[INTERIM] ACCEPT 23 candidates from CERT2 (Final 1/3/2000)

I have made an Interim Decision to ACCEPT the following 23 candidates from the CERT2 cluster. I will make a Final Decision on January 3, 2000.

Voters:
  Frech ACCEPT(1) MODIFY(22)
  Ozancin ACCEPT(23)
  Christey NOOP(1)
  Cole ACCEPT(12) MODIFY(11)
  Armstrong ACCEPT(21) NOOP(2)
  Prosser ACCEPT(17) MODIFY(6)
  Stracener ACCEPT(22) MODIFY(1)

- Steve

=================================
Candidate: CAN-1999-0687
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990913 Vulnerability in ttsession
Reference: SUN:00185
Reference: HP:HPSBUX9909-103
Reference: COMPAQ:SSRT0617U_TTSESSION
Reference: CIAC:K-001
Reference: CERT:CA-99-11
Reference: BID:637
Reference: XF:cde-ttsession-rpc-auth

The ToolTalk ttsession daemon uses weak RPC authentication, which allows a remote attacker to execute commands.

Modifications:
  CHANGEREF CIAC:J-051 CIAC:K-001
  ADDREF XF:cde-ttsession-rpc-auth
  DESC correct capitalization in ToolTalk, add execute commands

INFERRED VOTE: CAN-1999-0687 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(3) Armstrong, Ozancin, Prosser
  MODIFY(3) Cole, Frech, Stracener

COMMENTS:
  Cole> I would add at the end that this vulnerability can be used to execute
  Cole> arbitrary programs.
  Frech> XF:cde-ttsession-rpc-auth
  Frech> MODREF:CIAC:K-001 (J-051 relates to Calendar Manager)
  Stracener> Remove REF: CIAC: J-051 (Advisory not relevant to this CAN). It should
  Stracener> be "ToolTalk" rather than "Tooltalk"

=================================
Candidate: CAN-1999-0689
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990913 Vulnerability in dtspcd
Reference: SUN:00185
Reference: HP:HPSBUX9909-103
Reference: CERT:CA-99-11
Reference: XF:cde-dtspcd-file-auth
Reference: BID:636

The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.

Modifications:
  DESC Change impact
  DESC
  ADDREF XF:cde-dtspcd-file-auth

INFERRED VOTE: CAN-1999-0689 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
  MODIFY(2) Cole, Frech

COMMENTS:
  Cole> The attack indirectly allows users to gain privileges. The main
  Cole> vulnerability of the attack is that users can execute commands as root. I
  Cole> would update the exploit to reflect this.
  Frech> XF:cde-dtspcd-file-auth

=================================
Candidate: CAN-1999-0691
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990913 Vulnerability in dtaction
Reference: SUN:00185
Reference: HP:HPSBUX9909-103
Reference: COMPAQ:SSRTO615U_DTACTION
Reference: CERT:CA-99-11
Reference: XF:cde-dtaction-username-bo
Reference: BID:635

Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.

Modifications:
  DESC Add AddSuLog to description.
  ADDREF XF:cde-dtaction-username-bo

INFERRED VOTE: CAN-1999-0691 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(4) Cole, Armstrong, Ozancin, Stracener
  MODIFY(2) Frech, Prosser

COMMENTS:
  Frech> XF:cde-dtaction-username-bo
  Prosser> Overflow is in the AddSuLog function. Might want to add this to the
  Prosser> description to differentiate from other CDE dtaction vulnerabilities

=================================
Candidate: CAN-1999-0692
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: CF
Reference: CERT:CA-99-09
Reference: CIAC:J-052
Reference: SGI:19990701-01-P
Reference: XF:sgi-arrayd

The default configuration of the Array Services daemon (arrayd) disables authentication, allowing remote users to gain root privileges.

Modifications:
  ADDREF XF:sgi-arrayd

INFERRED VOTE: CAN-1999-0692 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
  MODIFY(1) Frech

COMMENTS:
  Frech> XF:sgi-arrayd

=================================
Candidate: CAN-1999-0693
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: CERT:CA-99-11
Reference: SUN:00185
Reference: HP:HPSBUX9909-103
Reference: BID:641
Reference: XF:cde-dtsession-env-bo

Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges.

Modifications:
  DESC Add impact
  ADDREF XF:cde-dtsession-env-bo

INFERRED VOTE: CAN-1999-0693 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
  MODIFY(2) Cole, Frech

COMMENTS:
  Cole> I would add that this allows users to execute commands as root.
  Frech> XF:cde-dtsession-env-bo

=================================
Candidate: CAN-1999-0704
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: REDHAT:RHSA-1999:032-01
Reference: CALDERA:CSSA-1999:024.0
Reference: FREEBSD:SA-99:06
Reference: DEBIAN:19991018
Reference: BID:614
Reference: CERT:CA-99-12
Reference: XF:amd-bo

Buffer overflow in Berkeley automounter daemon (amd) logging facility provided in the Linux am-utils package and others.

INFERRED VOTE: CAN-1999-0704 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(6) Cole, Armstrong, Frech, Ozancin, Prosser, Stracener

=================================
Candidate: CAN-1999-0722
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: CF
Reference: XF:cobalt-raq2-default-config
Reference: CERT:CA-99-10

The default configuration of Cobalt RaQ2 servers allows remote users to install arbitrary software packages.

Modifications:
  ADDREF XF:cobalt-raq2-default-config

INFERRED VOTE: CAN-1999-0722 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(4) Cole, Armstrong, Ozancin, Stracener
  MODIFY(2) Frech, Prosser

COMMENTS:
  Frech> XF:cobalt-raq2-default-config
  Prosser> Additional reference http://noram.cobaltnet.com/support/security/index.html

=================================
Candidate: CAN-1999-0833
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: BID:788
Reference: XF:bind-nxt-bo

Buffer overflow in BIND 8.2 via NXT records.

Modifications:
  ADDREF BID:788
  ADDREF XF:bind-nxt-bo

INFERRED VOTE: CAN-1999-0833 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(3) Armstrong, Ozancin, Stracener
  MODIFY(3) Cole, Frech, Prosser

COMMENTS:
  Cole> I would that a Buffer overflow in Bind 8.2 fails to validate NXT records,
  Cole> which would allow an attacker to execute arbitrary code.
  Frech> XF:bind-nxt-bo
  Prosser> additional reference: BID 788

=================================
Candidate: CAN-1999-0835
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-sigrecord-dos
Reference: BID:788

Denial of service in BIND named via malformed SIG records.

Modifications:
  DESC Add "malformed"
  ADDREF XF:bind-sigrecord-dos
  ADDREF BID:788

INFERRED VOTE: CAN-1999-0835 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(3) Armstrong, Ozancin, Stracener
  MODIFY(3) Cole, Frech, Prosser

COMMENTS:
  Cole> I would change it to a Denial of service in BIND based on the failure
  Cole> to properly validate SIG records, which could result in crashing the
  Cole> named daemon.
  Frech> XF:bind-sigrecord-dos
  Prosser> additional reference: BID 788

=================================
Candidate: CAN-1999-0837
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-solinger-dos
Reference: BID:788

Denial of service in BIND by improperly closing TCP sessions via so_linger.

Modifications:
  ADDREF XF:bind-solinger-dos
  ADDREF BID:788

INFERRED VOTE: CAN-1999-0837 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(4) Cole, Armstrong, Ozancin, Stracener
  MODIFY(2) Frech, Prosser

COMMENTS:
  Frech> XF:bind-solinger-dos
  Prosser> additional reference: BID 788

=================================
Candidate: CAN-1999-0848
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: BID:788
Reference: XF:bind-fdmax-dos

Denial of service in BIND named via consuming more than "fdmax" file descriptors.

Modifications:
  ADDREF XF:bind-fdmax-dos
  ADDREF BID:788

INFERRED VOTE: CAN-1999-0848 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(3) Armstrong, Ozancin, Stracener
  MODIFY(3) Cole, Frech, Prosser

COMMENTS:
  Cole> I would add consuming more "fdmax file descriptors that BIND can properly
  Cole> manage.
  Cole> Just a general comment. I do not know what the copyrights restrictions are
  Cole> but CERT seems to do a pretty good job in coming up with the descriptions.
  Cole> Can we just use them because it seems like some of the above ones leaves out
  Cole> some detail that would be necessary to pinpoint a specific exploit.
  Frech> XF:bind-fdmax-dos
  Prosser> additional reference: BID 788

=================================
Candidate: CAN-1999-0849
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-maxdname-bo

Denial of service in BIND named via maxdname.

Modifications:
  ADDREF XF:bind-maxdname-bo

INFERRED VOTE: CAN-1999-0849 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
  MODIFY(2) Cole, Frech

COMMENTS:
  Cole> I would add at the end that this is accomplished by not properly handling the
  Cole> copying of data from the network.
  Frech> XF:bind-maxdname-bo

=================================
Candidate: CAN-1999-0851
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-naptr-dos

Denial of service in BIND named via naptr.

Modifications:
  ADDREF XF:bind-naptr-dos

INFERRED VOTE: CAN-1999-0851 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
  MODIFY(2) Cole, Frech

COMMENTS:
  Cole> I would add that this is done by failing to validate zone information loaded
  Cole> from disk files.
  Frech> XF:bind-naptr-dos

=================================
Candidate: CAN-1999-0868
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-97.08
Reference: XF:inn-ucbmail-shell-meta

ucbmail allows remote attackers to execute commands via shell metacharacters that are passed to it from INN.

Modifications:
  ADDREF XF:inn-ucbmail-shell-meta

INFERRED VOTE: CAN-1999-0868 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(3) Ozancin, Prosser, Stracener
  MODIFY(2) Cole, Frech
  NOOP(2) Armstrong, Christey

COMMENTS:
  Cole> This is accomplished because INN does not remove certain shell
  Cole> metacharacters from the data in the control message.
  Cole> I am assuming that the other vulnerability in innd is covered by a different
  Cole> CVE number. I just want to make sure we do not miss it.
  Frech> XF:inn-ucbmail-shell-meta
  Christey> The other INN problem is CVE-1999-0043.

=================================
Candidate: CAN-1999-0878
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: AUSCERT:AA-1999.01
Reference: CERT:CA-99-13
Reference: REDHAT:RHSA1999031_01
Reference: XF:wu-ftpd-dir-name
Reference: BID:599

Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via MAPPING_CHDIR.

Modifications:
  ADDREF XF:wu-ftpd-dir-name
  ADDREF AUSCERT:AA-1999.01

INFERRED VOTE: CAN-1999-0878 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
  MODIFY(1) Frech

COMMENTS:
  Frech> XF:wu-ftpd-dir-name

=================================
Candidate: CAN-1999-0879
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-99-13
Reference: XF:wuftp-message-file-root

Buffer overflow in WU-FTPD and related FTP servers allows remote attackers to gain root privileges via macro variables in a message file.

Modifications:
  ADDREF XF:wuftp-message-file-root

INFERRED VOTE: CAN-1999-0879 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
  MODIFY(2) Cole, Frech

COMMENTS:
  Cole> This is accomplished by overwriting the stack of the FTP daemon.
  Frech> XF:wuftp-message-file-root

=================================
Candidate: CAN-1999-0880
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-99-13
Reference: XF:wuftp-site-newer-dos

Denial of service in WU-FTPD via the SITE NEWER command, which does not free memory properly.

Modifications:
  ADDREF XF:wuftp-site-newer-dos
  DESC change "memory leak" to "free memory"

INFERRED VOTE: CAN-1999-0880 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
  MODIFY(2) Cole, Frech

COMMENTS:
  Cole> It is not really a memory leak, it is just that the program fails to free up
  Cole> memory under certain circumstances.
  Frech> XF:wuftp-site-newer-dos

=================================
Candidate: CAN-1999-0938
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:VN-99-03
Reference: XF:sdr-execute

MBone SDR Package allows remote attackers to execute commands via shell metacharacters in Session Initiation Protocol (SIP) messages.

Modifications:
  ADDREF XF:sdr-execute

INFERRED VOTE: CAN-1999-0938 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
  MODIFY(1) Frech

COMMENTS:
  Frech> XF:sdr-execute

=================================
Candidate: CAN-1999-0956
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-93.02a
Reference: XF:next-netinfo

The NeXT NetInfo _writers property allows local users to gain root privileges or conduct a denial of service.

Modifications:
  ADDREF XF:next-netinfo

INFERRED VOTE: CAN-1999-0956 ACCEPT (5 accept, 0 review)

VOTES:
  ACCEPT(4) Cole, Ozancin, Prosser, Stracener
  MODIFY(1) Frech
  NOOP(1) Armstrong

COMMENTS:
  Frech> XF:next-netinfo

=================================
Candidate: CAN-1999-0960
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: AUSCERT:AA-96.11
Reference: SGI:19980301-01-PX
Reference: XF:irix-cdplayer-directory-create

IRIX cdplayer allows local users to create directories in arbitrary locations via a command line option.

Modifications:
  ADDREF XF:irix-cdplayer-directory-create

INFERRED VOTE: CAN-1999-0960 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
  MODIFY(1) Frech

COMMENTS:
  Frech> XF:irix-cdplayer-directory-create

=================================
Candidate: CAN-1999-0962
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: AUSCERT:AA-96.13
Reference: HP:HPSBUX9701-045
Reference: XF:hp-password-cmd-bo

Buffer overflow in HPUX passwd command allows local users to gain root privileges via a command line option.

Modifications:
  ADDREF XF:hp-password-cmd-bo

INFERRED VOTE: CAN-1999-0962 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
  MODIFY(1) Frech

COMMENTS:
  Frech> XF:hp-password-cmd-bo

=================================
Candidate: CAN-1999-0963
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19960316 BoS: SECURITY BUG in FreeBS
Reference: CERT:VB-96.06
Reference: XF:freebsd-mount-union-root

FreeBSD mount_union command allows local users to gain root privileges via a symlink attack.

Modifications:
  ADDREF XF:freebsd-mount-union-root

INFERRED VOTE: CAN-1999-0963 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
  MODIFY(1) Frech

COMMENTS:
  Frech> XF:freebsd-mount-union-root

=================================
Candidate: CAN-1999-0965
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-93.17
Reference: XF:xterm

Race condition in xterm allows local users to modify arbitrary files via the logging option.

Modifications:
  ADDREF XF:xterm

INFERRED VOTE: CAN-1999-0965 ACCEPT (6 accept, 0 review)

VOTES:
  ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
  MODIFY(1) Frech

COMMENTS:
  Frech> XF:xterm