RE: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
Craig Ozancin said:

>=================================
>Candidate: CAN-1999-0352
>Published:
>Final-Decision:
>Interim-Decision:
>Modified:
>Announced: 19990721
>Assigned: 19990607
>Category: SF
>Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely
>Possible/32) enterprise management software
>Reference: XF:controlit-passwd-encrypt
>
>ControlIT 4.5 and earlier (aka Remotely Possible) has weak password
>encryption.
>
>VOTE: Recast
>
>Can we combine this with CAN-1999-0356 - ControlIT(tm) 4.5 and earlier uses
>weak encryption.
>
>=================================
>Candidate: CAN-1999-0356
>Published:
>Final-Decision:
>Interim-Decision:
>Modified:
>Announced: 19990721
>Assigned: 19990607
>Category: SF
>Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely
>Possible/32) enterprise management software
>Reference: XF:controlit-bookfile-access
>
>ControlIT v4.5 and earlier uses weak encryption to store
>usernames and passwords in an address book.
>
>VOTE: Recast
>

Assuming the CVE vulnerability definition isn't adapted to exclude these candidates in the first place, I agree that these should be merged. According to the ISS advisory, the same encryption strategy is used in both cases; it's the encryption algorithm that's the vulnerability, not the fact that it's used in a number of different functional areas. I consider this situation to be equivalent to a bug in a library or DLL - the vulnerability is in the library, not in all the different executables that use it.

- Steve