[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PROPOSAL: Cluster 24 - FINGER (6 candidates)



The following votes and comments are from Steve Northcutt, who points
out that we haven't clearly defined what finger "should" do, thus it's
not clear whether some of these candidates should be considered
vulnerabilities.

In my opinion, if some finger application offers some sort of access
control, or a capability which limits what kinds of data can be
presented, then when a bug in that application *fails* to restrict
that information, then it's a CVE vulnerability as a result of the
second bullet of the definition:

>  - (2) allows an entity to read or modify data belonging to another
>    entity, when it is contrary to the specified access restrictions
>    for that data


- Steve




>From Stephen.Northcutt@bmdo.osd.mil  Tue Jul 27 08:11:19 1999
Message-ID: <A0CCBD88DC7ED1118BBD00005A4441D403C1B091@hqbmdofs01.bmdo.osd.mil>
From: "Northcutt, Stephen, CIV, BMDO/DSC" <Stephen.Northcutt@bmdo.osd.mil>
To: "'Steven M. Christey'" <coley@linus.mitre.org>
Subject: RE: PROPOSAL: Cluster 24 - FINGER (6 candidates)
Date: Tue, 27 Jul 1999 08:11:45 -0400
Content-Type: text/plain;
	charset="iso-8859-1"

Steven, note I only responded to you, your choice whether to
push forward.  You argue that if finger releases more information
than it should  ... but we don't define what it should, not
is it clear to me, we should be making that call.

-----Original Message-----
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Monday, July 26, 1999 8:42 PM
To: cve-editorial-board-list@lists.mitre.org
Subject: PROPOSAL: Cluster 24 - FINGER (6 candidates)


The following candidates all deal with bugs in the finger service.  If
running finger is not a vulnerability, what if finger has a bug?  If
the bug causes a denial of service or other problem outside the scope
of finger itself, then that's a CVE vulnerability based on other
portions of the definition.

But what if the bug just releases more user information than it should
have?  In this case, I argue that these are vulnerabilities, since the
finger application in question does *not* work as intended.

- Steve



Summary of votes to use (in ascending order of "severity"):

ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g.
reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ".  If you
want to add comments or details, add them to lines after the VOTE: line.


=================================
Candidate: CAN-1999-0105
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

finger allows recursive searches by using a long string of @ symbols.

VOTE:REJECT

=================================
Candidate: CAN-1999-0106
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

Finger redirection allows finger bombs.

VOTE:ACCEPT

=================================
Candidate: CAN-1999-0197
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

finger 0@host on some systems may print information on some user accounts.

VOTE:REJECT

=================================
Candidate: CAN-1999-0198
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

finger .@host on some systems may print information on some user accounts.

VOTE:REJECT

=================================
Candidate: CAN-1999-0259
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF

cfingerd lists all users on a system via search.**@target.

VOTE:NOOP

=================================
Candidate: CAN-1999-0492
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr23,1999

The ffingerd 1.19 allows remote attackers to identify users on the
target system based on its responses.

VOTE:ACCEPT

 
Page Last Updated: May 22, 2007