Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
=================================
Candidate: CAN-1999-0074
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:seqport

Listening TCP ports are sequentially allocated, allowing spoofing attacks.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0077
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF

TCP sequence prediction

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0103
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.01.UDP_service_denial
Reference: XF:chargen-patch

Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0111
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF

RIP v1 is susceptible to spoofing

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0116
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.21.tcp_syn.flooding
Reference: SGI:19961202-01-PX
Reference: SUN:00136

SYN flood denial of service attack

VOTE: MODIFY

We sort of explain most vulnerabilities, at least to a minimum degree. To remain consistent, we should have some detail of this one too. Something like -

A destination system that fails to receive an ACK signal, after replying to a SYN packet with a SYN/ACK packet, has reserved memory for the TCP connection state until the connection times out. Multiple rapid occurrences of these initial SYN packets that remain unacknowledged will result in a denial of service when the maximum number of TCP connections has been reached (SYN Flood).

=================================
Candidate: CAN-1999-0168
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:nfs-portmap

The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0181
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:walld

The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0184
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:dns-updates

When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0214
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF

Denial of service by sending forged ICMP unreachable packets.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0351
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: INFOWAR:01

FTP PASV "Pizza Thief" denial of service and unauthorized data access. Attackers can steal data by connecting to a port that was intended for use by a client.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0352
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-passwd-encrypt

ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0356
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-bookfile-access

ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0377
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb22,1999

Process table attack in Unix systems allows a remote attacker to perform a denial of service by filling a machine's process tables through multiple connections to network services.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0414
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: NAI: Linux Blind TCP Spoofing

In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0470
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:netware-remotenlm-passwords
Reference: BUGTRAQ:Apr9,1999

A weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0476
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:sco-termvision-password

A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0612
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The finger service is running.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0613
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The rpc.sprayd service is running.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0618
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The rexec service is running.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0624
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The rstat/rstatd service is running.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0625
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The rpc.rquotad service is running.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0626
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The rusers/rusersd service is running.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0627
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The rexd service is running.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0628
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The rwho/rwhod service is running.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0629
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The ident/identd service is running.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0647
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

The bootparam (bootparamd) service is running.

VOTE: ACCEPT

=================================
Candidate: CAN-1999-0655
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA

A service may include useful information in its banner or help function (such as the name and version), making it useful for information gathering activities.

VOTE: ACCEPT

=================================

------------------------------------------------------------
David W. Baker                 INFOSEC Engineer
bakerd@mitre.org               G023 - Secure Information Technology
(703) 883-3658                 The MITRE Corporation
(703) 883-1397 FAX             1820 Dolley Madison Blvd, Mailstop W422
McLean, VA, 22102
------------------------------------------------------------