FINAL DECISION: ACCEPT 47 various candidates
I have made a Final Decision to ACCEPT the following candidates. These candidates are now assigned CVE names as noted below. Voting details and comments are provided afterwards.

The CVE names for candidates that reach Final Decision should be regarded as stable. In the case of these and all other candidates that reach Final Decision during this validation period, accepted candidates won't reach Publication phase until the CVE goes fully public. The only difference between Publication and Final Decision is that the CVE name is officially "announced" by MITRE during Publication.

- Steve

Candidate        CVE Name
---------        ----------
CAN-1999-0018    CVE-1999-0018
CAN-1999-0032    CVE-1999-0032
CAN-1999-0046    CVE-1999-0046
CAN-1999-0062    CVE-1999-0062
CAN-1999-0067    CVE-1999-0067
CAN-1999-0081    CVE-1999-0081
CAN-1999-0082    CVE-1999-0082
CAN-1999-0083    CVE-1999-0083
CAN-1999-0097    CVE-1999-0097
CAN-1999-0099    CVE-1999-0099
CAN-1999-0120    CVE-1999-0120
CAN-1999-0128    CVE-1999-0128
CAN-1999-0132    CVE-1999-0132
CAN-1999-0185    CVE-1999-0185
CAN-1999-0190    CVE-1999-0190
CAN-1999-0208    CVE-1999-0208
CAN-1999-0228    CVE-1999-0228
CAN-1999-0252    CVE-1999-0252
CAN-1999-0294    CVE-1999-0294
CAN-1999-0295    CVE-1999-0295
CAN-1999-0303    CVE-1999-0303
CAN-1999-0305    CVE-1999-0305
CAN-1999-0308    CVE-1999-0308
CAN-1999-0310    CVE-1999-0310
CAN-1999-0311    CVE-1999-0311
CAN-1999-0312    CVE-1999-0312
CAN-1999-0313    CVE-1999-0313
CAN-1999-0314    CVE-1999-0314
CAN-1999-0316    CVE-1999-0316
CAN-1999-0324    CVE-1999-0324
CAN-1999-0325    CVE-1999-0325
CAN-1999-0328    CVE-1999-0328
CAN-1999-0332    CVE-1999-0332
CAN-1999-0340    CVE-1999-0340
CAN-1999-0341    CVE-1999-0341
CAN-1999-0342    CVE-1999-0342
CAN-1999-0344    CVE-1999-0344
CAN-1999-0357    CVE-1999-0357
CAN-1999-0374    CVE-1999-0374
CAN-1999-0396    CVE-1999-0396
CAN-1999-0468    CVE-1999-0468
CAN-1999-0471    CVE-1999-0471
CAN-1999-0472    CVE-1999-0472
CAN-1999-0473    CVE-1999-0473
CAN-1999-0474    CVE-1999-0474
CAN-1999-0475    CVE-1999-0475
CAN-1999-0485    CVE-1999-0485

=================================
Candidate: CAN-1999-0018
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.26.statd
Reference: XF:statd
Reference: AUSCERT:AA-97.29

Buffer overflow in statd allows root privileges.

Modifications:
  DESC remove CERT advisory from text

VOTES:
  ACCEPT(4) Frech, Shostack, Northcutt, Landfield

=================================
Candidate: CAN-1999-0032
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.19.bsdlp
Reference: AUSCERT:AA-96.12
Reference: CIAC:I-042
Reference: SGI:19980402-01-PX
Reference: XF:bsd-lprbo2
Reference: XF:bsd-lprbo
Reference: XF:lpr-bo

Buffer overflow in BSD-based lpr package allows local users to gain root privileges.

Modifications:
  DESC remove lp, reword
  ADDREF XF:bsd-lprbo
  ADDREF XF:lpr-bo

VOTES:
  ACCEPT(3) Northcutt, Hill, Wall
  MODIFY(2) Shostack, Frech

COMMENTS:
  Shostack> the mention of (lp) is misleading. The problem was with
  Shostack> the BSD lpr family, not the SYSV lp family.
  Frech> References: XF:bsd-lprbo
  Frech> References: XF:lpr-bo

=================================
Candidate: CAN-1999-0046
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-02
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.06.rlogin-term
Reference: XF:rlogin-termbo

Buffer overflow of rlogin program using TERM environmental variable.

Modifications:
  DELREF XF:bsdi-rlogind
  ADDREF XF:rlogin-termbo
  DESC Add period.

VOTES:
  ACCEPT(3) Shostack, Northcutt, Landfield
  MODIFY(1) Frech

COMMENTS:
  Frech> Every sentence is followed by a period (unless you are a criminal,
  Frech> and then it follows with an appeal.)
=================================
Candidate: CAN-1999-0062
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:openbsd-chpass
Reference: NAI:NAI-28

The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage.

Modifications:
  DESC per Prosser's comments
  ADDREF NAI:NAI-28

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  MODIFY(1) Prosser

COMMENTS:
  Prosser> I believe this is a file leakage problem where the temp
  Prosser> password file can be modified and used to overwrite the original
  Prosser> password file. The reference source for this is a NAI Security
  Prosser> Advisory #28, no longer available from the now defunct old NAI site
  Prosser> but is on Bugtraq
  Prosser> http://netspace.org/cgi-bin/wa?A2=ind9808B&L=bugtraq&P=R455

=================================
Candidate: CAN-1999-0067
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.06.cgi_example_code
Reference: XF:http-cgi-phf

CGI phf program allows remote command execution through shell metacharacters.

Modifications:
  DESC reword slightly

VOTES:
  ACCEPT(4) Hill, Shostack, Frech, Wall
  MODIFY(2) Northcutt, Christey

COMMENTS:
  Northcutt> this is not about phf it is about escape_shell_cmd(),
  Northcutt> you had the same thing with php and so forth.
  Christey> I agree with Adam that "shell metacharacters" is too high a level of
  Christey> abstraction. I believe that phf and php and the others should be
  Christey> distinguished. However, it might be better to change the description
  Christey> to say "CGI phf program allows remote command execution via shell
  Christey> metacharacters."
=================================
Candidate: CAN-1999-0081
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-rnfr

wu-ftp allows files to be overwritten via the rnfr command.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  NOOP(1) Prosser

=================================
Candidate: CAN-1999-0082
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-cwd
Reference: FarmerVenema:Improving the Security of Your Site by Breaking Into it

CWD ~root command in ftpd allows root access.

Modifications:
  DESC reword

VOTES:
  ACCEPT(3) Northcutt, Baker, Frech
  MODIFY(2) Shostack, Prosser

COMMENTS:
  Shostack> 'in ftpD allows root access'
  Prosser> Dan Farmer and Wietse Venema covered this vulnerability as
  Prosser> well in their guide "Improving the Security of Your Site by Breaking
  Prosser> Into it"

=================================
Candidate: CAN-1999-0083
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:cwdleak

getcwd() file descriptor leak in FTP

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  NOOP(1) Prosser

=================================
Candidate: CAN-1999-0097
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:009.1
Reference: XF:ibm-ftp

The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).

Modifications:
  ADDREF XF:ibm-ftp
  DESC slight change

VOTES:
  ACCEPT(2) Shostack, Northcutt
  MODIFY(2) Frech, Prosser

COMMENTS:
  Northcutt> Per 97, general issue of mishandling metachars is a lot
  Northcutt> like my comment about CGI-BINs (not just PHF) [Someone]
  Northcutt> recently did a content search for about
  Northcutt> CGI-BIN and /etc/passwd and found about 10 cgi programs
  Northcutt> that someone attempted to exploit... However we resolve the
  Northcutt> CGI-BIN bit, we ought to consider applying the same logic to
  Northcutt> candidates like 97.
  Frech> Reference: XF:ibm-ftp
  Prosser> Concur with Adam's modification

=================================
Candidate: CAN-1999-0099
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-02
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.13.syslog.vul
Reference: XF:smtp-syslog

Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.

Modifications:
  DESC could be through other mailers besides Sendmail
  DESC applies to syslog period, not just mail servers

VOTES:
  ACCEPT(3) Frech, Northcutt, Landfield
  MODIFY(1) Shostack

COMMENTS:
  Shostack> Anything that passes bad data to syslog might be used to proxy this,
  Shostack> not just mail servers.

=================================
Candidate: CAN-1999-0120
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: CERT:CA-94.06.utmp.vulnerability
Reference: XF:utmp-write

Sun/Solaris utmp file allows local users to gain root access if it is writable by users other than root.

VOTES:
  ACCEPT(5) Northcutt, Shostack, Prosser, Baker, Frech

COMMENTS:
  Shostack> |

=================================
Candidate: CAN-1999-0128
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: XF:ping-death
Reference: CERT:CA-96.26.ping

Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.

Modifications:
  ADDREF XF:ping-death
  COMMENT Andre's other suggested ref's were for a buffer overflow
  COMMENT in the ping program, which is a different vulnerability.
  DESC slight wording change to identify this as Ping o' Death *only*

VOTES:
  ACCEPT(4) Frech, Shostack, Northcutt, Landfield

=================================
Candidate: CAN-1999-0132
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: XF:expreserve
Reference: CERT:CA-96.19.expreserve

Expreserve, used in vi and ex, allows local users to overwrite arbitrary files and gain root access.

Modifications:
  ADDREF XF:expreserve

VOTES:
  ACCEPT(4) Frech, Shostack, Northcutt, Landfield

=================================
Candidate: CAN-1999-0185
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00156
Reference: XF:sun-ftpd/logind

In SunOS or Solaris, a remote user could connect from an FTP server's data port to an rlogin server on a host that trusts the FTP server, allowing remote command execution.

Modifications:
  DESC wording change
  ADDREF XF:sun-ftpd/logind

VOTES:
  ACCEPT(2) Northcutt, Prosser
  MODIFY(1) Frech

COMMENTS:
  Frech> Also reported as vulnerable on SunOS, which is similar, but different.
  Frech> Reference: XF:sun-ftpd/logind

=================================
Candidate: CAN-1999-0190
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00167
Reference: XF:sun-rpcbind

Solaris rpcbind can be exploited to overwrite arbitrary files and gain root access.

Modifications:
  ADDREF XF:sun-rpcbind

VOTES:
  ACCEPT(1) Northcutt
  MODIFY(2) Frech, Prosser

COMMENTS:
  Frech> Reference: XF:sun-rpcbind
  Prosser> The way rpcbind handles indirect calls is vulnerable in this advisory.
  Prosser> As there are lots of rpcbind problems, maybe should be more specific?

=================================
Candidate: CAN-1999-0208
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-02
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: XF:rpc-update
Reference: CERT:CA-95.17.rpc.ypupdated.vul

rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.

Modifications:
  ADDREF XF:rpc-update
  DESC change to present tense

VOTES:
  ACCEPT(3) Shostack, Northcutt, Landfield
  MODIFY(1) Frech

COMMENTS:
  Frech> "allows remote users..." since this vuln's context pertains to
  Frech> when the service was vulnerable.

=================================
Candidate: CAN-1999-0228
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nt-rpc-ver
Reference: MSKB:Q162567

Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.

Modifications:
  ADDREF MSKB:Q162567

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  MODIFY(1) Prosser

COMMENTS:
  Prosser> this is a 100% CPU utilization through the rpc port 135
  Prosser> on an NT box. Source is Microsoft Knowledge Base article Q162567

=================================
Candidate: CAN-1999-0252
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:smtp-listserv

Buffer overflow in listserv allows arbitrary command execution.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  NOOP(1) Prosser

=================================
Candidate: CAN-1999-0294
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nt-wins-snmp2

All records in a WINS database can be deleted through SNMP for a denial of service.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  NOOP(1) Prosser

=================================
Candidate: CAN-1999-0295
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sun-sysdef
Reference: SUN:00157

Solaris sysdef command allows local users to read kernel memory, potentially leading to root privileges.

VOTES:
  ACCEPT(5) Northcutt, Shostack, Prosser, Baker, Frech

COMMENTS:
  Prosser> reference though should be Sun Security Bulletin 00157

=================================
Candidate: CAN-1999-0303
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:bnu-uucpd-bo
Reference: RSI:RSI.0002.05-18-98.BNU.UUCPD

Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.

Modifications:
  ADDREF RSI:RSI.0002.05-18-98.BNU.UUCPD

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  MODIFY(1) Prosser

COMMENTS:
  Prosser> source should be REPSEC Security Advisory
  Prosser> RSI.0002.05-18-98.BNU.UUCPD

=================================
Candidate: CAN-1999-0305
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:bsd-sourceroute
Reference: OPENBSD:Feb15,1998 "IP Source Routing Problem"

BSD sysctl control does not properly restrict source routing.

Modifications:
  ADDREF OPENBSD:Feb15,1998

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  MODIFY(1) Prosser

COMMENTS:
  Prosser> reference: OpenBSD Security Advisory February 15, 1998 IP
  Prosser> Source Routing Problem

=================================
Candidate: CAN-1999-0308
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9410-018
Reference: XF:hpux-gwind-overwrite
Reference: CIAC:H-03: HP-UX suid Vulnerabilities

HP-UX gwind program allows users to modify arbitrary files.

Modifications:
  ADDREF HP:HPSBUX9410-018

VOTES:
  ACCEPT(3) Northcutt, Baker, Frech
  MODIFY(1) Prosser
  NOOP(1) Shostack

COMMENTS:
  Prosser> add source HP Security Bulletin HPSBUX9410-018

=================================
Candidate: CAN-1999-0310
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ssh-1225

SSH 1.2.25 on HP-UX allows access to new user accounts.

VOTES:
  ACCEPT(4) Northcutt, Prosser, Baker, Frech
  NOOP(1) Shostack

=================================
Candidate: CAN-1999-0311
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hpux-fpkg2swpk
Reference: HP:HPSBUX9612-042

fpkg2swpk in HP-UX allows local users to gain root access.

Modifications:
  ADDREF HP:HPSBUX9612-042

VOTES:
  ACCEPT(3) Northcutt, Baker, Frech
  MODIFY(1) Prosser
  NOOP(1) Shostack

COMMENTS:
  Prosser> add source: HP Security Advisory HPSBUX9612-042

=================================
Candidate: CAN-1999-0312
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nis-ypbind
Reference: CERT:CA-93:01.REVISED.HP.NIS.ypbind.vulnerability

HP ypbind allows attackers with root privileges to modify NIS data.

Modifications:
  ADDREF CERT:CA-93:01.REVISED.HP.NIS.ypbind.vulnerability

VOTES:
  ACCEPT(3) Northcutt, Baker, Frech
  MODIFY(1) Prosser
  NOOP(1) Shostack

COMMENTS:
  Prosser> Source is an older CERT Bulletin CA-93.1, Revised
  Prosser> Hewlett-Packard NIS ypbind Vulnerability

=================================
Candidate: CAN-1999-0313
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sgi-disk-bandwidth
Reference: SGI:19980701-01-P

IRIX disk_bandwidth program allows local users to gain root access using relative pathnames.

Modifications:
  ADDREF SGI:19980701-01-P

VOTES:
  ACCEPT(3) Northcutt, Baker, Frech
  MODIFY(1) Prosser
  NOOP(1) Shostack

COMMENTS:
  Prosser> Source is SGI Security Advisory 19980701-01-P

=================================
Candidate: CAN-1999-0314
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sgi-ioconfig
Reference: SGI:19980701-01-P

IRIX ioconfig program allows local users to gain root access using relative pathnames.

Modifications:
  ADDREF SGI:19980701-01-P

VOTES:
  ACCEPT(3) Northcutt, Baker, Frech
  MODIFY(1) Prosser
  NOOP(1) Shostack

COMMENTS:
  Prosser> Source is SGI Security Advisory 19980701-01-P

=================================
Candidate: CAN-1999-0316
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:linux-splitvt
Reference: CIAC:G-08

Buffer overflow in Linux splitvt command gives root access to local users.

Modifications:
  ADDREF CIAC:G-08

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  MODIFY(1) Prosser

COMMENTS:
  Prosser> Source is CIAC Bulletin G-08

=================================
Candidate: CAN-1999-0324
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9702-053
Reference: CIAC:H-31
Reference: XF:hp-ppllog

ppl program in HP-UX allows local users to create root files through symlinks.

Modifications:
  ADDREF CIAC:H-31
  ADDREF HP:HPSBUX9702-053

VOTES:
  ACCEPT(3) Northcutt, Baker, Frech
  MODIFY(1) Prosser
  NOOP(1) Shostack

COMMENTS:
  Prosser> reference CIAC Bulletin H-31, HP Security Bulletin
  Prosser> HPSBUX9702-053

=================================
Candidate: CAN-1999-0325
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hp-vhe
Reference: HP:HPSBUX9406-013

vhe_u_mnt program in HP-UX allows local users to create root files through symlinks.

Modifications:
  ADDREF HP:HPSBUX9406-013

VOTES:
  ACCEPT(3) Northcutt, Baker, Frech
  MODIFY(1) Prosser
  NOOP(1) Shostack

COMMENTS:
  Prosser> reference: HPSBUX9406-013

=================================
Candidate: CAN-1999-0328
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SGI:19971103-01-PX
Reference: XF:sgi-permtool

SGI permissions program allows local users to gain root privileges.

Modifications:
  ADDREF XF:sgi-permtool

VOTES:
  ACCEPT(1) Northcutt
  MODIFY(2) Shostack, Frech

COMMENTS:
  Shostack> include a path to /usr/bin/permissions to clarify that it is a
  Shostack> program.
  Frech> Reference: XF:sgi-permtool

=================================
Candidate: CAN-1999-0332
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nt-netmeeting
Reference: MSKB:Q184346

Buffer overflow in NetMeeting allows denial of service and remote command execution.

Modifications:
  ADDREF MSKB:Q184346

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  MODIFY(1) Prosser
  NOOP(1) Christey

COMMENTS:
  Shostack> All BOs can be dos attacks. When should or should not that be listed?
  Prosser> reference:
  Prosser> www.microsoft.com/windows/ie/security/netmbuff.asp, Knowledgebase
  Prosser> Q184346
  Christey> The DoS (a crash) occurs before the exploit, so both cases
  Christey> should be listed here.

=================================
Candidate: CAN-1999-0340
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: KSRT:005
Reference: XF:linux-crond

Buffer overflow in Linux Slackware crond program allows local users to gain root access.

Modifications:
  ADDREF KSRT:005

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  NOOP(1) Prosser

COMMENTS:
  Prosser> advisory comes from KSRT, KSR[T] Advisory #005
  Prosser> Date: Dec 6, 1997

=================================
Candidate: CAN-1999-0341
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: KSRT:006
Reference: XF:linux-deliver

Buffer overflow in the Linux mail program "deliver" allows local users to gain root access.

Modifications:
  ADDREF KSRT:006

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  NOOP(1) Prosser

COMMENTS:
  Prosser> advisory comes from KSRT, Advisory #006
  Prosser> Date: Jan 14, 1998

=================================
Candidate: CAN-1999-0342
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: REDHAT:http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam
Reference: XF:linux-pam-passwd-tmprace

Linux PAM modules allow local users to gain root access using temporary files.

Modifications:
  ADDREF REDHAT:http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  MODIFY(1) Prosser

COMMENTS:
  Prosser> one source from Bugtraq, another from
  Prosser> http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam

=================================
Candidate: CAN-1999-0344
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: MS:MS98-009
Reference: MSKB:Q190288
Reference: XF:nt-priv-fix

NT users can gain debug-level access on a system process using the Sechole exploit.

Modifications:
  ADDREF MS:MS98-009
  ADDREF MSKB:Q190288

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  MODIFY(1) Prosser

COMMENTS:
  Prosser> Source: MS Bulletin ms98-009 and Microsoft Knowledge
  Prosser> Base article Q190288

=================================
Candidate: CAN-1999-0357
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan25,1999
Reference: XF:win98-oshare-dos

Denial of service in Windows systems using malformed oshare packets.

Modifications:
  ADDREF XF:win98-oshare-dos

VOTES:
  ACCEPT(3) Northcutt, Shostack, Baker
  MODIFY(1) Frech
  NOOP(1) Prosser

COMMENTS:
  Frech> XF:win98-oshare-dos

=================================
Candidate: CAN-1999-0374
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: DEBIAN:19990215
Reference: BUGTRAQ:Feb16,1999
Reference: XF:linux-cfengine-symlinks

Debian Linux cfengine package is susceptible to a symlink attack.

Modifications:
  ADDREF DEBIAN:19990215
  ADDREF XF:linux-cfengine-symlinks

VOTES:
  ACCEPT(3) Northcutt, Shostack, Baker
  MODIFY(1) Frech
  NOOP(1) Prosser

COMMENTS:
  Frech> XF:linux-cfengine-symlinks

=================================
Candidate: CAN-1999-0396
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: NETBSD:1999-001
Reference: OPENBSD:Feb17,1999
Reference: XF:netbsd-tcp-race

A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service.

Modifications:
  ADDREF XF:netbsd-tcp-race

VOTES:
  ACCEPT(2) Northcutt, Hill
  MODIFY(2) Shostack, Frech

COMMENTS:
  Shostack> For denial of service attacks, we should distinguish between
  Shostack> host availability, service, and CPU absorption DOS attacks.
  Frech> Reference: XF:netbsd-tcp-race

=================================
Candidate: CAN-1999-0468
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: MS:MS99-012
Reference: XF:ie-scriplet-fileread
Reference: BUGTRAQ:Apr9,1999

Internet Explorer 5.0 allows a remote server to read arbitrary files on the client's file system using the Microsoft Scriptlet Component.

Modifications:
  ADDREF MS:MS99-012

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  MODIFY(1) Prosser

COMMENTS:
  Prosser> Source: MS bulletin ms99-012

=================================
Candidate: CAN-1999-0471
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:winroute-config
Reference: BUGTRAQ:Apr9,1999

The remote proxy server in Winroute allows a remote attacker to reconfigure the proxy without authentication through the "cancel" button.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  NOOP(1) Prosser

=================================
Candidate: CAN-1999-0472
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:netcache-snmp
Reference: BUGTRAQ:Apr7,1999

The SNMP default community name "public" is not properly removed in NetApps C630 Netcache, even if the administrator tries to disable it.

Modifications:
  DESC Changed NetApps to NetApp per vendor usage

VOTES:
  ACCEPT(3) Northcutt, Shostack, Baker
  MODIFY(1) Frech
  NOOP(1) Prosser

COMMENTS:
  Frech> Verify that the company's name is not correctly spelled Network Appliances.
  Frech> XF Reference is ok.
=================================
Candidate: CAN-1999-0473
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: CALDERA:CSSA-1999:010.0
Reference: XF:rsync-permissions
Reference: BUGTRAQ:Apr7,1999

The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred.

Modifications:
  ADDREF CALDERA:CSSA-1999:010.0

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  MODIFY(1) Prosser

COMMENTS:
  Prosser> Source: Caldera Security Advisory CSSA-1999:010.0

=================================
Candidate: CAN-1999-0474
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:icq-webserver-read
Reference: BUGTRAQ:Apr5,1999

The ICQ Webserver allows remote attackers to use .. to access arbitrary files outside of the user's personal directory.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  NOOP(1) Prosser

=================================
Candidate: CAN-1999-0475
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:procmail-race
Reference: BUGTRAQ:Apr5,1999

A race condition in how procmail handles .procmailrc files allows a local user to read arbitrary files available to the user who is running procmail.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  NOOP(1) Prosser

=================================
Candidate: CAN-1999-0485
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: OPENBSD:Feb19,1999
Reference: XF:openbsd-ipintr-race

Remote attackers can cause a system crash through ipintr() in ipq in OpenBSD.

Modifications:
  ADDREF XF:openbsd-ipintr-race
  DESC change DoS to system crash

VOTES:
  ACCEPT(2) Northcutt, Hill
  MODIFY(2) Shostack, Frech

COMMENTS:
  Shostack> For denial of service attacks, we should distinguish between
  Shostack> host availability, service, and CPU absorption DOS attacks.
  Frech> Reference: XF:openbsd-ipintr-race