RE: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
-----Original Message-----
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Tuesday, July 20, 1999 11:33 PM
To: cve-editorial-board-list@lists.mitre.org
Subject: PROPOSAL: Cluster 20 - DESIGN (27 candidates)

This cluster includes candidates with inherent design flaws, either for protocols or applications. It touches on a number of important and potentially controversial issues. There may be a lot more REJECT votes than we've seen for previous candidates. While considering these issues, recall that the definition of "CVE vulnerability" is specifically intended to be very broad so that the CVE can accommodate very diverse perspectives of what a "vulnerability" is.

Some candidates are related to weak encryption. The question becomes, is this sort of design problem alone sufficient for inclusion in the CVE? When we say "weak," what do we really mean by that? Any encryption algorithm is theoretically weak to a brute force attack. So how "weak" must something be to merit inclusion in the CVE? An issue related to weak encryption is the storage or transmission of passwords in the clear. While I haven't defined one, perhaps there should be a content decision that says "Any design choice which can be overcome by a brute force method that is easily achievable within [X amount of time] using commonly available technology, is a vulnerability."

Other candidates involve weak authentication, e.g. rexec or rexd. How "weak" must the authentication be to merit inclusion in the CVE?

There are other candidates that have to do with design choices which are helpful for information gathering. Information gathering satisfies the detailed description of a CVE vulnerability, i.e. a state that "(6) allows an entity to obtain information that increases the likelihood for exploiting other vulnerabilities." Finger (CAN-1999-0612) is a good example for discussion here. Its very function is to tell someone who the active users on a system are. Is that a design flaw? Not the way you'd normally think of "design flaw." It works exactly as it's supposed to. However, its design is in violation of the above "information gathering" portion of the CVE vulnerability definition. A further question arises here... How much information is sufficient for "information gathering" activities?

CAN-1999-0655 may appear to be too high level for most Board members. However, not only is it High Cardinality, we also can't enumerate all the possible instances. Thus the CVE content decisions dictate that it remain at this level.

Finally, note the categories of these candidates. Many of them have an SF (Software Flaw) or SA (Service/Application presence) category, yet neither category really fits. This is an example of some of the ambiguity and lack of mutual exhaustiveness of the category in the CVE, which is a problem that the taxonomists always deal with. The category cannot be completely removed, since it guides the CVE content decisions, but we must make sure that it is appropriate for guiding content decisions. But we shouldn't refine the CVE category too much and encounter the problems related to full-blown taxonomies, including the problem of community-wide acceptance. Considering this particular cluster, and the different content decisions that may arise related to design problems, should we define a new category to handle these types of problems? Note that this is the only additional category that I believe we could add.

- Steve

Summary of votes to use (in ascending order of "severity"):

ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g. reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

=================================
Candidate: CAN-1999-0074
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:seqport

Listening TCP ports are sequentially allocated, allowing spoofing attacks.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0077
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF

TCP sequence prediction

VOTE: RECAST
"Predictable TCP sequence numbers allow spoofing" - is how I would phrase this.

=================================
Candidate: CAN-1999-0103
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.01.UDP_service_denial
Reference: XF:chargen-patch

Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0111
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF

RIP v1 is susceptible to spoofing.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0116
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.21.tcp_syn.flooding
Reference: SGI:19961202-01-PX
Reference: SUN:00136

SYN flood denial of service attack

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0168
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:nfs-portmap

The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0181
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:walld

The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0184
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:dns-updates

When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0214
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF

Denial of service by sending forged ICMP unreachable packets.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0351
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: INFOWAR:01

FTP PASV "Pizza Thief" denial of service and unauthorized data access. Attackers can steal data by connecting to a port that was intended for use by a client.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0352
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-passwd-encrypt

ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.

VOTE: NOOP

=================================
Candidate: CAN-1999-0356
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-bookfile-access

ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.

VOTE: NOOP

=================================
Candidate: CAN-1999-0377
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb22,1999

Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services.

VOTE: ACCEPT
Have we done the one about max connections to inetd over a finite time frame?

=================================
Candidate: CAN-1999-0414
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: NAI: Linux Blind TCP Spoofing

In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0470
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:netware-remotenlm-passwords
Reference: BUGTRAQ:Apr9,1999

A weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0476
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:sco-termvision-password

A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user.

VOTE: NOOP

=================================
Candidate: CAN-1999-0612
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The finger service is running.

VOTE: REJECT

=================================
Candidate: CAN-1999-0613
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The rpc.sprayd service is running.

VOTE: REJECT

=================================
Candidate: CAN-1999-0618
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The rexec service is running.

VOTE: REJECT

=================================
Candidate: CAN-1999-0624
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The rstat/rstatd service is running.

VOTE: REJECT

=================================
Candidate: CAN-1999-0625
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The rpc.rquotad service is running.

VOTE: REJECT

=================================
Candidate: CAN-1999-0626
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The rusers/rusersd service is running.

VOTE: REJECT

=================================
Candidate: CAN-1999-0627
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The rexd service is running.

VOTE: REJECT

=================================
Candidate: CAN-1999-0628
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The rwho/rwhod service is running.

VOTE: REJECT

=================================
Candidate: CAN-1999-0629
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The ident/identd service is running.

VOTE: REJECT

=================================
Candidate: CAN-1999-0647
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The bootparam (bootparamd) service is running.

VOTE: REJECT

=================================
Candidate: CAN-1999-0655
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

A service may include useful information in its banner or help function (such as the name and version), making it useful for information gathering activities.

VOTE: ACCEPT
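Added example, not part of this thread and not code from MITRE or any list member: a small Python audit of how predictable an allocator's outputs are, which is the property behind CAN-1999-0074 (sequential port allocation) and CAN-1999-0077 (TCP sequence prediction), together with a helper that turns the estimated guess space into the brute-force time that the proposed "achievable within [X amount of time]" content decision would ask about. The sample values are constructed, not captured from any system; the 16-bit weakness threshold and the 1000 guesses/second rate are assumptions to be tuned to the budget you accept.

```python
"""Predictability audit for TCP allocator outputs (added example).

Given values sampled from a stack under test (the initial sequence
numbers of successive connections, or the local ports it chose for
successive sockets), estimate how many bits an observer would still
have to guess to hit the next value. A fully determined next value
is the property behind sequential port allocation and TCP sequence
prediction. All sample data below is constructed, not captured.
"""
import math

# Constructed samples (not captured traffic).
SEQUENTIAL_PORTS = [1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032]
# Fixed increment per connection (constructed numbers, not a measurement
# of any particular system).
INCREMENTING_ISNS = [1048576 + 128000 * i for i in range(8)]
# Increment with a little jitter: still a small guess space.
JITTERED_ISNS = [500000, 564000, 628037, 692027, 756039, 820139, 884089, 948109]
# Values chosen to look unrelated (constructed, not from a real RNG).
RANDOMISH_ISNS = [0x1A2B3C4D, 0x9F8E7D6C, 0x0BADF00D, 0x7777ABCD,
                  0x3C3C3C3C, 0xDEADBE00, 0x00FF00FF, 0x5A5A1234]

WEAK_BITS = 16  # assumed threshold; tune to the brute-force budget you accept


def deltas(values, modulus=2 ** 32):
    """Successive differences, reduced modulo the counter width."""
    return [(b - a) % modulus for a, b in zip(values, values[1:])]


def guess_space_bits(values, modulus=2 ** 32):
    """Rough bits of uncertainty in the next value given the history.

    A constant difference means the next value is fully determined
    (0 bits). Otherwise the spread of the differences bounds how many
    candidates an observer who knows the last value must try.
    """
    if len(values) < 3:
        raise ValueError("need at least three samples")
    d = deltas(values, modulus)
    if len(set(d)) == 1:
        return 0.0
    spread = max(d) - min(d) + 1
    return min(math.log2(spread), math.log2(modulus))


def classify(values, modulus=2 ** 32, weak_bits=WEAK_BITS):
    """'sequential' (fully predictable), 'weak' (small guess space) or 'ok'."""
    bits = guess_space_bits(values, modulus)
    if bits == 0.0:
        return "sequential"
    if bits < weak_bits:
        return "weak"
    return "ok"


def exhaust_time_seconds(bits, guesses_per_second):
    """Time to try every candidate at the given rate (brute-force budget)."""
    return 2 ** bits / guesses_per_second


def audit_report(guesses_per_second=1000.0):
    """Run every constructed sample through the audit; returns a dict
    of name -> (verdict, bits, seconds to exhaust the guess space)."""
    samples = {
        "ports": (SEQUENTIAL_PORTS, 2 ** 16),
        "incrementing ISNs": (INCREMENTING_ISNS, 2 ** 32),
        "jittered ISNs": (JITTERED_ISNS, 2 ** 32),
        "randomish ISNs": (RANDOMISH_ISNS, 2 ** 32),
    }
    report = {}
    for name, (values, modulus) in samples.items():
        bits = guess_space_bits(values, modulus)
        report[name] = (classify(values, modulus), bits,
                        exhaust_time_seconds(bits, guesses_per_second))
    return report


if __name__ == "__main__":
    for name, (verdict, bits, seconds) in audit_report().items():
        print(f"{name:18s} {verdict:10s} {bits:5.1f} bits  "
              f"~{seconds:.3g} s to exhaust at 1000 guesses/s")
```

The spread-of-differences estimate is deliberately crude: it catches the two failure modes the candidates describe (a constant step, or a step with little jitter) and gives an upper bound on the remaining guess space, but a sample that passes it has not been shown to be random. Feed it a few dozen values from your own stack, and treat a "sequential" or "weak" verdict as a configuration or kernel-version issue to fix rather than as a measurement of anything else on the network.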