged-port

FTP bounce attack to connect to arbitrary ports on machines other than
the FTP client.

VOTES:
  ACCEPT(3) Hill, Frech, Wall
  MODIFY(1) Northcutt
  NOOP(1) Shostack
  REVIEWING(1) Christey

COMMENTS:
 Northcutt> the primary vulnerability is in some FTP server implementations
 Northcutt> that allow this as opposed to the actual connecting to the ports
 Christey> I think Steve Northcutt makes a good point. The description needs
 Christey> to be modified.

=================================
Candidate: CAN-1999-0018
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.26.statd
Reference: XF:statd
Reference: AUSCERT:AA-97.29

Buffer overflow in statd allows root privileges.

Modifications:
  DESC remove CERT advisory from text

VOTES:
  ACCEPT(4) Frech, Shostack, Northcutt, Landfield

=================================
Candidate: CAN-1999-0032
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.19.bsdlp
Reference: AUSCERT:AA-96.12
Reference: XF:bsd-lprbo2
Reference: CIAC:I-042
Reference: SGI:19980402-01-PX

Command execution in BSD-based lpr package (lp) due to buffer overflow.

VOTES:
  ACCEPT(3) Northcutt, Hill, Wall
  MODIFY(2) Shostack, Frech

COMMENTS:
 Shostack> the mention of (lp) is misleading. The problem was with
 Shostack> the BSD lpr family, not the SYSV lp family.
 Frech> References: XF:bsd-lprbo
 Frech> References: XF:lpr-bo

=================================
Candidate: CAN-1999-0033
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo

Command execution in Sun systems via buffer overflow in the at program

VOTES:
  ACCEPT(4) Northcutt, Hill, Shostack, Wall
  RECAST(1) Frech

COMMENTS:
 Frech> This vulnerability also manifests itself for the following
 Frech> platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light,
 Frech> please add the following:
 Frech> Reference: XF:at-bo

=================================
Candidate: CAN-1999-0035
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:ftp-ftpd
Reference: CERT:CA-97.16.ftpd
Reference: AUSCERT:AA-97.03

Race condition in signal handling routine in ftpd, allowing read/write
arbitrary files.

Modifications:
  ADDREF XF:ftp-ftpd

VOTES:
  ACCEPT(4) Frech, Shostack, Northcutt, Landfield

=================================
Candidate: CAN-1999-0046
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.06.rlogin-term
Reference: XF:rlogin-termbo

Buffer overflow of rlogin program using TERM environmental variable

Modifications:
  DELREF XF:bsdi-rlogind
  ADDREF XF:rlogin-termbo

VOTES:
  ACCEPT(3) Shostack, Northcutt, Landfield
  MODIFY(1) Frech

COMMENTS:
 Frech> Every sentence is followed by a period (unless you are a criminal,
 Frech> and then it follows with an appeal.)

=================================
Candidate: CAN-1999-0052
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:08

IP fragmentation denial of service in FreeBSD

VOTES:
  MODIFY(2) Northcutt, Shostack
  NOOP(1) Hill

COMMENTS:
 Northcutt> Do we want to treat each instantiation of common attacks
 Northcutt> separately for each OS? Fragmentation and denial of service is
 Northcutt> not a freebsd specific issue, over the years we have seen:
 Northcutt>
 Northcutt> "Pathological" fragmentation where the second packet moves the
 Northcutt> pointer negative and then we scribble on our stack, this is the
 Northcutt> teardrop approach if I remember the exploit name correctly and
 Northcutt> uses UDP.
 Northcutt>
 Northcutt> We also have the classic memory wasting frag attack where they
 Northcutt> send the first part and never finish, then send a new first
 Northcutt> part and so on.
 Northcutt>
 Northcutt> I think frag attack was in the cisco set, if not it should be;
 Northcutt> there is a nice attack for IOS
 Northcutt>
 Northcutt> Then you have the how_do_you_handles such as Dug Song's
 Northcutt> frag router to evade IDS systems and whatever the heck
 Northcutt> this loki like thing that is all the rage for the last
 Northcutt> 90 days or so.
 Northcutt>
 Northcutt> Recommend: MODIFY 52 so that the text blurb at least hints
 Northcutt> why this is a unique case of mishandling frags OR create
 Northcutt> general frag vulnerabilities.
 Shostack> For denial of service attacks, we should distinguish between
 Shostack> host availability, service, and CPU absorption DOS attacks.

=================================
Candidate: CAN-1999-0053
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:07

TCP RST denial of service in FreeBSD

VOTES:
  ACCEPT(2) Northcutt, Hill
  MODIFY(1) Shostack

COMMENTS:
 Shostack> For denial of service attacks, we should distinguish between
 Shostack> host availability, service, and CPU absorption DOS attacks.

=================================
Candidate: CAN-1999-0055
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00172
Reference: RSI:RSI.0005.05-14-98.SUN.LIBNSL
Reference: XF:sun-libnsl

Buffer overflows in Sun libnsl allow root access.

VOTES:
  ACCEPT(2) Northcutt, Frech
  MODIFY(1) Prosser

COMMENTS:
 Prosser> This vulnerability also affects other OSes, i.e. AIX 4.3 that have
 Prosser> ported versions of Sun's libnsl.a
 Prosser> ref: IBM AIX RS6000 APAR number IX80543

=================================
Candidate: CAN-1999-0057
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SNI:SNI-19
Reference: XF:vacation
Reference: HP:HPSBUX9811-087

Vacation program allows command execution by remote users through a
sendmail command.

VOTES:
  ACCEPT(2) Frech, Hill
  MODIFY(1) Shostack
  NOOP(1) Northcutt

COMMENTS:
 Shostack> Problem 1: SNI-19 is SNI-19.BSD.lpd.vulnerabilities update
 Shostack> according to http://geek-girl.com/bugtraq/1997_4/0106.html
 Shostack>
 Shostack> Problem 2: Wording is unclear. Is this a vacation problem, a
 Shostack> .vacation problem, or a sendmail problem?

=================================
Candidate: CAN-1999-0065
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00181
Reference: XF:hp-dtmail

Bug in how dtmail handles attachments allows remote attacker to execute
commands with the same privileges as the user who is reading the message.

VOTES:
  ACCEPT(2) Northcutt, Frech
  MODIFY(1) Prosser

COMMENTS:
 Prosser> This is a multiple buffer overflow vulnerability in Sun's CDE in
 Prosser> how dtmail handles attachments.

=================================
Candidate: CAN-1999-0067
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.06.cgi_example_code
Reference: XF:http-cgi-phf

CGI phf program allows remote command execution

VOTES:
  ACCEPT(4) Hill, Shostack, Frech, Wall
  MODIFY(2) Northcutt, Christey

COMMENTS:
 Northcutt> this is not about phf it is about escape_shell_cmd(),
 Northcutt> you had the same thing with php and so forth.
 Christey> I agree with Adam that "shell metacharacters" is too high a level
 Christey> of abstraction. I believe that phf and php and the others should be
 Christey> distinguished. However, it might be better to change the
 Christey> description to say "CGI phf program allows remote command
 Christey> execution via shell metacharacters."

=================================
Candidate: CAN-1999-0078
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or
execute arbitrary commands through arguments in the RPC call.

Modifications:
  DELREF XF:nfs-pcnfsd

VOTES:
  ACCEPT(4) Frech, Shostack, Northcutt, Landfield
  RECAST(1) Christey

COMMENTS:
 Christey> This candidate should be SPLIT, since there are two separate
 Christey> software flaws. One is a symlink race and the other is a
 Christey> shell metacharacter problem.

=================================
Candidate: CAN-1999-0086
Published:
Final-Decision:
Interim-Decision: 19990630
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: XF:ibm-routed

AIX routed allows remote users to modify sensitive files.

Modifications:
  ADDREF XF:ibm-routed

VOTES:
  ACCEPT(2) Shostack, Northcutt
  MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> Reference: XF:ibm-routed
 Prosser> This vulnerability allows debug mode to be turned on which is
 Prosser> the problem. Should this be more specific in the description? This
 Prosser> one also affects SGI OSes, ref SGI Security Advisory 19981004-PX
 Prosser> which is in the SGI cluster, shouldn't these be cross-referenced as
 Prosser> the same vuln affects multiple OSes.

=================================
Candidate: CAN-1999-0088
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1998:004.1

IRIX and AIX automountd services (autofsd) allow remote users to execute
root commands.

VOTES:
  ACCEPT(2) Shostack, Northcutt
  MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> ERS (and other references, BTW) explicitly stipulate 'local and
 Frech> remote'.
 Frech> Reference: XF:irix-autofsd
 Prosser> Include the SGI Alert as well since it is mentioned in the
 Prosser> description.
 Prosser> SGI Security Advisory 19981005-01-PX

=================================
Candidate: CAN-1999-0089
Published:
Final-Decision:
Interim-Decision: 19990630
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-libDtSvc

Buffer overflow in AIX libDtSvc library can allow local users to gain
root access.

Modifications:
  ADDREF XF:ibm-libDtSvc

VOTES:
  ACCEPT(2) Shostack, Northcutt
  MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> Reference: XF:ibm-libDtSvc
 Prosser> The overflow is in the dtaction utility. Also affects
 Prosser> dtaction in the CDE on versions of SunOS (SUN 164). Probably should
 Prosser> be specific.

=================================
Candidate: CAN-1999-0097
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:009.1

The AIX FTP client can be forced to execute commands from a malicious
server through shell metacharacters, i.e. in files whose name begins with
a pipe character.

VOTES:
  ACCEPT(2) Shostack, Northcutt
  MODIFY(2) Frech, Prosser

COMMENTS:
 Northcutt> Per 97, general issue of mishandling metachars is a lot
 Northcutt> like my comment about CGI-BINs (not just PHF). [Someone]
 Northcutt> recently did a content search for about
 Northcutt> CGI-BIN and /etc/passwd and found about 10 cgi programs
 Northcutt> that someone attempted to exploit... However we resolve the
 Northcutt> CGI-BIN bit, we ought to consider applying the same logic to
 Northcutt> candidates like 97.
 Frech> Reference: XF:ibm-ftp
 Prosser> Concur with Adam's modification

=================================
Candidate: CAN-1999-0099
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.13.syslog.vul
Reference: XF:smtp-syslog

A buffer overflow in the syslog utility allows remote execution through
Sendmail and possibly other mail servers.

Modifications:
  DESC could be through other mailers besides Sendmail

VOTES:
  ACCEPT(3) Frech, Northcutt, Landfield
  MODIFY(1) Shostack

COMMENTS:
 Shostack> Anything that passes bad data to syslog might be used to proxy
 Shostack> this, not just mail servers.

=================================
Candidate: CAN-1999-0121
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00164
Reference: ERS:ERS-SVA-E01-1997:005.1

Buffer overflow in dtaction command gives root access.

VOTES:
  ACCEPT(1) Northcutt
  MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> Reference: XF:dtaction-bo
 Frech> Reference: XF:sun-dtaction
 Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a
 Prosser> library in AIX 4.x, but reference for this Sun vulnerability should
 Prosser> only reflect the Sun Bulletin or the CIAC I-032 version of the Sun
 Prosser> Bulletin

=================================
Candidate: CAN-1999-0128
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:ping-death
Reference: CERT:CA-96.26.ping

Oversized ICMP ping packets can result in a denial of service, aka Ping
o' Death.

Modifications:
  ADDREF XF:ping-death
  COMMENT Andre's other suggested ref's were for a buffer overflow
  COMMENT in the ping program, which is a different vulnerability.
  DESC slight wording change to identify this as Ping o' Death *only*

VOTES:
  ACCEPT(4) Frech, Shostack, Northcutt, Landfield

=================================
Candidate: CAN-1999-0129
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.25.sendmail_groups

Sendmail allows local users to write to a file and gain group permissions
via a .forward or :include: file.

VOTES:
  ACCEPT(4) Northcutt, Hill, Shostack, Wall
  REVIEWING(1) Frech

COMMENTS:
 Frech> PENDING. NEEDS RESEARCH.

=================================
Candidate: CAN-1999-0132
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:expreserve
Reference: CERT:CA-96.19.expreserve

Expreserve, used in vi and ex, allows local users to overwrite arbitrary
files and gain root access.

Modifications:
  ADDREF XF:expreserve

VOTES:
  ACCEPT(4) Frech, Shostack, Northcutt, Landfield

=================================
Candidate: CAN-1999-0142
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.05.java_applet_security_mgr

Java Applet Security Manager allows an applet to connect to arbitrary
hosts.

VOTES:
  ACCEPT(3) Hill, Shostack, Wall
  MODIFY(1) Frech
  RECAST(1) Northcutt
  REVIEWING(1) Christey

COMMENTS:
 Northcutt> Please note I am not a Java expert, but I think jdk 2.0 and
 Northcutt> so forth do not have a sandbox notion and applets (perhaps trusted
 Northcutt> applets) can connect to arbitrary hosts as a matter of course. You
 Northcutt> might want to contact Li Gong (li.gong@sun.com) or a similar
 Northcutt> expert before issuing this one. NOTE: another reason to consider
 Northcutt> the original date!!!
 Christey> Noting Steve Northcutt's comments, perhaps we would need to modify
 Christey> the description somewhat to distinguish between current Java
 Christey> versions and the one that had this vulnerability. However, the CERT
 Christey> reference associates a general place and time for where this
 Christey> vulnerability arose, so I don't think it's too big of a deal.
 Frech> Reference: XF:http-java-appletsecmgr

=================================
Candidate: CAN-1999-0185
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00156

In Solaris, a remote user could connect from an FTP server's data port to
an rlogin server on a host that trusts the FTP server, allowing remote
command execution.

VOTES:
  ACCEPT(2) Northcutt, Prosser
  MODIFY(1) Frech

COMMENTS:
 Frech> Also reported as vulnerable on SunOS, which is similar, but different.
 Frech> Reference: XF:sun-ftpd/logind

=================================
Candidate: CAN-1999-0190
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00167

Solaris rpcbind can be exploited to overwrite arbitrary files and gain
root access.

VOTES:
  ACCEPT(1) Northcutt
  MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> Reference: XF:sun-rpcbind
 Prosser> The way rpcbind handles indirect calls is vulnerable in this
 Prosser> advisory. As there are lots of rpcbind problems, maybe should be
 Prosser> more specific?

=================================
Candidate: CAN-1999-0207
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:majordomo-exe
Reference: CERT:CA-94.11.majordomo.vulnerabilities

Remote attacker can execute commands through Majordomo using the Reply-To
field and a "lists" command.

VOTES:
  ACCEPT(4) Northcutt, Hill, Shostack, Wall
  REVIEWING(1) Frech

COMMENTS:
 Frech> PENDING. NEEDS RESEARCH.

=================================
Candidate: CAN-1999-0208
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:rpc-update
Reference: CERT:CA-95.17.rpc.ypupdated.vul

rpc.ypupdated (NIS) allowed remote users to execute arbitrary commands.

Modifications:
  ADDREF XF:rpc-update

VOTES:
  ACCEPT(3) Shostack, Northcutt, Landfield
  MODIFY(1) Frech

COMMENTS:
 Frech> "allows remote users..." since this vuln's context pertains to
 Frech> when the service was vulnerable.

=================================
Candidate: CAN-1999-0212
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00168

rpc.mountd in Linux and Solaris would generate error messages that allowed
an attacker to determine what files were on the server.

VOTES:
  ACCEPT(1) Prosser
  MODIFY(2) Northcutt, Frech

COMMENTS:
 Northcutt> I am concerned that Linux is becoming too
 Northcutt> non descript a word, in the past two weeks I have run
 Northcutt> across 3 Linuxes I had never heard of before. I think we need
 Northcutt> to start being specific when we mention Linux either by
 Northcutt> the kernel or vendor or something.
 Frech> Reference: XF:sun-mountd

=================================
Candidate: CAN-1999-0328
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SGI:19971103-01-PX

SGI permissions program allows local users to gain root privileges.

VOTES:
  ACCEPT(1) Northcutt
  MODIFY(2) Shostack, Frech

COMMENTS:
 Shostack> include a path to /usr/bin/permissions to clarify that it is a
 Shostack> program.
 Frech> Reference: XF:sgi-permtool

=================================
Candidate: CAN-1999-0358
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan29,1999
Reference: COMPAQ:SSRT0583U

Digital Unix 4.0 has a buffer overflow in the inc program of the mh
package.

VOTES:
  ACCEPT(3) Shostack, Northcutt, Hill
  MODIFY(2) Prosser, Frech

COMMENTS:
 Prosser> Ref'd SSRT has an 'at' vulnerable as well supposedly fixed by
 Prosser> the patch. Shouldn't this be included as a separate CVE in this
 Prosser> cluster. ref:BugTraq "Digital Unix Buffer Overflows: Exploits" from
 Prosser> Lamont Granquist for both as well.
 Frech> Reference: XF:du-inc

=================================
Candidate: CAN-1999-0370
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00184

In Sun Solaris and SunOS, man and catman contain vulnerabilities that
allow overwriting arbitrary files.

VOTES:
  ACCEPT(2) Northcutt, Prosser
  MODIFY(1) Frech

COMMENTS:
 Frech> Reference: XF:sun-man

=================================
Candidate: CAN-1999-0396
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: NETBSD:1999-001
Reference: OPENBSD:Feb17,1999

A race condition between the select() and accept() calls in NetBSD TCP
servers allows remote attackers to cause a denial of service.

VOTES:
  ACCEPT(2) Northcutt, Hill
  MODIFY(1) Shostack

COMMENTS:
 Shostack> For denial of service attacks, we should distinguish between
 Shostack> host availability, service, and CPU absorption DOS attacks.

=================================
Candidate: CAN-1999-0485
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: OPENBSD:Feb19,1999

Remote attackers can cause a denial of service through ipintr() in ipq in
OpenBSD.

VOTES:
  ACCEPT(2) Northcutt, Hill
  MODIFY(1) Shostack

COMMENTS:
 Shostack> For denial of service attacks, we should distinguish between
 Shostack> host availability, service, and CPU absorption DOS attacks.

=================================
Candidate: CAN-1999-0513
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: CF
Reference: CERT:CA-98.01.smurf
Reference: FreeBSD:FreeBSD-SA-98:06
Reference: XF:smurf

ICMP messages to broadcast addresses are allowed, allowing for a Smurf
attack that can cause a denial of service.

VOTES:
  ACCEPT(4) Hill, Shostack, Frech, Wall
  MODIFY(1) Northcutt
  REVIEWING(1) Christey

COMMENTS:
 Northcutt> If you put it this way then ping mapping becomes part of smurf. I
 Northcutt> would consider calling the vulnerability ICMP to broadcast
 Northcutt> addresses and in the text state allowing for a Smurf denial of
 Northcutt> service or ICMP ping mapping to acquire intelligence data about a
 Northcutt> network.
 Christey> This one is an interesting case. As Steve noted, this configuration
 Christey> problem could allow for ping mapping as well. I think the
 Christey> distinction is that for Smurf, there's a forged source IP address,
 Christey> and that's generally not the case when you're doing ping mapping.
 Christey> So do we have a single vulnerability (ICMP to broadcast) with 2
 Christey> separate implications? Or, do we have two separate vulnerabilities,
 Christey> where one accounts for the "design flaw" of spoofed IP addresses
 Christey> and another one is a vulnerability because it allows information
 Christey> gathering?

=================================
Candidate: CAN-1999-0551
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: CF
Reference: HP:HPSBUX9804-078
Reference: XF:hp-openmail

HP OpenMail can be misconfigured to allow users to run arbitrary commands
using malicious print requests.

VOTES:
  ACCEPT(2) Frech, Hill
  NOOP(1) Northcutt
  REVIEWING(1) Shostack

COMMENTS:
 Shostack> Question: Is this run arbitrary commands as root...?