[TECH] Active candidates
All: Below are all the current candidates that are still active. The list includes voting summaries. If you wish, you can use these to make your mappings more complete and/or reduce duplication when you send me your top 100 or six month lists. I could also provide these candidates in HTML or comma-separated format if you wish. - Steve ================================= Candidate: CAN-1999-0001 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Reference: CERT:CA-98-13-tcp-denial-of-service Denial of service in BSD-derived TCP/IP implementations, as described in CERT CA-98-13. VOTES: NOOP(2) Wall, Northcutt ================================= Candidate: CAN-1999-0004 Published: Final-Decision: Interim-Decision: Modified: 19990621-01 Proposed: 19990607 Assigned: 19990607 Category: SF Reference: CERT:CA-98.10.mime_buffer_overflows Reference: XF:outlook-long-name Reference: SUN:00175 Reference: MS:MS98-008 MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook. Modifications: ADDREF MS:MS98-008 DESC include Outlook VOTES: ACCEPT(3) Northcutt, Landfield, Wall MODIFY(1) Frech REVIEWING(1) Shostack COMMENTS: Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject Frech> this suggestion, I will not be devastated.) :-) ================================= Candidate: CAN-1999-0015 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: SF Reference: CERT:CA-97.28.Teardrop_Land Reference: XF:teardrop Teardrop IP denial of service. VOTES: ACCEPT(1) Wall MODIFY(1) Frech COMMENTS: Frech> XF: teardrop-mod ================================= Candidate: CAN-1999-0020 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Buffer overflow in Linux lpr command gives root access. 
VOTES: MODIFY(1) Frech NOOP(3) Northcutt, Shostack, Wall COMMENTS: Frech> XF:lpr-bo ================================= Candidate: CAN-1999-0030 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Reference: CERT:CA-97.21.sgi_buffer_overflow Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul Reference: XF:sgi-xlockbo Reference: SGI:19970508-02-PX root privileges via buffer overflow in xlock command on SGI IRIX systems. VOTES: ACCEPT(3) Prosser, Levy, Ozancin RECAST(1) Frech REJECT(1) Christey COMMENTS: Frech> XF:xlock-bo (also add) Frech> As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and Frech> several Linii. Frech> Also, don't you mean to cite SGI:19970502-02-PX? The one you list is Frech> login/scheme. Levy> Notice that this xlock overflow is the same as in Levy> CA-97.13. CA-97.21 simply is a reminder. Christey> As pointed out by Elias, CA-97.13 (CVE-1999-0038) already mentions Christey> this. However, CVE-1999-0038 may need to be modified to reflect Christey> the different OSes, though I suspect it's the same codebase, Christey> as well as to update its references. Christey> To keep the description as short and simple as possible, we Christey> should avoid this specific detail until there is a second AIX Christey> telnet DoS ================================= Candidate: CAN-1999-0031 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Reference: CERT:CA-97.20.javascript JavaScript allows remote attackers to monitor a user's web activities. 
VOTES: ACCEPT(1) Wall NOOP(1) Northcutt ================================= Candidate: CAN-1999-0033 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990607 Assigned: 19990607 Category: SF Reference: CERT:CA-97.18.at Reference: SUN:00160 Reference: XF:sun-atbo Command execution in Sun systems via buffer overflow in the at program VOTES: ACCEPT(4) Northcutt, Hill, Shostack, Wall RECAST(1) Frech COMMENTS: Frech> This vulnerability also manifests itself for the following = Frech> platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light, Frech> please add the = following: Frech> Reference: XF:at-bo ================================= Candidate: CAN-1999-0061 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Reference: NAI:NAI-20 Reference: XF:bsd-lpd File creation and deletion, and remote execution, in the BSD line printer daemon (lpd). VOTES: ACCEPT(3) Hill, Frech, Northcutt ================================= Candidate: CAN-1999-0076 Published: Final-Decision: Interim-Decision: Modified: 19990925-01 Proposed: 19990623 Assigned: 19990607 Category: SF Reference: XF:ftp-args Buffer overflow in wu-ftp from PASV command causes a core dump. Modifications: DESC make more explicit to distinguish from CAN-1999-0075 VOTES: ACCEPT(1) Frech NOOP(1) Balinsky COMMENTS: Balinsky> Don't know what this is. Is this the LIST Core dump vulnerability? ================================= Candidate: CAN-1999-0078 Published: Final-Decision: Interim-Decision: Modified: 19990621-01 Proposed: 19990607 Assigned: 19990607 Category: SF Reference: CERT:CA-96.08.pcnfsd Reference: XF:rpc-pcnfsd pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call. 
Modifications: DELREF XF:nfs-pcnfsd VOTES: ACCEPT(4) Frech, Shostack, Northcutt, Landfield RECAST(1) Christey COMMENTS: Christey> This candidate should be SPLIT, since there are two separate Christey> software flaws. One is a symlink race and the other is a Christey> shell metacharacter problem. ================================= Candidate: CAN-1999-0086 Published: Final-Decision: Interim-Decision: 19990630 Modified: Proposed: 19990617 Assigned: 19990607 Category: SF Reference: ERS:ERS-SVA-E01-1998:001.1 Reference: XF:ibm-routed AIX routed allows remote users to modify sensitive files. Modifications: ADDREF XF:ibm-routed VOTES: ACCEPT(2) Shostack, Northcutt MODIFY(2) Frech, Prosser COMMENTS: Frech> Reference: XF:ibm-routed Prosser> This vulnerability allows debug mode to be turned on which is Prosser> the problem. Should this be more specific in the description? This Prosser> one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which Prosser> is in the SGI cluster, shouldn't these be cross-referenced as the same Prosser> vuln affects multiple OSes. ================================= Candidate: CAN-1999-0088 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990617 Assigned: 19990607 Category: SF Reference: ERS:ERS-SVA-E01-1998:004.1 IRIX and AIX automountd services (autofsd) allow remote users to execute root commands. VOTES: ACCEPT(2) Shostack, Northcutt MODIFY(2) Frech, Prosser COMMENTS: Frech> ERS (and other references, BTW) explicitly stipulate 'local and Frech> remote'. Frech> Reference: XF:irix-autofsd Prosser> Include the SGI Alert as well since it is mentioned in the Prosser> description. 
Prosser> SGI Security Advisory 19981005-01-PX ================================= Candidate: CAN-1999-0089 Published: Final-Decision: Interim-Decision: 19990630 Modified: Proposed: 19990617 Assigned: 19990607 Category: SF Reference: ERS:ERS-SVA-E01-1997:005.1 Reference: XF:ibm-libDtSvc Buffer overflow in AIX libDtSvc library can allow local users to gain root access. Modifications: ADDREF XF:ibm-libDtSvc VOTES: ACCEPT(2) Shostack, Northcutt MODIFY(2) Frech, Prosser NOOP(1) Christey COMMENTS: Frech> Reference: XF:ibm-libDtSvc Prosser> The overflow is in the dtaction utility. Also affects Prosser> dtaction in the CDE on versions of SunOS (SUN 164). Probably should be Prosser> specific. Christey> DUPE CAN-1999-0121 (SF-CODEBASE) ================================= Candidate: CAN-1999-0092 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Reference: ERS:ERS-SVA-E01-1997:006.1 Various vulnerabilities in the AIX portmir command allows local users to obtain root access. VOTES: MODIFY(1) Frech COMMENTS: Frech> XF:ibm-portmir ================================= Candidate: CAN-1999-0098 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: SF Reference: XF:smtp-helo-bo Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities. VOTES: MODIFY(1) Frech NOOP(1) Wall REVIEWING(1) Christey COMMENTS: Frech> (Accept XF reference.) Frech> Our references do not mention hiding activities. This issue can crash the Frech> SMTP server or execute arbitrary byte-code. Is there another reference Frech> available? Christey> Should this be merged with CAN-1999-0284, which is Sendmail Christey> with SMTP HELO? 
================================= Candidate: CAN-1999-0101 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Reference: ERS:ERS-SVA-E01-1997:001.1 Reference: SUN:00137 Reference: NAI:NAI-1 Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names. VOTES: ACCEPT(1) Prosser MODIFY(1) Frech COMMENTS: Frech> XF:ghbn-bo Frech> in addition to ERS:1997:001.1, also include 1996:007.1 Frech> Sun's bulletin is 137a, not 137. Prosser> concur wtih Andre, sun bul is 137a ================================= Candidate: CAN-1999-0104 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: SF Reference: CERT:CA-97.28.Teardrop_Land Reference: XF:teardrop-mod A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2 VOTES: ACCEPT(2) Wall, Frech COMMENTS: Wall> Another reference is Microsoft Knowledge Base Q179129. ================================= Candidate: CAN-1999-0105 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: SF finger allows recursive searches by using a long string of @ symbols. VOTES: MODIFY(2) Shostack, Frech REJECT(1) Northcutt COMMENTS: Shostack> fingerD Frech> XF:finger-bomb ================================= Candidate: CAN-1999-0106 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: SF Finger redirection allows finger bombs. VOTES: ACCEPT(1) Northcutt MODIFY(2) Shostack, Frech COMMENTS: Shostack> fingerd allows redirection Shostack> This is a larger modification, since there are two applications of the Shostack> vulnerability, one that I can finger anonymously, and the other that I Shostack> can finger bomb anonymously. 
Frech> XF:finger-bomb ================================= Candidate: CAN-1999-0107 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Buffer overflow in HTTP Apache 1.2 or earlier, up to 1.2.5. VOTES: MODIFY(1) Frech NOOP(3) Northcutt, Shostack, Wall COMMENTS: Wall> - Although this is probably the phf hack. Frech> XF:apache-dos ================================= Candidate: CAN-1999-0110 Published: Final-Decision: Interim-Decision: 19990810 Modified: Proposed: 19990714 Assigned: 19990607 Category: SF ** REJECT ** Duplicate of CAN-1999-0315 (this has a typo) Buffer overflow in fbformat command in Solaris. VOTES: MODIFY(1) Frech NOOP(3) Northcutt, Shostack, Wall COMMENTS: Frech> XF:fdformat-bo ================================= Candidate: CAN-1999-0114 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack. VOTES: ACCEPT(1) Shostack MODIFY(1) Frech NOOP(2) Northcutt, Wall COMMENTS: Frech> XF:elm-filter2 ================================= Candidate: CAN-1999-0115 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF AIX bugfiler program allows local users to gain root access. VOTES: MODIFY(1) Frech NOOP(3) Northcutt, Shostack, Wall COMMENTS: Frech> XF:ibm-bugfiler ================================= Candidate: CAN-1999-0118 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF AIX infod allows local users to gain root access through an X display. 
VOTES: MODIFY(1) Frech NOOP(3) Northcutt, Shostack, Wall COMMENTS: Frech> XF:aix-infod ================================= Candidate: CAN-1999-0119 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Windows NT 4.0 beta allows users to read and delete shares. VOTES: NOOP(1) Northcutt REJECT(1) Wall COMMENTS: Wall> Reject based on beta copy. ================================= Candidate: CAN-1999-0121 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990617 Assigned: 19990607 Category: SF Reference: SUN:00164 Reference: ERS:ERS-SVA-E01-1997:005.1 Buffer overflow in dtaction command gives root access. VOTES: ACCEPT(1) Northcutt MODIFY(2) Frech, Prosser NOOP(1) Christey COMMENTS: Frech> Reference: XF:dtaction-bo Frech> Reference: XF:sun-dtaction Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a Prosser> library in AIX 4.x, but reference for this Sun vulnerability should Prosser> only reflect the Sun Bulletin or the CIAC I-032 version of the Sun Prosser> Bulletin Christey> This is the Same Codebase as CAN-1999-0089, so the two entries Christey> should be merged. ================================= Candidate: CAN-1999-0123 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: SF Reference: XF:linux-mailx Race condition in Linux mailx command allows local users to read user files. VOTES: ACCEPT(2) Ozancin, Frech NOOP(1) Wall ================================= Candidate: CAN-1999-0124 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability Reference: XF:gopher-vuln Vulnerabilities in UMN gopher and gopher+ allow an intruder to read any files that can be accessed by the gopher daemon. 
VOTES: ACCEPT(1) Frech ================================= Candidate: CAN-1999-0127 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Reference: CERT:CA-96.27.hp_sw_install Reference: AUSCERT:AA-96.04 Reference: XF:hpux-swinstall swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access. VOTES: ACCEPT(1) Prosser MODIFY(1) Frech NOOP(1) Christey COMMENTS: Frech> (keep current XF: reference, and add) Frech> XF:hpux-sqwmodify Christey> Perhaps this should be split, per SF-LOC. ================================= Candidate: CAN-1999-0140 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Denial of service in RAS/PPTP on NT systems. VOTES: ACCEPT(1) Hill MODIFY(2) Meunier, Frech NOOP(1) Christey COMMENTS: Meunier> Add "pptp invalid packet length in header" to distinguish from other Meunier> vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be Meunier> discovered in the future. Frech> XF:nt-ras-bo Frech> ONLY IF reference is to MS:MS99-016 Christey> According to my mappings, this is not the MS:MS99-016 problem Christey> referred to by Andre. However, I have yet to dig up a Christey> source. ================================= Candidate: CAN-1999-0142 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990607 Assigned: 19990607 Category: SF Reference: CERT:CA-96.05.java_applet_security_mgr Java Applet Security Manager allows an applet to connect to arbitrary hosts. VOTES: ACCEPT(3) Hill, Shostack, Wall MODIFY(1) Frech RECAST(1) Northcutt REVIEWING(1) Christey COMMENTS: Northcutt> Please note I am not a Java expert, but I think jdk 2.0 and Northcutt> so forth do not have a sandbox notion and applets (perhaps trusted Northcutt> applets) can connect to arbitrary hosts as a matter of course. 
You Northcutt> might want to contact Li Gong (li.gong@sun.com) or a similar Northcutt> expert before issuing this one. NOTE: another reason to consider Northcutt> the original date!!! Christey> Noting Steve Northcutt's comments, perhaps we would need to modify the Christey> description somewhat to distinguish between current Java versions and Christey> the one that had this vulnerability. However, the CERT reference Christey> associates a general place and time for where this vulnerability Christey> arose, so I don't think it's too big of a deal. Frech> Reference: XF:http-java-appletsecmgr ================================= Candidate: CAN-1999-0144 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Reference: XF:qmail-rcpt Denial of service in Qmail by specifying a large number of recipients with the RCPT command. VOTES: ACCEPT(3) Hill, Meunier, Frech ================================= Candidate: CAN-1999-0145 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Sendmail WIZ command enabled, allowing root access. VOTES: ACCEPT(4) Hill, Blake, Proctor, Balinsky MODIFY(2) Frech, Prosser NOOP(1) Christey REJECT(1) Northcutt COMMENTS: Frech> XF:smtp-wiz Northcutt> I have voted against this before as well. This raises the case of a Northcutt> historic but no longer existant vulnerability. Or is there any data Northcutt> that wiz still exists on any operational systems? Prosser> additional sources Prosser> Bugtraq Prosser> "sendmail wizard thing" Prosser> http://securityfocus/ Prosser> CERT Advisory CA-93.14 Prosser> http://www.cert.org Christey> While this may not be active anywhere (we hope), it is still Christey> of historic interest and potentially useful for academic Christey> study. Therefore it should be included. 
================================= Candidate: CAN-1999-0151 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Reference: CERT:CA-95.07a.REVISED.satan.vul Reference: CERT:CA-95.06.satan.vul The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access. VOTES: ACCEPT(2) Hill, Northcutt MODIFY(1) Frech COMMENTS: Frech> XF:satan-scan ================================= Candidate: CAN-1999-0156 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Reference: XF:ftp-pwless wu-ftpd FTP daemon allows any user and password combination. VOTES: ACCEPT(2) Northcutt, Shostack NOOP(1) Baker RECAST(1) Frech REVIEWING(1) Prosser COMMENTS: Prosser> but so far can find no reference to this one Frech> Our records indicate that this does not necessarly affect just wu-ftp (ie, Frech> also affects IIS FTP server). ================================= Candidate: CAN-1999-0163 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Reference: XF:smtp-pipe In older versions of Sendmail, an attacker could use a pipe character to execute root commands. VOTES: ACCEPT(2) Northcutt, Frech MODIFY(1) Prosser NOOP(2) Baker, Christey RECAST(1) Shostack COMMENTS: Shostack> there was a 'To: |' and a 'From: |' attack, which I Shostack> think are seperate. 
Prosser> older vulnerability, but one additional reference is- Prosser> The Ultimate Sendmail Hole List by Markus Hübner @ Prosser> bau2.uibk.ac.at/matic/buglist.htm Prosser> '|PROGRAM ' Christey> Description needs to be more specific to distinguish between Christey> this and CAN-1999-0203, as alluded to by Adam Shostack ================================= Candidate: CAN-1999-0165 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Reference: XF:nfs-cache NFS cache poisoning VOTES: ACCEPT(3) Northcutt, Baker, Frech MODIFY(1) Shostack NOOP(1) Prosser COMMENTS: Shostack> need more data ================================= Candidate: CAN-1999-0169 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Reference: XF:nfs-uid NFS allows attackers to read and write any file on the system by specifying a false UID. VOTES: ACCEPT(2) Northcutt, Frech REJECT(1) Shostack COMMENTS: Shostack> this is not a vulnerability but a design feature. ================================= Candidate: CAN-1999-0171 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Reference: XF:syslog-flood Denial of service in syslog by sending it a large number of superfluous messages. VOTES: ACCEPT(2) Northcutt, Frech REJECT(1) Shostack COMMENTS: Shostack> design issue, not a vulnerability. Alternately, add: Shostack> DOS on server by opening a large number of telnet sessions.. ================================= Candidate: CAN-1999-0186 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: SF Reference: SUN:00178 Reference: XF:snmp-backdoor-access In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters. 
VOTES: MODIFY(1) Frech NOOP(1) Wall COMMENTS: Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr Frech> Add ISS:Hidden Community String in SNMP Implementation ================================= Candidate: CAN-1999-0187 Published: Final-Decision: Interim-Decision: Modified: 19990805 Proposed: 19990623 Assigned: 19990607 Category: SF Reference: SUN:00179 ** REJECT ** Duplicate of CAN-1999-0022 (SUN:00179 is referenced in CERT:CA-97.23.rdist) The rdist program in Solaris has some buffer overflows that allow attackers to gain root access. VOTES: ACCEPT(2) Northcutt, Hill RECAST(2) Prosser, Frech REVIEWING(1) Christey COMMENTS: Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in Prosser> rdist lookup( )(ref CERT 96.14)as well as the BO in rdist function expstr() Prosser> (ref CERT 97-23) and various vendor bulletins. However both of these rdist Prosser> BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX, Prosser> FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content Prosser> decision Frech> XF:rdist-bo (error msg formation) Frech> XF:rdist-bo2 (execute code) Frech> XF:rdist-bo3 (execute user-created code) Frech> XF:rdist-sept97 (root from local) Christey> Duplicate of CAN-1999-0022 (SUN:00179 is referenced in Christey> CERT:CA-97.23.rdist), but as Mike and Andre noted, there Christey> are multiple flaws here, so a RECAST may be necessary. ================================= Candidate: CAN-1999-0193 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option. VOTES: ACCEPT(2) Northcutt, Shostack REVIEWING(1) Frech COMMENTS: Frech> possibly XF:ascend-kill Frech> I can't find a reference that lists both routers in the same reference. 
================================= Candidate: CAN-1999-0195 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Denial of service in RPC portmapper allows attackers to register or unregister RPC services, or spoof RPC services. VOTES: ACCEPT(1) Shostack MODIFY(1) Frech NOOP(2) Northcutt, Wall COMMENTS: Frech> XF:rpcbind-spoof ================================= Candidate: CAN-1999-0197 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: SF finger 0@host on some systems may print information on some user accounts. VOTES: MODIFY(1) Shostack REJECT(1) Northcutt REVIEWING(1) Frech COMMENTS: Shostack> fingerd may respond to 'finger 0@host' with account info Frech> Need more reference to establish this 'exposure'. ================================= Candidate: CAN-1999-0198 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: SF finger .@host on some systems may print information on some user accounts. VOTES: MODIFY(1) Shostack REJECT(1) Northcutt REVIEWING(1) Frech COMMENTS: Shostack> as above Frech> Need more reference to establish this 'exposure'. ================================= Candidate: CAN-1999-0200 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF WFTP would allow an attacker to log into the FTP server using any username and password. VOTES: MODIFY(2) Shostack, Frech NOOP(2) Northcutt, Wall COMMENTS: Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another? Frech> Other have mentioned this before, but it may be WU-FTP. Frech> POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root Frech> access without anon FTP or a regular account? Frech> POSSIBLY XF:wu-ftpd-exec;same as above conditions, but instead from a Frech> non-anon FTP account and gain root privs. 
================================= Candidate: CAN-1999-0203 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program. VOTES: ACCEPT(5) Hill, Blake, Balinsky, Ozancin, Northcutt NOOP(1) Christey REVIEWING(1) Frech COMMENTS: Christey> Description needs to be more specific to distinguish between Christey> this and CAN-1999-0163, as alluded to by Adam Shostack ================================= Candidate: CAN-1999-0205 Published: Final-Decision: Interim-Decision: Modified: 19990925-01 Proposed: 19990630 Assigned: 19990607 Category: SF Reference: ADDREF BUGTRAQ:19990708 SM 8.6.12 Denial of service in Sendmail 8.6.11 and 8.6.12. VOTES: ACCEPT(2) Hill, Northcutt MODIFY(2) Frech, Prosser REVIEWING(2) Ozancin, Christey COMMENTS: Frech> XF:sendmail-alias-dos Prosser> additional source Prosser> Bugtraq Prosser> "Re: SM 8.6.12" Prosser> http://www.securityfocus.com Christey> The Bugtraq thread does not provide any proof, including a Christey> comment by Eric Allman that he hadn't been provided any Christey> details either. Christey> Christey> See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu Christey> for the thread. ================================= Candidate: CAN-1999-0210 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Automount daemon in Solaris allows local or remote users privileged access, and access to remote users in conjunction with rpc.statd. 
VOTES: MODIFY(2) Shostack, Frech NOOP(2) Northcutt, Wall COMMENTS: Shostack> I think there was an SNI advisory on this Frech> Not enough information; POSSIBLY XF:sun-automountd (changing mount options) ================================= Candidate: CAN-1999-0212 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990617 Assigned: 19990607 Category: SF Reference: SUN:00168 rpc.mountd in Linux and Solaris would generate error messages that allowed an attacker to determine what files were on the server. VOTES: ACCEPT(1) Prosser MODIFY(2) Northcutt, Frech COMMENTS: Northcutt> I am concerned that Linux is becoming too Northcutt> non descript a word, in the past two weeks I have run Northcutt> across 3 Linuxes I had never heard of before. I think we need Northcutt> to start being specific when we mention Linux either by Northcutt> the kernal or vendor or something. Frech> Reference: XF:sun-mountd ================================= Candidate: CAN-1999-0213 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind. VOTES: ACCEPT(1) Hill MODIFY(1) Frech NOOP(1) Meunier COMMENTS: Frech> XF:sun-libnsl ================================= Candidate: CAN-1999-0216 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Denial of service of inetd on Linux through SYN and RST packets. VOTES: ACCEPT(1) Hill MODIFY(1) Frech RECAST(1) Meunier COMMENTS: Meunier> The location of the vulnerability, whether in the Linux kernel or the Meunier> application, is debatable. Any program making the same (reasonnable) Meunier> assumption is vulnerable, i.e., implements the same vulnerability: Meunier> "Assumption that TCP-three-way handshake is complete after calling Linux Meunier> kernel function accept(), which returns socket after getting SYN. 
Result Meunier> is process death by SIGPIPE" Meunier> Moreover, whether it results in DOS (to third parties) depends on the Meunier> process that made the assumption. Meunier> I think that the present entry should be split, one entry for every Meunier> application that implements the vulnerability (really describing threat Meunier> instances, which is what other people think about when we talk about Meunier> vulnerabilities), and one entry for the Linux kernel that allows the Meunier> vulnerability to happen. Frech> XF:hp-inetd Frech> XF:linux-inetd-dos ================================= Candidate: CAN-1999-0220 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Attackers can do a denial of service of IRC by crashing the server. VOTES: NOOP(1) Northcutt ================================= Candidate: CAN-1999-0222 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL. VOTES: MODIFY(2) Shostack, Frech NOOP(2) Northcutt, Wall COMMENTS: Shostack> I follow cisco announcements and problems pretty closely, and haven't Shostack> seen this. Source? Frech> XF:cisco-web-crash ================================= Candidate: CAN-1999-0223 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry. VOTES: MODIFY(1) Frech NOOP(3) Northcutt, Shostack, Wall COMMENTS: Frech> XF:sol-syslogd-crash ================================= Candidate: CAN-1999-0225 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Reference: SNI:SNI-25 Denial of service in Windows NT using SMB file commands before logging in and accessing shares. 
VOTES: ACCEPT(1) Hill MODIFY(1) Frech NOOP(1) Wall COMMENTS: Frech> XF:nt-logondos ================================= Candidate: CAN-1999-0226 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service. VOTES: ACCEPT(1) Northcutt ================================= Candidate: CAN-1999-0229 Published: Final-Decision: Interim-Decision: Modified: 19990821-01 Proposed: 19990714 Assigned: 19990607 Category: SF Reference: MSKB:Q115052 Reference: XF:http-dotdot Denial of service in Windows NT IIS server using ..\.. Modifications: ADDREF MSKB:Q115052 ADDREF XF:http-dotdot VOTES: ACCEPT(1) Shostack MODIFY(2) Wall, Frech NOOP(1) Northcutt COMMENTS: Wall> Denial of service in Windows NT IIS Server 1.0 using ..\... Wall> Source: Microsoft Knowledge Base Article Q115052 - IIS Server. Frech> XF:http-dotdot (not necessarily IIS?) ================================= Candidate: CAN-1999-0231 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access. VOTES: ACCEPT(1) Levy NOOP(2) Northcutt, Landfield RECAST(1) Frech REVIEWING(1) Ozancin COMMENTS: Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below) Frech> XF:smtp-vrfy-bo (many mail packages) Northcutt> (There is no way I will have access to these systems) ================================= Candidate: CAN-1999-0232 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Buffer overflow in NCSA WebServer (version 1.5c) gives remote access. VOTES: ACCEPT(2) Northcutt, Hill MODIFY(1) Frech NOOP(1) Prosser COMMENTS: Frech> Unable to provide a match due to vague/insufficient description/references. 
  Frech> Possible matches are:
  Frech> XF:ftp-ncsa (probably not, considering you've mentioned the webserver.)
  Frech> XF:http-ncsa-longurl (highest probability)
=================================
Candidate: CAN-1999-0233
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-iis-cmd

IIS and WebSite allow users to execute arbitrary commands using ..bat or .cmd files.

VOTES:
  ACCEPT(2) Northcutt, Prosser
  REVIEWING(1) Frech
COMMENTS:
  Frech> XF reference is correct, but cannot find supporting reference for WebSite
  Frech> vulnerability.
  Frech> No further action to be taken unless more information forthcoming.
=================================
Candidate: CAN-1999-0235
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF

Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.

VOTES:
  ACCEPT(3) Northcutt, Hill, Prosser
  MODIFY(1) Frech
COMMENTS:
  Frech> XF:http-ncsa-longurl
=================================
Candidate: CAN-1999-0238
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-phpfileread

php.cgi allows attackers to read any file on the system.

VOTES:
  ACCEPT(3) Northcutt, Prosser, Frech
COMMENTS:
  Prosser> additional source
  Prosser> AUSCERT External Security Bulletin ESB-97.047
  Prosser> http://www.auscert.org.au
  Prosser> Published:
  Prosser> Final-Decision:
  Prosser> Interim-Decision:
  Prosser> Modified:
  Prosser> Announced: 19990623
  Prosser> Assigned: 19990607
  Prosser> Category: SF
  Prosser> Reference: XF:http-iis-2e
  Prosser> IIS 3.0 allows remote intruders to read source code for ASP programs
  Prosser> by using a "2e" instead of a "." in the URL.
=================================
Candidate: CAN-1999-0240
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy.

VOTES:
  ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0241
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:http-xguess-cookie

Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.

VOTES:
  ACCEPT(3) Hill, Northcutt, Proctor
  MODIFY(2) Frech, Prosser
  REVIEWING(1) Christey
COMMENTS:
  Frech> Also add to references:
  Frech> XF:sol-mkcookie
  Prosser> additional source
  Prosser> Bugtraq
  Prosser> "X11 cookie hijacker"
  Prosser> http://www.securityfocus.com
  Christey> The cookie hijacker thread has to do with stealing cookies
  Christey> through a file with bad permissions. I'm not sure the
  Christey> X-Force reference identifies this problem either.
=================================
Candidate: CAN-1999-0242
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF

Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords.

VOTES:
  MODIFY(1) Frech
  NOOP(3) Northcutt, Shostack, Wall
COMMENTS:
  Frech> Ambiguous description: need more detail. Possibly:
  Frech> XF:linux-pop3d (mktemp() leads to reading e-mail)
=================================
Candidate: CAN-1999-0243
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF

Linux cfingerd could be exploited to gain root access.
VOTES:
  ACCEPT(1) Shostack
  NOOP(2) Northcutt, Wall
  REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0246
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:hp-remote

HP Remote Watch allows a remote user to gain root access.

VOTES:
  ACCEPT(4) Hill, Frech, Northcutt, Prosser
  NOOP(1) Christey
COMMENTS:
  Frech> Comment: Determine if it's RemoteWatch or Remote Watch.
  Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in
  Christey> Remote Watch (the advisory uses two words, not one, for the
  Christey> "Remote Watch" name)
  Prosser> agree that the advisory mentions two vulnerabilities in Remote
  Prosser> Watch, one being a socket connection and other with the showdisk utility
  Prosser> which seems to be a suid vulnerability. Never get much details on this
  Prosser> anywhere since the recommendation is to remove the program since it is
  Prosser> obsolete and superseded by later tools. Believe the biggest concern here is
  Prosser> to just not run the tool at all.
=================================
Candidate: CAN-1999-0247
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Buffer overflow in nnrpd program in INN allows remote users to execute arbitrary commands.

VOTES:
  NOOP(1) Northcutt
=================================
Candidate: CAN-1999-0248
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

sshd 1.2.17 can be compromised through the SSH protocol.

VOTES:
  ACCEPT(1) Northcutt
  MODIFY(1) Shostack
  NOOP(1) Frech
COMMENTS:
  Shostack> http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html
  Shostack> looks to me to be about the correct message that came from Tatu.
  Shostack> There are comments in changelog: * Improved the security of
  Shostack> auth_input_request_forwarding().
  Shostack>
  Shostack> I'm not in favor of moving this forward without additional detail, but
  Shostack> thought I'd add a confirming URL and comment. We have insufficient
  Shostack> detail to accept it as a CVE.
  Frech> Try http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1; to wit
  Frech> (see asterisked section):
  Frech> ...
  Frech> *****
  Frech> Versions of ssh prior to 1.2.17 had problems with authentication agent
  Frech> handling on some machines. There is a chance (a race condition) that a
  Frech> malicious user could steal another user's credentials. This should be fixed
  Frech> in 1.2.17.
  Frech> *****
=================================
Candidate: CAN-1999-0249
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF

Windows NT RSHSVC program allows remote users to execute arbitrary commands.

VOTES:
  MODIFY(2) Wall, Frech
  NOOP(2) Northcutt, Shostack
COMMENTS:
  Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows remote
  Wall> users to execute arbitrary commands.
  Wall> Source: rshsvc.txt from the Windows NT Resource Kit.
  Frech> XF:rsh-svc
=================================
Candidate: CAN-1999-0250
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:qmail-leng

Denial of service in Qmail through long SMTP commands.

VOTES:
  ACCEPT(2) Hill, Meunier
  MODIFY(1) Frech
COMMENTS:
  Frech> XF:qmail-rcpt
=================================
Candidate: CAN-1999-0253
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-iis-2e

IIS 3.0 allows remote intruders to read source code for ASP programs by using a "2e" instead of a "." in the URL.
VOTES:
  ACCEPT(2) Northcutt, Frech
  NOOP(1) Prosser
=================================
Candidate: CAN-1999-0254
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: ISS:Hidden SNMP community in HP OpenView
Reference: XF:hpov-hidden-snmp-comm

A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information.

VOTES:
  ACCEPT(1) Frech
  NOOP(1) Wall
=================================
Candidate: CAN-1999-0255
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF

Buffer overflow in ircd allows arbitrary command execution.

VOTES:
  ACCEPT(2) Northcutt, Hill
  MODIFY(1) Frech
  NOOP(1) Prosser
COMMENTS:
  Frech> XF:irc-bo
=================================
Candidate: CAN-1999-0257
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

Nestea variation of teardrop IP fragmentation denial of service.

VOTES:
  ACCEPT(1) Wall
  MODIFY(1) Frech
COMMENTS:
  Frech> XF:nestea-linux-dos
=================================
Candidate: CAN-1999-0258
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

Bonk variation of teardrop IP fragmentation denial of service.

VOTES:
  MODIFY(2) Wall, Frech
COMMENTS:
  Wall> Reference Q179129
  Frech> XF:teardrop-mod
=================================
Candidate: CAN-1999-0259
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

cfingerd lists all users on a system via search.**@target.

VOTES:
  ACCEPT(1) Shostack
  MODIFY(1) Frech
  NOOP(1) Northcutt
COMMENTS:
  Frech> XF:cfinger-user-enumeration
=================================
Candidate: CAN-1999-0261
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF

Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.
VOTES:
  MODIFY(2) Frech, Landfield
  NOOP(1) Northcutt
COMMENTS:
  Frech> XF:chamelion-smtp-dos
  Landfield> - Specify what "a crash" means.
=================================
Candidate: CAN-1999-0268
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF

MetaInfo MetaWeb web server allows users to upload and execute scripts.

VOTES:
  ACCEPT(1) Northcutt
  NOOP(1) Prosser
  REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0270
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF

pfdispaly CGI program for SGI's Performer API Search Tool allows read access to files.

VOTES:
  ACCEPT(2) Northcutt, Prosser
  MODIFY(1) Frech
  REVIEWING(1) Christey
COMMENTS:
  Prosser> additional source
  Prosser> CIAC Security Bulletin I-041
  Prosser> http://www.ciac.org
  Frech> XF:sgi-pfdispaly
  Frech> XF:sgi-dispaly-patch-vuln
  Christey> There are two bugs here, as described in Bugtraq. The first one
  Christey> allowed read access to files outside of a document root (a dot dot
  Christey> problem). The second one was a shell metacharacter problem.
  Christey> CAN-1999-0270 refers to the first problem only.
=================================
Candidate: CAN-1999-0271
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?

Progressive Networks Real Video server (pnserver) can be crashed remotely.

Modifications:
  ADDREF BUGTRAQ:19980115 pnserver exploit..
  ADDREF BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?

VOTES:
  ACCEPT(2) Northcutt, Blake
  NOOP(2) Prosser, Christey
  REVIEWING(1) Frech
COMMENTS:
  Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq
  Christey> posting), but may be multiple codebases since several
  Christey> Real Audio servers are affected.
=================================
Candidate: CAN-1999-0275
Published:
Final-Decision:
Interim-Decision:
Modified: 19990905-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: XF:nt-dnscrash
Reference: MS:Q169461

Denial of service in Windows NT DNS servers by flooding port 53 with too many characters.

Modifications:
  CHANGEREF XF:nt-dns-crash XF:nt-dnscrash
  DESC slight change to mention port 53 specifically.

VOTES:
  ACCEPT(1) Ozancin
  MODIFY(2) Wall, Frech
  REVIEWING(1) Christey
COMMENTS:
  Wall> Denial of service in Windows NT DNS servers by malicious telnet attack.
  Frech> Change XF:nt-dns-crash to XF:nt-dnscrash
  Frech> ADDREF XF:nt-dnsver
  Christey> The XF entry, and the corresponding Microsoft KB articles,
  Christey> indicate that there is more than one vulnerability related to
  Christey> the DNS server. Other CVE entries need to be created for the
  Christey> other cases, including the telnet case that Mike mentions.
=================================
Candidate: CAN-1999-0280
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:19970317 Internet Explorer Bug #4
Reference: CIAC:H-38
Reference: XF:http-ie-lnkurl

Remote command execution in Microsoft Internet Explorer using .lnk and ..url files.

Modifications:
  ADDREF CIAC:H-38
  ADDREF XF:http-ie-lnkurl
  ADDREF NTBUGTRAQ:19970317 Internet Explorer Bug #4

VOTES:
  ACCEPT(5) Hill, Wall, Northcutt, Proctor, Balinsky
  MODIFY(2) Frech, Prosser
  NOOP(1) Christey
COMMENTS:
  Frech> XF:http-ie-lnkurl
  Prosser> additional source
  Prosser> CIAC Bulletin H-38
  Prosser> http://www.ciac.org
  Prosser> Microsoft Internet Explorer Security Updates
  Prosser> "Internet Explorer 3.02 Includes All Security"
  Prosser> http://www.microsoft.com/windows/ie/security
  Christey> Mike's Microsoft reference is no longer listed there.
  Christey> This topic appears to have generated a long NTBugtraq thread.
=================================
Candidate: CAN-1999-0282
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.12.sun.loadmodule.vul

Vulnerabilities in loadmodule and modload programs in SunOS and OpenWindows

VOTES:
  MODIFY(1) Frech
  RECAST(1) Prosser
COMMENTS:
  Frech> XF:sun-loadmodule
  Frech> XF:sun-modload (CERT CA-93.18 very old!)
  Prosser> Believe the reference given, 95-12, is referencing a later
  Prosser> loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an
  Prosser> earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories
  Prosser> for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, there may be the
  Prosser> same as the HP patches are 100448-02 for the 93 loadmodule/modload
  Prosser> vulnerability and 100448-03 for the 95 loadmodule vulnerability which
  Prosser> normally indicated a patch update. Looks like the original patch either
  Prosser> didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell
  Prosser> much beyond that and this is my opinion only as have no way to check it.
  Prosser> Which one is this CVE referencing? I accept both.
=================================
Candidate: CAN-1999-0283
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF

The Java Web Server would allow remote users to obtain the source code for CGI programs.

VOTES:
  ACCEPT(2) Northcutt, Blake
  NOOP(1) Prosser
  REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0284
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:smtp-helo-bo

Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command.
VOTES:
  ACCEPT(2) Blake, Northcutt
  MODIFY(3) Frech, Levy, Ozancin
  REVIEWING(1) Christey
COMMENTS:
  Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification)
  Frech> XF:mdaemon-helo-bo
  Frech> XF:lotus-notes-helo-crash
  Frech> XF:slmail-helo-overflow
  Frech> XF:smtp-helo-bo (mentions several products)
  Frech> XF:smtp-exchangedos
  Levy> - Need one per software. Each one should be its own
  Levy> vulnerability.
  Ozancin> => Windows NT is correct
  Christey> These are probably multiple codebases, so we'll need to use
  Christey> dot notation. Also need to see if this should be merged
  Christey> with CAN-1999-0098 (Sendmail SMTP HELO).
=================================
Candidate: CAN-1999-0285
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF

Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.

VOTES:
  ACCEPT(1) Hill
  NOOP(1) Wall
  REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0286
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF

In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages.

VOTES:
  ACCEPT(1) Shostack
  MODIFY(1) Wall
  NOOP(2) Northcutt, Christey
  REVIEWING(1) Frech
COMMENTS:
  Wall> In some NT web servers, appending a dot at the end of a URL may
  Wall> allow attackers to read source code for active pages.
  Wall> Source: MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears
  Wall> in Browser"
  Frech> In the meantime, reword description as 'Windows NT' (trademark issue)
  Christey> Spaces, dots, there are many like this. Description is too
  Christey> vague.
=================================
Candidate: CAN-1999-0287
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF

Vulnerability in the Wguest CGI program.
VOTES:
  ACCEPT(1) Blake
  MODIFY(2) Shostack, Frech
  NOOP(2) Northcutt, Wall
  REVIEWING(1) Christey
COMMENTS:
  Shostack> allows file reading
  Frech> XF:http-cgi-webcom-guestbook
  Christey> Appears to be a duplicate of CAN-1999-0467
=================================
Candidate: CAN-1999-0290
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF

Denial of service in the Telnet proxy in WinGate.

VOTES:
  ACCEPT(3) Hill, Blake, Northcutt
  MODIFY(2) Frech, Prosser
COMMENTS:
  Frech> XF:wingate-dos
  Prosser> additional source
  Prosser> Hrvoje Crvelin
  Prosser> Security Bugware
  Prosser> http://161.53.42.3/~crv/security/bugs/NT/wingate2.html
=================================
Candidate: CAN-1999-0291
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF

Remote users can redirect their connections through a WinGate proxy.

VOTES:
  ACCEPT(4) Hill, Blake, Northcutt, Ozancin
  MODIFY(2) Frech, Prosser
COMMENTS:
  Frech> Description needs more info or references on how this redirection takes
  Frech> place. Is it by password access? If so, consider these two references:
  Frech> XF:wingate-unpassworded
  Frech> XF:wingate-registry-passwords
  Prosser> believe this is the "WinGate Bounce" described in
  Prosser> Hrvoje Crvelin's
  Prosser> Security Bugware
  Prosser> http://161.53.42.3/~crv/security/bugs/NT/wingate.htm
=================================
Candidate: CAN-1999-0297
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NAI:NAI-3

Buffer overflow in Vixie Cron 2.1 allows local users to obtain root access.
VOTES:
  ACCEPT(2) Northcutt, Hill
  MODIFY(1) Frech
  RECAST(1) Prosser
COMMENTS:
  Prosser> This appears to be the same as the Cron BO reported in CIAC
  Prosser> H-17 which affects versions of the vixie cron package up to and including
  Prosser> 3.0
  Frech> XF:vixie-cron
=================================
Candidate: CAN-1999-0298
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: NAI:NAI-6

ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files.

VOTES:
  ACCEPT(1) Northcutt
  NOOP(1) Shostack
  REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0304
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:bsd-mmap
Reference: FreeBSD:FreeBSD-SA-98:02

mmap function in BSD allows local attackers in the kmem group to modify memory through devices.

VOTES:
  ACCEPT(3) Hill, Frech, Northcutt
=================================
Candidate: CAN-1999-0306
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hp-xlock

buffer overflow in HP xlock program.

VOTES:
  ACCEPT(3) Northcutt, Baker, Frech
  MODIFY(1) Prosser
  NOOP(1) Shostack
COMMENTS:
  Prosser> This is another of those with multiple affected OSs.
  Prosser> Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt,
  Prosser> HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150
=================================
Candidate: CAN-1999-0307
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hpux-cstm-bo

Buffer overflow in HP-UX cstm program allows local users to gain root privileges.
VOTES:
  ACCEPT(2) Northcutt, Frech
  NOOP(3) Shostack, Prosser, Baker
COMMENTS:
  Prosser> only ref I can find is an old SOD exploit on
  Prosser> www.outpost9.com
=================================
Candidate: CAN-1999-0317
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:su-bo

Buffer overflow in Linux su command gives root access to local users.

VOTES:
  ACCEPT(3) Northcutt, Hill, Frech
  NOOP(1) Prosser
=================================
Candidate: CAN-1999-0318
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:xmcd-envbo

Buffer overflow in xmcd 2.0p12 allows local users to gain access through an environmental variable.

VOTES:
  ACCEPT(3) Northcutt, Hill, Frech
  NOOP(1) Prosser
=================================
Candidate: CAN-1999-0319
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:xmcd-tiflestr

Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting.

VOTES:
  ACCEPT(3) Northcutt, Hill, Frech
  NOOP(1) Prosser
=================================
Candidate: CAN-1999-0322
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-97:05
Reference: XF:freebsd-open

The open() function in FreeBSD allows local attackers to write to arbitrary files.

VOTES:
  ACCEPT(3) Hill, Frech, Northcutt
=================================
Candidate: CAN-1999-0323
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:04

FreeBSD mmap function allows users to modify append-only or immutable files.
VOTES:
  ACCEPT(2) Hill, Northcutt
  REVIEWING(1) Frech
COMMENTS:
  Frech> probably XF:bsd-mmap
=================================
Candidate: CAN-1999-0330
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF

Linux bdash game has a buffer overflow that allows local users to gain root access.

VOTES:
  MODIFY(1) Frech
  NOOP(3) Northcutt, Shostack, Wall
COMMENTS:
  Frech> XF:bdash-bo
=================================
Candidate: CAN-1999-0331
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:msie-bo

Buffer overflow in Internet Explorer 4.0(1)

VOTES:
  ACCEPT(2) Northcutt, Baker
  MODIFY(2) Shostack, Frech
  RECAST(1) Prosser
COMMENTS:
  Shostack> this is a high cardinality item
  Prosser> needs to be more specific.
  Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague
  Frech> duplicate)
  Frech> Description (from xfdb): Some versions of Internet Explorer for Windows
  Frech> contain a vulnerability that may crash the browser when a malicious web site
  Frech> contains a certain kind of URL (that begins with "mk://") with more
  Frech> characters than the browser supports.
=================================
Candidate: CAN-1999-0333
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK
Reference: HP:HPSBUX9810-085
Reference: XF:omniback-remote

HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack.
Modifications:
  ADDREF HP:HPSBUX9810-085

VOTES:
  ACCEPT(1) Frech
  MODIFY(1) Prosser
  RECAST(1) Christey
COMMENTS:
  Prosser> additional source
  Prosser> HP Security Bulletin 85
  Prosser> http://us-support.external.hp.com
  Prosser> http://europe-support.external.hp.com
  Christey> Two separate bugs, so SF-LOC says this candidate should be
  Christey> split
=================================
Candidate: CAN-1999-0336
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hpux-mstm-bo

Buffer overflow in mstm in HP-UX allows local users to gain root access.

VOTES:
  ACCEPT(2) Northcutt, Frech
  NOOP(3) Shostack, Prosser, Baker
COMMENTS:
  Prosser> same as CAN-1999-0307, only ref I can find is an old SOD
  Prosser> exploit on www.outpost9.com
=================================
Candidate: CAN-1999-0343
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:palace-execute

A malicious Palace server can force a client to execute arbitrary programs.

VOTES:
  ACCEPT(2) Northcutt, Baker
  MODIFY(1) Frech
  NOOP(2) Shostack, Prosser
COMMENTS:
  Shostack> The description worries me. Can force any client? Can force an
  Shostack> overly trusting client?
  Frech> XF reference above is obsolete; replace with
  Frech> XF:palace-malicious-servers-vuln
=================================
Candidate: CAN-1999-0345
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.

VOTES:
  MODIFY(1) Wall
  NOOP(1) Northcutt
COMMENTS:
  Wall> Invalid ICMP datagram fragments cause a denial of service in Windows 95 and
  Wall> Windows NT systems.
  Wall> Reference: Q154174.
  Wall> Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death.
  Wall> It is a modified teardrop 2 attack.
=================================
Candidate: CAN-1999-0347
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan26,1999
Reference: NTBUGTRAQ:Jan28,1999

Javascript bug in Internet Explorer 4.01 by adding %01URL allows reading local files and spoofing of web pages from other sites.

VOTES:
  ACCEPT(2) Northcutt, Levy
  MODIFY(1) Prosser
  REVIEWING(1) Frech
COMMENTS:
  Prosser> this is a modified Cross-Frame vulnerability that circumvents
  Prosser> the original Cross-Frame Patch. Addressed in MS Bulletin MS99.012
  Prosser> http://www.microsoft.com/security/bulletins/ms99-012.asp
=================================
Candidate: CAN-1999-0352
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-passwd-encrypt

ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.

VOTES:
  ACCEPT(2) Baker, Frech
  NOOP(2) Wall, Northcutt
  RECAST(1) Ozancin
COMMENTS:
  Ozancin> Can we combine this with CAN-1999-0356 - ControlIT(tm) 4.5 and earlier uses
  Ozancin> weak encryption.
=================================
Candidate: CAN-1999-0354
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:Jan27,1999
Reference: MS:MS99-002

Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message.
VOTES:
  ACCEPT(1) Wall
  REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0356
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-bookfile-access

ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.

VOTES:
  ACCEPT(2) Baker, Frech
  NOOP(2) Wall, Northcutt
  RECAST(1) Ozancin
=================================
Candidate: CAN-1999-0358
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan29,1999
Reference: COMPAQ:SSRT0583U

Digital Unix 4.0 has a buffer overflow in the inc program of the mh package.

VOTES:
  ACCEPT(3) Shostack, Northcutt, Hill
  MODIFY(2) Prosser, Frech
COMMENTS:
  Prosser> Ref'd SSRT has an 'at' vulnerable as well supposedly fixed by
  Prosser> the patch. Shouldn't this be included as a separate CVE in this
  Prosser> cluster? ref:BugTraq "Digital Unix Buffer Overflows: Exploits" from
  Prosser> Lamont Granquist for both as well.
  Frech> Reference: XF:du-inc
=================================
Candidate: CAN-1999-0360
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan29,1999
Reference: NTBUGTRAQ:Jan29,1999

MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely.

VOTES:
  ACCEPT(2) Northcutt, Wall
  NOOP(1) Prosser
  REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0361
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan29,1999

NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.
VOTES:
  NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0364
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb04,1999

Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.

VOTES:
  NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0370
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00184

In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files.

VOTES:
  ACCEPT(2) Northcutt, Prosser
  MODIFY(1) Frech
COMMENTS:
  Frech> Reference: XF:sun-man
=================================
Candidate: CAN-1999-0378
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb22,1999

InterScan VirusWall for Solaris doesn't scan files for viruses when a single HTTP request includes two GET commands.

VOTES:
=================================
Candidate: CAN-1999-0380
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb25,1999
Reference: SF:497

SLMail 3.2 or 3.1 allows local users to access any file in the NTFS file system when the Remote Administration Service (RAS) is enabled.

VOTES:
  ACCEPT(2) Wall, Ozancin
  REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0381
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb26,1999
Reference: Sekure:SUPER's log function buffer overflow
Reference: XF:linux-super-logging-bo
Reference: SF:342

super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.

VOTES:
  ACCEPT(2) Ozancin, Frech
  NOOP(2) Wall, Christey
COMMENTS:
  Christey> Is this the same as CVE-1999-0373?
  Christey> They both have the same
  Christey> X-Force reference
=================================
Candidate: CAN-1999-0387
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

A legacy credential caching mechanism used in Windows 95 and Windows 98 systems allowed attackers to read plaintext network passwords.

VOTES:
=================================
Candidate: CAN-1999-0393
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Dec12,1999

Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers.

VOTES:
=================================
Candidate: CAN-1999-0394
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan15,1999

DPEC Online Courseware allows an attacker to change another user's password without knowing the original password.

VOTES:
=================================
Candidate: CAN-1999-0395
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: ISS:Vulnerability in the BackWeb Polite Agent Protocol

A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server.

VOTES:
  ACCEPT(1) Hill
  MODIFY(1) Frech
  NOOP(2) Northcutt, Landfield
COMMENTS:
  Frech> XF:backweb-polite-agent-protocol
=================================
Candidate: CAN-1999-0397
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: L0PHT:Jan21,1999
Reference: BUGTRAQ:Jan21,1999

The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.
VOTES:
  ACCEPT(1) Northcutt
  REJECT(1) Wall
=================================
Candidate: CAN-1999-0398
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Jan23,1999

In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login.

VOTES:
=================================
Candidate: CAN-1999-0399
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Jan24,1999

The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands.

VOTES:
=================================
Candidate: CAN-1999-0400
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF

Denial of service in Linux 2.2.0 running the ldd command on a core file.

VOTES:
=================================
Candidate: CAN-1999-0401
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Feb2,1999

A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.

VOTES:
=================================
Candidate: CAN-1999-0403
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Feb4,1999
Reference: XF:cyrix-hang

A bug in Cyrix CPUs on Linux allows local users to perform a denial of service.
VOTES:
  ACCEPT(1) Northcutt
  NOOP(1) Wall
=================================
Candidate: CAN-1999-0406
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:digital-networker-bo

Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege.

VOTES:
=================================
Candidate: CAN-1999-0407
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Feb19,1999

By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system.

VOTES:
=================================
Candidate: CAN-1999-0408
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:cobalt-raq-history-exposure
Reference: SF:337

Files created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server.

VOTES:
  ACCEPT(2) Ozancin, Frech
  NOOP(1) Wall
=================================
Candidate: CAN-1999-0409
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Mar4,1999
Reference: XF:gnuplot-home-overflow
Reference: SF:319

Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access.
VOTES:
  ACCEPT(2) Ozancin, Frech
  NOOP(1) Wall
=================================
Candidate: CAN-1999-0411
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:sco-startup-scripts

Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access.

VOTES:
  MODIFY(1) Frech
  NOOP(1) Wall
COMMENTS:
 Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not
 Frech> 19 February) mentions gaining root access... it says a local user could
 Frech> "delete or overwrite arbitrary files on the system."
=================================
Candidate: CAN-1999-0415
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990623  Assigned: 19990607  Category: SF
Reference: ISS:Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers

The Clickstart web server in Cisco 700 series routers allows remote attackers to execute commands on the router, or perform information gathering, without authentication.

VOTES:
  MODIFY(1) Frech
COMMENTS:
 Frech> Reference: ISS:March11,1999 (consistent with cluster 1, CAN-1999-0008)
 Frech> XF:cisco-router-commands
 Frech> XF:cisco-web-config
=================================
Candidate: CAN-1999-0416
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990623  Assigned: 19990607  Category: SF
Reference: ISS:Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers

The Clickstart web server in Cisco 700 series routers allows remote attackers to perform a denial of service.
VOTES:
  MODIFY(1) Frech
COMMENTS:
 Frech> Reference: ISS:March11,1999
 Frech> XF:cisco-web-crash
=================================
Candidate: CAN-1999-0419
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Mar17,1999

When the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service.

VOTES:
=================================
Candidate: CAN-1999-0421
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990630  Assigned: 19990607  Category: SF
Reference: ISS:Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations

During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password.

VOTES:
  ACCEPT(2) Hill, Northcutt
  MODIFY(1) Frech
COMMENTS:
 Frech> XF:linux-slackware-install
=================================
Candidate: CAN-1999-0426
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Mar19,1999

The default permissions of /dev/kmem in Linux versions before 2.0.36 allow IP spoofing.

VOTES:
=================================
Candidate: CAN-1999-0427
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Mar20,1999
Reference: XF:eudora-long-attachments

Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names.

VOTES:
=================================
Candidate: CAN-1999-0428
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Mar22,1999
Reference: XF:ssl-session-reuse

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions.
VOTES:
  ACCEPT(2) Wall, Frech
=================================
Candidate: CAN-1999-0429
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: CF
Reference: BUGTRAQ:Mar23,1999
Reference: XF:lotus-client-encryption

The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the "Encrypt Saved Mail" preference.

VOTES:
  ACCEPT(2) Ozancin, Frech
  NOOP(1) Wall
=================================
Candidate: CAN-1999-0431
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Mar24,1999

Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.

VOTES:
=================================
Candidate: CAN-1999-0434
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Mar31,1999
Reference: SF:359

XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

VOTES:
=================================
Candidate: CAN-1999-0435
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990623  Assigned: 19990607  Category: SF
Reference: HP:HPSBUX9903-096

MC/ServiceGuard and MC/LockManager in HP-UX allow local users to gain privileges through SAM.

VOTES:
  MODIFY(1) Frech
COMMENTS:
 Frech> XF:hp-servicegaurd
=================================
Candidate: CAN-1999-0439
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Apr4,1999
Reference: XF:procmail-overflow

Buffer overflow in procmail before version 3.12 allows remote execution, or local attackers to gain privileges.

VOTES:
  ACCEPT(1) Ozancin
  MODIFY(1) Frech
  NOOP(1) Wall
COMMENTS:
 Frech> Poorly summarized. See procmail-overflow.
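Several candidates above (CAN-1999-0411, the SCO startup scripts, and CAN-1999-0434, the XFree86 xfs server) are the same bug pattern: a privileged program opens a predictable path in a directory a local user can write to, and follows whatever symlink that user planted there. The following is an added illustration, not code from this list or from any of the products named; it stages the attack in a scratch directory instead of /tmp, runs a naive writer and a hardened writer against the planted link, and reports what happened to the "victim" file. The file names and the writer functions are assumptions for the demo.

```python
"""
Added example: the symlink attack behind CAN-1999-0411 / CAN-1999-0434 and the
open() flags that defeat it.  Everything happens under a temporary directory;
no real system file is touched.
"""
import os
import tempfile

# O_NOFOLLOW is POSIX but not universal; on a platform without it, O_EXCL alone
# still rejects a symlink at the final path component.
_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def naive_write(path: str, data: bytes) -> None:
    """Vulnerable pattern: O_CREAT without O_EXCL follows a symlink at `path`
    and truncates/creates whatever it points at, with the caller's privilege."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def safe_write(path: str, data: bytes) -> None:
    """Hardened pattern: O_EXCL refuses any pre-existing name (a symlink counts,
    even a dangling one) and O_NOFOLLOW refuses to traverse a link at the final
    component.  Either condition raises OSError instead of writing."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | _NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def simulate(writer, dangling: bool = False) -> dict:
    """Plant a symlink at the 'predictable' path the privileged program trusts,
    pointing at a victim file (existing, or not yet existing if `dangling`),
    run `writer` on the predictable path and report the outcome."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")     # stands in for /etc/passwd etc.
        if not dangling:
            with open(victim, "wb") as f:
                f.write(b"original contents\n")
        predictable = os.path.join(d, "lockfile")  # e.g. a fixed name under /tmp
        os.symlink(victim, predictable)            # attacker wins the race first
        try:
            writer(predictable, b"attacker-controlled\n")
            raised = False
        except OSError:
            raised = True
        exists = os.path.exists(victim)
        content = open(victim, "rb").read() if exists else None
        return {
            "raised": raised,
            "victim_exists": exists,
            "victim_tampered": content == b"attacker-controlled\n",
        }


if __name__ == "__main__":
    for name, w in (("naive", naive_write), ("safe", safe_write)):
        print(name, "existing:", simulate(w), "dangling:", simulate(w, dangling=True))
```

The dangling case is the one the xfs candidate describes ("create files in restricted directories"): the naive writer happily creates the link target. For real temporary files the right tool is `tempfile.mkstemp()` (which uses exactly these flags plus an unpredictable name) or a directory that is not world-writable; the point of the hardened function is that a predictable name is only safe if creation is exclusive and non-following.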
=================================
Candidate: CAN-1999-0440
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Apr4,1999
Reference: XF:java-unverified-code

The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages.

VOTES:
  ACCEPT(2) Ozancin, Frech
  REVIEWING(1) Wall
=================================
Candidate: CAN-1999-0443
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Apr9,1999
Reference: XF:bmc-patrol-replay

Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password.

VOTES:
=================================
Candidate: CAN-1999-0444
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Apr12,1999

Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files.

VOTES:
=================================
Candidate: CAN-1999-0450
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Jan22,1999
Reference: SF:194

In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe).

VOTES:
  ACCEPT(2) Wall, Ozancin
  REVIEWING(1) Frech
COMMENTS:
 Frech> Can't find in database.
=================================
Candidate: CAN-1999-0451
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Jan19,1999
Reference: SF:343

Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.
VOTES:
  ACCEPT(1) Ozancin
  NOOP(1) Wall
  REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0452
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: SF

A service or application has a backdoor password that was placed there by the developer.

VOTES:
  ACCEPT(1) Wall
  REJECT(1) Frech
COMMENTS:
 Frech> Much too broad. Also may be HIGHCARD (or will be in the future).
=================================
Candidate: CAN-1999-0453
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF

An attacker can identify a Cisco device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP).

VOTES:
  NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0454
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF

A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.

VOTES:
  NOOP(1) Wall
  REJECT(1) Northcutt
COMMENTS:
 Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced
 Northcutt> ways to accomplish this. To pursue making the world signature free
 Northcutt> is as much a vulnerability as having signatures, nay more.
=================================
Candidate: CAN-1999-0455
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: SF
Reference: ALLAIRE:ASB-001
Reference: XF:coldfusion-expression-evaluator
Reference: SF:115

The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server.
VOTES:
  ACCEPT(2) Ozancin, Frech
  MODIFY(1) Wall
COMMENTS:
 Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues)
 Wall> make application plural since there are three sample applications
 Wall> (openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm).
=================================
Candidate: CAN-1999-0459
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: XF:linux-milo-halt

Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot.

VOTES:
  NOOP(1) Northcutt
  REJECT(1) Wall
=================================
Candidate: CAN-1999-0460
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Feb18,1999
Reference: SF:312

Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service.

VOTES:
  ACCEPT(1) Ozancin
  NOOP(1) Wall
  REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0461
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF

Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address.

VOTES:
=================================
Candidate: CAN-1999-0462
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Jan14,1999
Reference: SF:339

suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. a CD-ROM or floppy disk.

VOTES:
=================================
Candidate: CAN-1999-0464
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF

Local users can perform a denial of service in Tripwire 1.2 and earlier using long filenames.
VOTES:
=================================
Candidate: CAN-1999-0465
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: XF:http-img-overflow

Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter.

VOTES:
  ACCEPT(1) Northcutt
  REJECT(1) Wall
=================================
Candidate: CAN-1999-0467
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990623  Assigned: 19990607  Category: SF
Reference: XF:http-cgi-webcom-guestbook

The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the template key.

VOTES:
  ACCEPT(2) Frech, Landfield
  NOOP(1) Northcutt
  REVIEWING(1) Christey
COMMENTS:
 Christey> Appears to be a duplicate of CAN-1999-0287
=================================
Candidate: CAN-1999-0469
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: XF:ie-window-spoof
Reference: BUGTRAQ:Apr9,1999

Internet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client.

VOTES:
  ACCEPT(1) Wall
  NOOP(1) Northcutt
COMMENTS:
 Wall> Reference: Microsoft Security Bulletin MS99-012
=================================
Candidate: CAN-1999-0470
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990721  Assigned: 19990607  Category: SF
Reference: XF:netware-remotenlm-passwords
Reference: BUGTRAQ:Apr9,1999

A weak encryption algorithm is used for passwords in Novell Remote.NLM, allowing them to be easily decrypted.
VOTES:
  ACCEPT(5) Wall, Northcutt, Baker, Ozancin, Frech
=================================
Candidate: CAN-1999-0476
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990721  Assigned: 19990607  Category: SF
Reference: XF:sco-termvision-password

A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user.

VOTES:
  ACCEPT(3) Baker, Ozancin, Frech
  NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0477
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: SF
Reference: L0PHT:Cold Fusion App Server
Reference: XF:coldfusion-expression-evaluator
Reference: SF:115

The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to execute commands by uploading a file.

VOTES:
  ACCEPT(3) Ozancin, Christey, Frech
  REJECT(1) Wall
COMMENTS:
 Wall> Duplicate of 0455
 Christey> CAN-1999-0477 and CAN-1999-0455 were discovered at different
 Christey> times. Also, the attack was different. So "Same Attack" and
 Christey> "Same Time of Discovery" dictate that these should remain
 Christey> separate.
=================================
Candidate: CAN-1999-0480
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Apr15,1999

Local attackers can conduct a denial of service in Midnight Commander 4.x with a symlink attack.

VOTES:
=================================
Candidate: CAN-1999-0486
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Apr20,1999

Denial of service in AOL Instant Messenger when a remote attacker sends a malicious hyperlink to the receiving client, potentially causing a system crash.
VOTES:
=================================
Candidate: CAN-1999-0488
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990623  Assigned: 19990607  Category: SF
Reference: MS:MS99-012

MSHTML.DLL in Internet Explorer allows a remote attacker to execute security scripts in a different security context, using malicious URLs.

VOTES:
  ACCEPT(1) Landfield
  MODIFY(2) Frech, Wall
COMMENTS:
 Frech> XF:ie-mshtml-crossframe
 Wall> (source: MSKB:Q168485)
=================================
Candidate: CAN-1999-0489
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990623  Assigned: 19990607  Category: SF
Reference: MS:MS99-012

MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to read the contents of a user's clipboard, aka untrusted scripted paste.

VOTES:
  ACCEPT(1) Levy
  MODIFY(1) Wall
  RECAST(1) Prosser
  REVIEWING(1) Frech
COMMENTS:
 Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a
 Frech> clipboard in either.
 Frech> I cannot proceed on this one without further clarification.
 Wall> (source: MS:MS99-012)
 Prosser> agree with Andre here. The Untrusted Scripted paste
 Prosser> vulnerability was originally addressed in MS98-015 and it is in the file
 Prosser> upload intrinsic control in which an attacker can paste the name of a file
 Prosser> on the target's drive in the control and a form submission would then send
 Prosser> that file from the attacked machine to the remote web site. This one has
 Prosser> nothing to do with the clipboard. What the advisory mentioned here,
 Prosser> MS99-012, does is replace the MSHTML parsing engine which is supposed to fix
 Prosser> the original Untrusted Scripted Paste issue and a variant, as well as the
 Prosser> two Cross-Frame variants and a privacy issue in IMG SRC.
 Prosser> The vulnerability that allowed reading of a user's clipboard is the Forms
 Prosser> 2.0 Active X control vulnerability discussed in MS99-01
=================================
Candidate: CAN-1999-0490
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990623  Assigned: 19990607  Category: SF
Reference: MS:MS99-012

MSHTML.DLL in Internet Explorer allows a remote attacker to learn information about a local user's files.

VOTES:
  ACCEPT(2) Wall, Landfield
  MODIFY(1) Frech
COMMENTS:
 Frech> XF:ie-scriplet-fileread
=================================
Candidate: CAN-1999-0491
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Apr20,1999
Reference: SF:119

The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute.

VOTES:
=================================
Candidate: CAN-1999-0492
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: SF
Reference: BUGTRAQ:Apr23,1999

ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses.

VOTES:
  ACCEPT(1) Northcutt
  MODIFY(1) Shostack
  REVIEWING(1) Frech
COMMENTS:
 Shostack> isn't that what finger is supposed to do?
=================================
Candidate: CAN-1999-0493
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF

A remote attacker can bounce RPC calls through rpc.statd.

VOTES:
  ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0495
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: SF

A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares.
VOTES:
  ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0497
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: CF

Anonymous FTP is enabled.

VOTES:
  ACCEPT(1) Shostack
  REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0498
Published:  Final-Decision:  Interim-Decision:  Modified: 19990925-01
Proposed: 19990630  Assigned: 19990607  Category: CF
Reference: CERT:CA-91.18.Active.Internet.tftp.Attacks

TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files.

Modifications:
  ADDREF CERT:CA-91.18.Active.Internet.tftp.Attacks

VOTES:
  ACCEPT(3) Hill, Blake, Northcutt
  MODIFY(1) Frech
  NOOP(1) Christey
COMMENTS:
 Frech> XF:linux-tftp
 Christey> XF:linux-tftp refers to CAN-1999-0183
=================================
Candidate: CAN-1999-0499
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990721  Assigned: 19990607  Category: CF

NETBIOS share information may be published through SNMP registry keys in NT.

VOTES:
  ACCEPT(5) Wall, Northcutt, Baker, Shostack, Ozancin
  MODIFY(1) Frech
COMMENTS:
 Frech> Change wording to 'Windows NT.'
 Frech> XF:snmp-netbios
=================================
Candidate: CAN-1999-0501
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990714  Assigned: 19990607  Category: CF

A Unix account has a guessable password.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0502
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990714  Assigned: 19990607  Category: CF

A Unix account has a default, null, blank, or missing password.
VOTES:
  ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0503
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990714  Assigned: 19990607  Category: CF

A Windows NT local user or administrator account has a guessable password.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0504
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990714  Assigned: 19990607  Category: CF

A Windows NT local user or administrator account has a default, null, blank, or missing password.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0505
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990714  Assigned: 19990607  Category: CF

A Windows NT domain user or administrator account has a guessable password.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0506
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990714  Assigned: 19990607  Category: CF

A Windows NT domain user or administrator account has a default, null, blank, or missing password.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0507
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990714  Assigned: 19990607  Category: CF

An account on a router, firewall, or other network device has a guessable password.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0508
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990714  Assigned: 19990607  Category: CF

An account on a router, firewall, or other network device has a default, null, blank, or missing password.
VOTES:
  ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0509
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990803  Assigned: 19990607  Category: CF

Perl, sh, csh, or other shell interpreters are accessible on a WWW site.

VOTES:
  ACCEPT(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0510
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: CF

A router or firewall allows source routed packets from arbitrary hosts.

VOTES:
  ACCEPT(1) Northcutt
  MODIFY(1) Frech
COMMENTS:
 Frech> XF:source-routing
=================================
Candidate: CAN-1999-0511
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: CF

IP forwarding is enabled on a machine which is not a router or firewall.

VOTES:
  ACCEPT(1) Northcutt
  MODIFY(1) Frech
COMMENTS:
 Frech> XF:ip-forwarding
=================================
Candidate: CAN-1999-0512
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: CF

Mail relay is enabled, allowing abuse by spammers.

VOTES:
  ACCEPT(2) Northcutt, Shostack
=================================
Candidate: CAN-1999-0515
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: CF

An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv.

VOTES:
  ACCEPT(1) Northcutt
  REJECT(1) Shostack
COMMENTS:
 Shostack> Overly broad
=================================
Candidate: CAN-1999-0516
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990714  Assigned: 19990607  Category: CF

An SNMP community name is guessable.
VOTES:
  ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0517
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990714  Assigned: 19990607  Category: CF

An SNMP community name is the default (e.g. public), null, or missing.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0518
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990714  Assigned: 19990607  Category: CF

A NETBIOS/SMB share password is guessable.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0519
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990714  Assigned: 19990607  Category: CF

A NETBIOS/SMB share password is the default, null, or missing.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0520
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990803  Assigned: 19990607  Category: CF

A system-critical NETBIOS/SMB share has inappropriate access control.

VOTES:
  ACCEPT(1) Wall
  RECAST(1) Northcutt
COMMENTS:
 Northcutt> I think we need to enumerate the shares and or the access control
=================================
Candidate: CAN-1999-0521
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990714  Assigned: 19990607  Category: CF

An NIS domain name is easily guessable.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0522
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990803  Assigned: 19990607  Category: CF
Reference: CERT:CA-96.10

The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate.
VOTES:
  ACCEPT(1) Wall
  RECAST(1) Northcutt
COMMENTS:
 Northcutt> Why not say world readable, this is what you do further down in the
 Northcutt> file (world exportable in CAN-1999-0554)
=================================
Candidate: CAN-1999-0523
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: CF

ICMP echo (ping) is allowed from arbitrary hosts.

VOTES:
  REJECT(1) Northcutt
  REVIEWING(1) Frech
COMMENTS:
 Northcutt> (Though I sympathize with this one :)
=================================
Candidate: CAN-1999-0524
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: CF

ICMP information such as netmask and timestamp is allowed from arbitrary hosts.

VOTES:
  MODIFY(1) Frech
  REJECT(1) Northcutt
COMMENTS:
 Frech> XF:icmp-timestamp
 Frech> XF:icmp-netmask
=================================
Candidate: CAN-1999-0525
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: CF

IP traceroute is allowed from arbitrary hosts.

VOTES:
  MODIFY(1) Frech
  REJECT(1) Northcutt
COMMENTS:
 Frech> XF:traceroute
=================================
Candidate: CAN-1999-0527
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990803  Assigned: 19990607  Category: CF

The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten.

VOTES:
  ACCEPT(2) Wall, Northcutt
COMMENTS:
 Northcutt> That that starts to get specific :)
=================================
Candidate: CAN-1999-0528
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: CF

A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of.
VOTES:
  ACCEPT(1) Northcutt
  REVIEWING(1) Frech
COMMENTS:
 Frech> possibly XF:nisd-dns-fwd-check
=================================
Candidate: CAN-1999-0529
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: CF

A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc.

VOTES:
  REJECT(1) Northcutt
  REVIEWING(1) Frech
COMMENTS:
 Northcutt> I have seen ISPs "assign" private addresses within their domain
=================================
Candidate: CAN-1999-0530
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: CF

A system is operating in "promiscuous" mode which allows it to perform packet sniffing.

VOTES:
  ACCEPT(1) Northcutt
  REJECT(1) Shostack
=================================
Candidate: CAN-1999-0531
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990728  Assigned: 19990607  Category: CF

An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO.

VOTES:
  RECAST(1) Shostack
  REJECT(1) Northcutt
COMMENTS:
 Shostack> I think expn != vrfy, help, esmtp.
=================================
Candidate: CAN-1999-0532
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: CF

A DNS server allows zone transfers.

VOTES:
  MODIFY(1) Frech
  REJECT(1) Northcutt
COMMENTS:
 Northcutt> (With split DNS implementations this is quite appropriate)
 Frech> XF:dns-zonexfer
=================================
Candidate: CAN-1999-0533
Published:  Final-Decision:  Interim-Decision:  Modified:
Proposed: 19990726  Assigned: 19990607  Category: CF

A DNS server allows inverse queries.
VOTES:
   MODIFY(1) Frech
   REJECT(1) Northcutt
COMMENTS:
 Northcutt> (rule of thumb)
 Frech> XF:dns-iquery

=================================
Candidate: CAN-1999-0534
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   CF

A Windows NT user has inappropriate rights or privileges, e.g. Act as
System, Add Workstation, Backup, Change System Time, Create Pagefile,
Create Permanent Object, Create Token Name, Debug, Generate Security
Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory,
Profile Single Process, Remote Shutdown, Replace Process Token, Restore,
System Environment, Take Ownership, or Unsolicited Input.

VOTES:
   ACCEPT(5) Wall, Baker, Shostack, Ozancin, Christey
   MODIFY(2) Northcutt, Frech
COMMENTS:
 Northcutt> If we are going to write a laundry list put access to the scheduler in it.
 Christey> The list of privileges is very useful for lookup.
 Frech> XF:nt-create-token
 Frech> XF:nt-replace-token
 Frech> XF:nt-lock-memory
 Frech> XF:nt-increase-quota
 Frech> XF:nt-unsol-input
 Frech> XF:nt-act-system
 Frech> XF:nt-create-object
 Frech> XF:nt-sec-audit
 Frech> XF:nt-add-workstation
 Frech> XF:nt-manage-log
 Frech> XF:nt-take-owner
 Frech> XF:nt-load-driver
 Frech> XF:nt-profile-system
 Frech> XF:nt-system-time
 Frech> XF:nt-single-process
 Frech> XF:nt-increase-priority
 Frech> XF:nt-create-pagefile
 Frech> XF:nt-backup
 Frech> XF:nt-restore
 Frech> XF:nt-debug
 Frech> XF:nt-system-env
 Frech> XF:nt-remote-shutdown

=================================
Candidate: CAN-1999-0535
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   CF

A Windows NT account policy for passwords has inappropriate,
security-critical settings, e.g. for password length, password age, or
uniqueness.

VOTES:
   ACCEPT(2) Wall, Shostack
   MODIFY(2) Baker, Frech
   RECAST(2) Northcutt, Ozancin
COMMENTS:
 Northcutt> inappropriate implies there is appropriate. As a guy who has been
 Northcutt> monitoring
 Northcutt> networks for years I have deep reservations about justifying the existence
 Northcutt> of any fixed cleartext password. For appropriate to exist, some "we" would
 Northcutt> have to establish some criteria for appropriate passwords.
 Baker> Perhaps this could be re-worded a bit. The CVE CAN-1999-0582
 Baker> specifies "...settings for lockouts". To remain consistent with the
 Baker> other, maybe it should specify "...settings for passwords". I think
 Baker> most people would agree that passwords should be at least 8
 Baker> characters; contain letters (upper and lowercase), numbers and at
 Baker> least one non-alphanumeric; should only be good a limited time 30-90
 Baker> days; and should not contain character combinations from user's prior
 Baker> 2 or 3 passwords.
 Baker> Suggested rewrite -
 Baker> A Windows NT account policy does not enforce reasonable minimum
 Baker> security-critical settings for passwords, e.g. passwords of sufficient
 Baker> length, periodic required password changes, or new password uniqueness
 Ozancin> What is appropriate?
 Frech> XF:nt-autologonpwd
 Frech> XF:nt-pwlen
 Frech> XF:nt-maxage
 Frech> XF:nt-minage
 Frech> XF:nt-pw-history
 Frech> XF:nt-user-pwnoexpire
 Frech> XF:nt-unknown-pwdfilter
 Frech> XF:nt-pwd-never-expire
 Frech> XF:nt-pwd-nochange
 Frech> XF:nt-pwdcache-enable
 Frech> XF:nt-guest-change-passwords

=================================
Candidate: CAN-1999-0537
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990726
Assigned:   19990607
Category:   CF

A configuration in a web browser such as Internet Explorer or Netscape
Navigator allows execution of active content such as ActiveX, Java,
Javascript, etc.

VOTES:
   ACCEPT(1) Wall
   RECAST(1) Frech
COMMENTS:
 Frech> Good candidate for dot notation.
 Frech> XF:nav-java-enabled
 Frech> XF:nav-javascript-enabled
 Frech> XF:ie-active-content
 Frech> XF:ie-active-download
 Frech> XF:ie-active-scripting
 Frech> XF:ie-activex-execution
 Frech> XF:ie-java-enabled
 Frech> XF:netscape-javascript
 Frech> XF:netscape-java
 Frech> XF:zone-active-scripting
 Frech> XF:zone-activex-execution
 Frech> XF:zone-desktop-install
 Frech> XF:zone-low-channel
 Frech> XF:zone-file-download
 Frech> XF:zone-file-launch
 Frech> XF:zone-java-scripting
 Frech> XF:zone-low-java
 Frech> XF:zone-safe-scripting
 Frech> XF:zone-unsafe-scripting

=================================
Candidate: CAN-1999-0539
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

A trust relationship exists between two Unix hosts.

VOTES:
   REJECT(2) Northcutt, Shostack
COMMENTS:
 Northcutt> Too non-specific

=================================
Candidate: CAN-1999-0541
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990714
Assigned:   19990607
Category:   CF

A password for accessing a WWW URL is guessable.

VOTES:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker

=================================
Candidate: CAN-1999-0546
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   CF

The Windows NT guest account is enabled.

VOTES:
   ACCEPT(5) Wall, Northcutt, Baker, Shostack, Ozancin
   MODIFY(1) Frech
COMMENTS:
 Frech> XF:nt-guest-account

=================================
Candidate: CAN-1999-0547
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

An SSH server allows authentication through the .rhosts file.

VOTES:
   ACCEPT(1) Shostack
   NOOP(1) Northcutt

=================================
Candidate: CAN-1999-0548
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

A superfluous NFS server is running, but it is not importing or exporting
any file systems.
VOTES:
   ACCEPT(1) Shostack
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0549
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990630
Assigned:   19990607
Category:   CF

Windows NT automatically logs in an administrator upon rebooting.

VOTES:
   ACCEPT(1) Hill
   MODIFY(1) Blake
   NOOP(1) Wall
   REVIEWING(1) Frech
COMMENTS:
 Wall> Don't know what this is. Don't think it is a vulnerability and would
 Wall> initially reject. This is different than just renaming the
 Wall> administrator account.
 Frech> Would appreciate more information on this one, as in a reference.
 Blake> Reference: XF:nt-autologin

=================================
Candidate: CAN-1999-0550
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990726
Assigned:   19990607
Category:   CF

A router's routing tables can be obtained from arbitrary hosts.

VOTES:
   MODIFY(1) Frech
   RECAST(1) Northcutt
COMMENTS:
 Northcutt> Don't you mean obtained by arbitrary hosts
 Frech> XF:routed
 Frech> XF:decod-rip-entry
 Frech> XF:rip

=================================
Candidate: CAN-1999-0554
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990803
Assigned:   19990607
Category:   CF

NFS exports system-critical data to the world, e.g. / or a password file.

VOTES:
   ACCEPT(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0555
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

A Unix account with a name other than "root" has UID 0, i.e. root
privileges.

VOTES:
   REJECT(2) Northcutt, Shostack
COMMENTS:
 Northcutt> This is very bogus

=================================
Candidate: CAN-1999-0556
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

Two or more Unix accounts have the same UID.

VOTES:
   REJECT(2) Northcutt, Shostack

=================================
Candidate: CAN-1999-0559
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990803
Assigned:   19990607
Category:   CF

A system-critical Unix file or directory has inappropriate permissions.

VOTES:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
COMMENTS:
 Northcutt> Writable other than by root/bin/wheelgroup?

=================================
Candidate: CAN-1999-0560
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990803
Assigned:   19990607
Category:   CF

A system-critical Windows NT file or directory has inappropriate
permissions.

VOTES:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
COMMENTS:
 Northcutt> I think we should specify these

=================================
Candidate: CAN-1999-0561
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

IIS has the #exec function enabled for Server Side Include (SSI) files.

VOTES:
   NOOP(1) Northcutt
   RECAST(1) Shostack

=================================
Candidate: CAN-1999-0562
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   CF

The registry in Windows NT can be accessed remotely by users who are not
administrators.

VOTES:
   ACCEPT(4) Wall, Baker, Shostack, Ozancin
   MODIFY(1) Frech
   RECAST(1) Northcutt
COMMENTS:
 Northcutt> This isn't all or nothing, users may be allowed to access part of the
 Northcutt> registry.
 Frech> XF:nt-winreg-all
 Frech> XF:nt-winreg-net

=================================
Candidate: CAN-1999-0564
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

An attacker can force a printer to print arbitrary documents (e.g. if the
printer doesn't require a password) or to become disabled.

VOTES:
   ACCEPT(1) Shostack
   NOOP(1) Northcutt

=================================
Candidate: CAN-1999-0565
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

A Sendmail alias allows input to be piped to a program.

VOTES:
   ACCEPT(1) Northcutt
   RECAST(1) Shostack
COMMENTS:
 Shostack> Is this a default alias? Is my .procmailrc an instance of this?

=================================
Candidate: CAN-1999-0568
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

rpc.admind in Solaris is not running in a secure mode.

VOTES:
   ACCEPT(1) Northcutt
   RECAST(1) Shostack
COMMENTS:
 Shostack> are there secure modes?

=================================
Candidate: CAN-1999-0569
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990803
Assigned:   19990607
Category:   CF

A URL for a WWW directory allows auto-indexing, which provides a list of
all files in that directory.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt
COMMENTS:
 Northcutt> I do this intentionally sometimes in high content directories

=================================
Candidate: CAN-1999-0570
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.

VOTES:
   ACCEPT(1) Northcutt
   REJECT(1) Wall
COMMENTS:
 Northcutt> Here we are crossing into the best practices arena again. However since
 Northcutt> passfilt does establish a measurable standard and since we aren't the
 Northcutt> ones defining the standard, simply saying it should be employed I will
 Northcutt> vote for this.

=================================
Candidate: CAN-1999-0571
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990726
Assigned:   19990607
Category:   CF
Reference:  BUGTRAQ:Feb5,1999

A router allows arbitrary hosts to connect to its configuration service,
or related services such as telnet.

VOTES:
   NOOP(1) Northcutt
   REVIEWING(1) Frech

=================================
Candidate: CAN-1999-0572
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   CF

.reg files are associated with the Windows NT registry editor, making the
registry susceptible to Trojan Horse attacks.

VOTES:
   ACCEPT(4) Wall, Baker, Shostack, Ozancin
   MODIFY(1) Frech
   NOOP(1) Northcutt
COMMENTS:
 Northcutt> I don't quite get what this means, sorry
 Frech> XF:nt-regfile

=================================
Candidate: CAN-1999-0575
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   CF

A Windows NT system's user audit policy does not log an event success or
failure, e.g. for Logon and Logoff, File and Object Access, Use of User
Rights, User and Group Management, Security Policy Changes, Restart,
Shutdown, and System, and Process Tracking.

VOTES:
   ACCEPT(4) Wall, Shostack, Ozancin, Christey
   MODIFY(1) Frech
   RECAST(1) Northcutt
   REVIEWING(1) Baker
COMMENTS:
 Northcutt> It isn't a great truth that you should enable all of the above, if you
 Northcutt> do you potentially introduce a vulnerability of filling up the file
 Northcutt> system with stuff you will never look at.
 Ozancin> It is far less interesting what a user does successfully than what they
 Ozancin> attempt and fail at.
 Christey> The list of event types is very useful for lookup.
 Frech> XF:nt-system-audit
 Frech> XF:nt-logon-audit
 Frech> XF:nt-object-audit
 Frech> XF:nt-privil-audit
 Frech> XF:nt-process-audit
 Frech> XF:nt-policy-audit
 Frech> XF:nt-account-audit

=================================
Candidate: CAN-1999-0576
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   CF

A Windows NT system's file audit policy does not log an event success or
failure for security-critical files or directories.
VOTES:
   ACCEPT(3) Wall, Baker, Shostack
   MODIFY(2) Ozancin, Frech
   REJECT(1) Northcutt
COMMENTS:
 Northcutt> 1.) Too general, are we ready to state what the security-critical files
 Northcutt> and directories are
 Northcutt> 2.) Do Ataris, Windows CE, PalmOS, Linux have such a capability
 Ozancin> Some files and directories are clearly understood to be critical. Others are
 Ozancin> unclear. We need to clarify what critical is.
 Frech> XF:nt-object-audit

=================================
Candidate: CAN-1999-0577
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   CF

A Windows NT system's file audit policy does not log an event success or
failure for non-critical files or directories.

VOTES:
   ACCEPT(2) Wall, Shostack
   MODIFY(2) Ozancin, Frech
   REJECT(1) Northcutt
   REVIEWING(1) Baker
COMMENTS:
 Ozancin> It is far less interesting what a user does successfully than what they
 Ozancin> attempt and fail at.
 Ozancin> Perhaps only failure should be logged.
 Frech> XF:nt-object-audit

=================================
Candidate: CAN-1999-0578
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   CF

A Windows NT system's registry audit policy does not log an event success
or failure for security-critical registry keys.

VOTES:
   ACCEPT(4) Wall, Baker, Shostack, Ozancin
   REJECT(1) Northcutt
   REVIEWING(1) Frech
COMMENTS:
 Ozancin> with reservation
 Ozancin> Again what is defined as critical

=================================
Candidate: CAN-1999-0579
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   CF

A Windows NT system's registry audit policy does not log an event success
or failure for non-critical registry keys.

VOTES:
   ACCEPT(3) Wall, Baker, Shostack
   MODIFY(1) Ozancin
   REJECT(1) Northcutt
   REVIEWING(1) Frech
COMMENTS:
 Ozancin> Again only failure may be of interest. It would be impractical to wade
 Ozancin> through the incredibly large amount of logging that this would generate. It
 Ozancin> could overwhelm log entries that you might find interesting.

=================================
Candidate: CAN-1999-0580
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990803
Assigned:   19990607
Category:   CF

The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate,
system-critical permissions.

VOTES:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
COMMENTS:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
 Northcutt> and see if you can't see a way to phrase specific keys in a way that
 Northcutt> defines inappropriate.

=================================
Candidate: CAN-1999-0581
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990803
Assigned:   19990607
Category:   CF

The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate,
system-critical permissions.

VOTES:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
COMMENTS:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
 Northcutt> and see if you can't see a way to phrase specific keys in a way that
 Northcutt> defines inappropriate.

=================================
Candidate: CAN-1999-0582
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   CF

A Windows NT account policy has inappropriate, security-critical settings
for lockout, e.g. lockout duration, lockout after bad logon attempts, etc.

VOTES:
   ACCEPT(3) Wall, Shostack, Ozancin
   MODIFY(2) Baker, Frech
   REJECT(1) Northcutt
COMMENTS:
 Northcutt> The definition is?
 Baker> Maybe a rewording of this one too. I think most people would agree on
 Baker> some "minimum" policies like 3-5 bad attempts lockout for an hour or
 Baker> until the administrator unlocks the account.
 Baker> Suggested rewrite -
 Baker> A Windows NT account policy does not enforce reasonable minimum
 Baker> security-critical settings for lockouts, e.g. lockout duration,
 Baker> lockout after bad logon attempts, etc.
 Ozancin> with reservations
 Ozancin> What is appropriate?
 Frech> XF:nt-thres-lockout
 Frech> XF:nt-lock-duration
 Frech> XF:nt-lock-window
 Frech> XF:nt-perm-lockout
 Frech> XF:lockout-disabled

=================================
Candidate: CAN-1999-0583
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

There is a one-way or two-way trust relationship between Windows NT
domains.

VOTES:
   REJECT(2) Northcutt, Shostack

=================================
Candidate: CAN-1999-0584
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

A Windows NT file system is not NTFS.

VOTES:
   ACCEPT(2) Wall, Northcutt
COMMENTS:
 Wall> NTFS partition provides the security. This could be re-worded
 Wall> to "A Windows NT file system is FAT" since it is either NTFS or FAT
 Wall> and FAT is less secure.

=================================
Candidate: CAN-1999-0585
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   CF

A Windows NT administrator account has the default name of Administrator.

VOTES:
   ACCEPT(1) Ozancin
   MODIFY(1) Frech
   REJECT(3) Northcutt, Baker, Shostack
   REVIEWING(1) Wall
COMMENTS:
 Wall> Some sources say this is not a vulnerability, but a warning. It just
 Wall> slows down the search for the admin account (SID = 500) which can
 Wall> always be found.
 Northcutt> I change this on all NT systems I am responsible for, but is
 Northcutt> root a vulnerability?
 Baker> There are ways to identify the administrator account anyway, so this
 Baker> is only a minor delay to someone that is knowledgeable. This, in and
 Baker> of itself, doesn't really strike me as a vulnerability, any more than
 Baker> the root account on a Unix box.
 Shostack> (there is no way to hide the account name today)
 Frech> XF:nt-adminexists

=================================
Candidate: CAN-1999-0586
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

A network service is running on a nonstandard port.

VOTES:
   RECAST(1) Shostack
   REJECT(1) Northcutt
COMMENTS:
 Shostack> Might be acceptable if clearer; is that a standard service on a
 Shostack> non-standard port, or any service on an unassigned port?

=================================
Candidate: CAN-1999-0587
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990803
Assigned:   19990607
Category:   CF

A WWW server is not running in a restricted file system, e.g. through a
chroot, thus allowing access to system-critical data.

VOTES:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
COMMENTS:
 Northcutt> While I would accept this for Unix, I am not sure this applies to NT,
 Northcutt> VMS, palm pilots, or commodore 64

=================================
Candidate: CAN-1999-0588
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990726
Assigned:   19990607
Category:   CF

A filter in a router or firewall allows unusual fragmented packets.

VOTES:
   MODIFY(1) Frech
   REJECT(1) Northcutt
COMMENTS:
 Northcutt> I want to vote to accept this one, but unusual is a shade broad.
 Frech> XF:nt-rras
 Frech> XF:cisco-fragmented-attacks
 Frech> XF:ip-frag

=================================
Candidate: CAN-1999-0589
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990803
Assigned:   19990607
Category:   CF

A system-critical Windows NT registry key has inappropriate permissions.

VOTES:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
COMMENTS:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
 Northcutt> and see if you can't see a way to phrase specific keys in a way that
 Northcutt> defines inappropriate.
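
[Editor's added example; it is not part of Steve's candidate list and is not any board member's text.] Several of the Unix host-configuration candidates above (CAN-1999-0554, CAN-1999-0555, CAN-1999-0556 and CAN-1999-0559) can be turned into mechanical checks, which is what a scanner mapping to these entries would do. The script below does that over constructed sample data embedded in the file (a fake /etc/passwd, a fake /etc/exports, and a list of (path, st_mode) pairs standing in for os.stat() results), so it runs offline. The SYSTEM_CRITICAL path list is an assumption made for this example; the board has not yet settled what "system-critical" means, and a real audit would substitute a site-specific list.

```python
# Added example: host checks for CAN-1999-0554/-0555/-0556/-0559.
# All input below is constructed sample data, not taken from a real host.
import stat
from collections import defaultdict

# Constructed /etc/passwd: a second UID-0 account and a UID shared by two users.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:alternate root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1000:1001:Bob:/home/bob:/bin/sh
"""

# Constructed /etc/exports. Note the space in "/ (rw)": with no host before
# the parenthesis the options apply to every client, a classic mistake.
SAMPLE_EXPORTS = """\
# exports file (constructed)
/               (rw)
/home/projects  trusted.example.com(rw)
/etc            *(ro)
"""

# Constructed (path, st_mode) pairs standing in for os.stat() results.
SAMPLE_MODES = [
    ("/etc/passwd",   stat.S_IFREG | 0o644),
    ("/etc/rc.local", stat.S_IFREG | 0o666),   # world-writable startup script
    ("/var/tmp",      stat.S_IFDIR | 0o1777),  # world-writable but sticky: expected
    ("/usr/bin",      stat.S_IFDIR | 0o777),   # world-writable system directory
]

# Assumed list of system-critical tops for this example only.
SYSTEM_CRITICAL = ("/", "/etc", "/bin", "/sbin", "/usr", "/lib", "/var")


def is_system_critical(path):
    """True if path is one of SYSTEM_CRITICAL or lies beneath one of them."""
    for top in SYSTEM_CRITICAL:
        if path == top or (top != "/" and path.startswith(top + "/")):
            return True
    return False


def parse_passwd(passwd_text):
    """Yield (name, uid) for each account line; skip blanks and comments."""
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3:
            yield fields[0], fields[2]


def find_uid0_aliases(passwd_text):
    """CAN-1999-0555: accounts other than 'root' whose UID is 0."""
    return [name for name, uid in parse_passwd(passwd_text)
            if uid == "0" and name != "root"]


def find_duplicate_uids(passwd_text):
    """CAN-1999-0556: UIDs held by two or more accounts, as {uid: [names]}."""
    by_uid = defaultdict(list)
    for name, uid in parse_passwd(passwd_text):
        by_uid[uid].append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def find_world_exports(exports_text):
    """CAN-1999-0554: system-critical paths exported to the world.

    A client entry is 'world' when its host part is empty ("(rw)") or "*",
    or when the path carries no client list at all.
    """
    hits = []
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        hosts = [c.split("(", 1)[0] for c in clients]
        world = not hosts or any(h in ("", "*") for h in hosts)
        if world and is_system_critical(path):
            hits.append(path)
    return hits


def find_world_writable(entries):
    """CAN-1999-0559: system-critical paths writable by 'other'.

    Sticky world-writable directories (/tmp, /var/tmp) are the intended
    pattern and are not reported.
    """
    hits = []
    for path, mode in entries:
        if not is_system_critical(path) or not mode & stat.S_IWOTH:
            continue
        if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
            continue
        hits.append(path)
    return hits


def audit(passwd_text, exports_text, mode_entries):
    """Run every check; return {candidate id: findings} for non-empty results."""
    results = {
        "CAN-1999-0554": find_world_exports(exports_text),
        "CAN-1999-0555": find_uid0_aliases(passwd_text),
        "CAN-1999-0556": find_duplicate_uids(passwd_text),
        "CAN-1999-0559": find_world_writable(mode_entries),
    }
    return {cid: found for cid, found in results.items() if found}


if __name__ == "__main__":
    for cid, found in sorted(audit(SAMPLE_PASSWD, SAMPLE_EXPORTS, SAMPLE_MODES).items()):
        print(cid, found)
```

On the constructed data the audit reports toor for -0555, the shared UIDs 0 and 1000 for -0556, the world exports of / and /etc for -0554, and /etc/rc.local and /usr/bin for -0559, while leaving the sticky /var/tmp alone. Whether /usr/bin or /var/tmp count as "system-critical" is exactly the definitional question Northcutt raises on -0559 and -0560; the list is the one knob a deployment would have to agree on before any of these candidates is mechanically checkable.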
=================================
Candidate: CAN-1999-0590
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

A system does not present an appropriate legal message or warning to a
user who is accessing it.

VOTES:
   ACCEPT(1) Northcutt
   RECAST(1) Shostack

=================================
Candidate: CAN-1999-0591
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990803
Assigned:   19990607
Category:   CF

An event log in Windows NT has inappropriate access permissions.

VOTES:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
COMMENTS:
 Northcutt> splain Lucy, splain

=================================
Candidate: CAN-1999-0592
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

The Logon box of a Windows NT system displays the name of the last user
who logged in.

VOTES:
   REJECT(2) Wall, Northcutt
COMMENTS:
 Wall> Information gathering, not vulnerability
 Northcutt> Ah a C2 weenie must have snuck this in, this can be a good thing
 Northcutt> not just vulnerability

=================================
Candidate: CAN-1999-0593
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

A user is allowed to shut down a Windows NT system without logging in.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt
COMMENTS:
 Wall> Still a denial of service.
 Northcutt> May well be appropriate

=================================
Candidate: CAN-1999-0594
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

A Windows NT system does not restrict access to removable media drives
such as a floppy disk drive or CDROM drive.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt
COMMENTS:
 Wall> Perhaps it can be re-worded to "removable media drives
 Wall> such as a floppy disk drive or CDROM drive can be accessed (shared) in a
 Wall> Windows NT system."
 Northcutt> - what good is my NT w/o its floppy

=================================
Candidate: CAN-1999-0595
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

A Windows NT system does not clear the system page file during shutdown.

VOTES:
   ACCEPT(1) Wall
   NOOP(1) Northcutt

=================================
Candidate: CAN-1999-0596
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

A Windows NT log file has an inappropriate maximum size or retention
period.

VOTES:
   REJECT(2) Wall, Northcutt
COMMENTS:
 Northcutt> define appropriate

=================================
Candidate: CAN-1999-0597
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

A Windows NT account policy does not forcibly disconnect remote users from
the server when their logon hours expire.

VOTES:
   ACCEPT(1) Northcutt
   REJECT(1) Wall

=================================
Candidate: CAN-1999-0598
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990726
Assigned:   19990607
Category:   CF

A network intrusion detection system (IDS) does not properly handle
packets that are sent out of order, allowing an attacker to escape
detection.

VOTES:
   ACCEPT(1) Northcutt

=================================
Candidate: CAN-1999-0599
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990726
Assigned:   19990607
Category:   CF

A network intrusion detection system (IDS) does not properly handle
packets with improper sequence numbers.

VOTES:
   ACCEPT(1) Northcutt

=================================
Candidate: CAN-1999-0600
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990726
Assigned:   19990607
Category:   CF

A network intrusion detection system (IDS) does not verify the checksum
on a packet.

VOTES:
   ACCEPT(1) Northcutt

=================================
Candidate: CAN-1999-0601
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990726
Assigned:   19990607
Category:   CF

A network intrusion detection system (IDS) does not properly handle data
within TCP handshake packets.

VOTES:
   ACCEPT(1) Northcutt

=================================
Candidate: CAN-1999-0602
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990726
Assigned:   19990607
Category:   CF

A network intrusion detection system (IDS) does not properly reassemble
fragmented packets.

VOTES:
   ACCEPT(1) Northcutt

=================================
Candidate: CAN-1999-0603
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF

In Windows NT, an inappropriate user is a member of a group, e.g.
Administrator, Backup Operators, Domain Admins, Domain Guests, Power
Users, Print Operators, Replicators, System Operators, etc.

VOTES:
   REJECT(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0604
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF
Reference:  BUGTRAQ:Apr20,1999

An incorrect configuration of the WebStore 1.0 shopping cart CGI program
"web_store.cgi" could disclose private information.

VOTES:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0605
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF
Reference:  BUGTRAQ:Apr20,1999

An incorrect configuration of the Order Form 1.0 shopping cart CGI
program could disclose private information.

VOTES:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0606
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF
Reference:  BUGTRAQ:Apr20,1999

An incorrect configuration of the EZMall 2000 shopping cart CGI program
"mall2000.cgi" could disclose private information.

VOTES:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0607
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF
Reference:  BUGTRAQ:Apr20,1999

An incorrect configuration of the QuikStore shopping cart CGI program
"quikstore.cgi" could disclose private information.

VOTES:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0608
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF
Reference:  BUGTRAQ:Apr20,1999

An incorrect configuration of the PDG Shopping Cart CGI program
"shopper.cgi" could disclose private information.

VOTES:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0609
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF
Reference:  BUGTRAQ:Apr20,1999

An incorrect configuration of the SoftCart CGI program "SoftCart.exe"
could disclose private information.

VOTES:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0610
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990728
Assigned:   19990607
Category:   CF
Reference:  BUGTRAQ:Apr23,1999

An incorrect configuration of the Webcart CGI program could disclose
private information.

VOTES:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0611
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990803
Assigned:   19990607
Category:   CF

A system-critical Windows NT registry key has an inappropriate value.
VOTES:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
COMMENTS:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
 Northcutt> and see if you can't see a way to phrase specific keys in a way that
 Northcutt> defines inappropriate.

=================================
Candidate: CAN-1999-0613
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   SA

The rpc.sprayd service is running.

VOTES:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt
COMMENTS:
 Frech> XF:sprayd

=================================
Candidate: CAN-1999-0614
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The FTP service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0615
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The SNMP service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0616
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The TFTP service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0617
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The SMTP service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0618
Published:
Final-Decision:
Interim-Decision:
Modified:   19990921-01
Proposed:   19990721
Assigned:   19990607
Category:   SA
Reference:  XF:rexec

The rexec service is running.

Modifications:
  ADDREF XF:rexec

VOTES:
   ACCEPT(4) Wall, Northcutt, Baker, Ozancin
   MODIFY(1) Frech
COMMENTS:
 Frech> XF:decod-rexec
 Frech> XF:rexec

=================================
Candidate: CAN-1999-0619
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The Telnet service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0620
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

A component service related to NIS is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0621
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

A component service related to NETBIOS is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0622
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

A component service related to DNS service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0623
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The X Windows service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0624
Published:
Final-Decision:
Interim-Decision: 19990925
Modified:   19990924-01
Proposed:   19990721
Assigned:   19990607
Category:   SA
Reference:  XF:rstat-out
Reference:  XF:rstatd

The rstat/rstatd service is running.

Modifications:
  ADDREF XF:rstat-out
  ADDREF XF:rstatd

VOTES:
   ACCEPT(3) Northcutt, Baker, Ozancin
   MODIFY(1) Frech
   NOOP(2) Wall, Meunier
COMMENTS:
 Frech> XF:rstat-out
 Frech> XF:rstatd

=================================
Candidate: CAN-1999-0625
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   SA

The rpc.rquotad service is running.

VOTES:
   ACCEPT(3) Northcutt, Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
COMMENTS:
 Frech> XF:rquotad

=================================
Candidate: CAN-1999-0629
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   SA

The ident/identd service is running.

VOTES:
   ACCEPT(2) Baker, Ozancin
   NOOP(1) Wall
   REJECT(1) Northcutt
   REVIEWING(1) Frech
COMMENTS:
 Frech> possibly XF:identd?

=================================
Candidate: CAN-1999-0630
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The NT Alerter and Messenger services are running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0631
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The NFS service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0632
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The RPC portmapper service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0633
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The HTTP/WWW service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0634
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The SSH service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0635
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The echo service is running.

VOTES:
   ACCEPT(2) Wall, Northcutt
COMMENTS:
 Northcutt> The method to my madness is echo is the common denom in the dos attack

=================================
Candidate: CAN-1999-0636
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The discard service is running.

VOTES:
   NOOP(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0637
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The systat service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0638
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The daytime service is running.

VOTES:
   NOOP(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0639
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The chargen service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0640
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The Gopher service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0641
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The UUCP service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0642
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

A POP service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0643
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The IMAP service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0644
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The NNTP news service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0645
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The IRC service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0646
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The LDAP service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0647
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990721
Assigned:   19990607
Category:   SA

The bootparam (bootparamd) service is running.

VOTES:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt
COMMENTS:
 Frech> XF:bootp

=================================
Candidate: CAN-1999-0648
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The X25 service is running.

VOTES:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0649
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The FSP service is running.

VOTES:
   NOOP(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0650
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed:   19990804
Assigned:   19990607
Category:   SA

The netstat service is running.
VOTES: ACCEPT(1) Wall REJECT(1) Northcutt ================================= Candidate: CAN-1999-0651 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990804 Assigned: 19990607 Category: SA The rsh/rlogin service is running. VOTES: ACCEPT(1) Wall REJECT(1) Northcutt ================================= Candidate: CAN-1999-0652 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990804 Assigned: 19990607 Category: SA A database service is running, e.g. a SQL server, Oracle, or mySQL. VOTES: NOOP(1) Wall REJECT(1) Northcutt ================================= Candidate: CAN-1999-0653 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990804 Assigned: 19990607 Category: SA A component service related to NIS+ is running. VOTES: ACCEPT(1) Wall REJECT(1) Northcutt ================================= Candidate: CAN-1999-0654 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SA The OS/2 or POSIX subsystem in NT is enabled. VOTES: ACCEPT(1) Wall REJECT(1) Northcutt COMMENTS: Wall> These subsystems could still allow a process to persist across logins. ================================= Candidate: CAN-1999-0655 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: SA A service may include useful information in its banner or help function (such as the name and version), making it useful for information gathering activities. VOTES: ACCEPT(4) Wall, Northcutt, Baker, Ozancin REVIEWING(1) Frech ================================= Candidate: CAN-1999-0656 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990804 Assigned: 19990607 Category: SA The ugidd service is running. VOTES: NOOP(1) Wall REJECT(1) Northcutt ================================= Candidate: CAN-1999-0657 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990804 Assigned: 19990607 Category: SA WinGate is being used. 
VOTES: NOOP(1) Wall REJECT(1) Northcutt ================================= Candidate: CAN-1999-0658 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990804 Assigned: 19990607 Category: SA DCOM is running. VOTES: ACCEPT(1) Wall REJECT(1) Northcutt ================================= Candidate: CAN-1999-0659 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990804 Assigned: 19990607 Category: SA A Windows NT Primary Domain Controller (PDC) or Backup Domain Controller (BDC) is present. VOTES: REJECT(2) Wall, Northcutt COMMENTS: Wall> Don't consider this a service or a problem. ================================= Candidate: CAN-1999-0660 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990804 Assigned: 19990607 Category: MP A hacker utility or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc. VOTES: ACCEPT(3) Wall, Northcutt, Hill ================================= Candidate: CAN-1999-0661 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990804 Assigned: 19990607 Category: MP A system is running a version of software that was replaced with a Trojan Horse at its distribution point, e.g. TCP Wrappers, wuftpd, etc. VOTES: ACCEPT(3) Wall, Northcutt, Hill ================================= Candidate: CAN-1999-0662 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990804 Assigned: 19990607 Category: AN A system-critical program or library does not have the appropriate patch, hotfix, or service pack installed, or is outdated or obsolete. VOTES: ACCEPT(3) Wall, Northcutt, Hill ================================= Candidate: CAN-1999-0663 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990804 Assigned: 19990607 Category: AN A system-critical program, library, or file has a checksum or other integrity measurement that indicates that it has been modified. 
VOTES: ACCEPT(2) Wall, Hill RECAST(1) Northcutt COMMENTS: Northcutt> This needs to be worded carefully. Northcutt> 1. Rootkits evade checksum detection. Northcutt> 2. The modification could be positive (a patch) ================================= Candidate: CAN-1999-0664 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990803 Assigned: 19990803 Category: CF An application-critical Windows NT registry key has inappropriate permissions. VOTES: ACCEPT(1) Wall RECAST(1) Northcutt COMMENTS: Northcutt> I think we can define appropriate, take a look at the nt security .pdf Northcutt> and see if you can't see a way to phrase specific keys in a way that Northcutt> defines inappropriate. ================================= Candidate: CAN-1999-0665 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990803 Assigned: 19990803 Category: CF An application-critical Windows NT registry key has an inappropriate value. VOTES: ACCEPT(1) Wall RECAST(1) Northcutt COMMENTS: Northcutt> I think we can define appropriate, take a look at the nt security .pdf Northcutt> and see if you can't see a way to phrase specific keys in a way that Northcutt> defines inappropriate.