
[VOTES] Vote details for older clusters related to content decisions



This OLD-CD meta-cluster includes voting details for all the older
clusters which were used to illustrate content decisions, back in July
and August 1999.

Not surprisingly, these clusters have a large number of candidates
that are still active and being held back by unresolved content
decisions.  These will be revisited in the coming months.

SA-OTHER
SA-LITTLE
SA-ATTACK
SA-HIST
NT-REGISTRY
DATA
CFMISC
NOVULN
PRIVACY
NETCONF
CDEC
DESIGN
NTCONFIG
PASS
MULT2
MULT


- Steve


--------------------- CLUSTER SA-OTHER ---------------------

SA-OTHER (8 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Other SA candidates


Voters:
  Wall ACCEPT(5) NOOP(3)
  Northcutt REJECT(8)


<PROPOSED> --> 8
REJECT --> 8

=================================
Candidate: CAN-1999-0640
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The Gopher service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0640 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0644
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The NNTP news service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0644 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0648
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The X25 service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0648 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0649
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The FSP service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0649 REJECT (1 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   NOOP(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0650
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The netstat service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0650 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0652
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A database service is running, e.g. a SQL server, Oracle, or mySQL.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0652 REJECT (1 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   NOOP(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0656
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The ugidd service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0656 REJECT (1 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   NOOP(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0658
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

DCOM is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0658 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt




--------------------- CLUSTER SA-LITTLE ---------------------

SA-LITTLE (5 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Presence of "little" services that are rarely necessary


Voters:
  Wall ACCEPT(3) NOOP(2)
  Northcutt ACCEPT(1) REJECT(4)


<PROPOSED> --> 5
ACCEPT --> 1
REJECT --> 4

=================================
Candidate: CAN-1999-0635
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The echo service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0635 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Wall, Northcutt

Comments:
 Northcutt> The method to my madness is echo is the common denom in the dos attack


=================================
Candidate: CAN-1999-0636
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The discard service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0636 REJECT (1 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   NOOP(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0637
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The systat service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0637 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0638
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The daytime service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0638 REJECT (1 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   NOOP(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0639
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The chargen service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0639 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt




--------------------- CLUSTER SA-ATTACK ---------------------

SA-ATTACK (10 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Presence of services that are common attack points


Voters:
  Wall ACCEPT(9) REJECT(1)
  Northcutt REJECT(10)


<PROPOSED> --> 10
REJECT --> 10

=================================
Candidate: CAN-1999-0615
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The SNMP service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0615 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0620
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A component service related to NIS is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0620 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0630
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The NT Alerter and Messenger services are running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0630 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0633
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The HTTP/WWW service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0633 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0641
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The UUCP service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0641 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0645
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The IRC service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0645 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0646
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The LDAP service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0646 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0651
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The rsh/rlogin service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0651 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0653
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A component service related to NIS+ is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0653 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0659
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A Windows NT Primary Domain Controller (PDC) or Backup Domain
Controller (BDC) is present.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0659 REJECT (2 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   REJECT(2) Wall, Northcutt

Comments:
 Wall> Don't consider this a service or a problem.




--------------------- CLUSTER SA-HIST ---------------------

SA-HIST (13 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Presence of services with a history of problems


Voters:
  Wall ACCEPT(12) NOOP(1)
  Northcutt REJECT(13)


<PROPOSED> --> 13
REJECT --> 13

=================================
Candidate: CAN-1999-0614
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The FTP service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0614 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0616
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The TFTP service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0616 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0617
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The SMTP service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0617 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0619
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The Telnet service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0619 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0621
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A component service related to NETBIOS is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0621 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0622
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A component service related to DNS service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0622 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0623
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The X Windows service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0623 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0631
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The NFS service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0631 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0632
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The RPC portmapper service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0632 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0634
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The SSH service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0634 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0642
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A POP service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0642 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0643
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The IMAP service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0643 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0657
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

WinGate is being used.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0657 REJECT (1 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   NOOP(1) Wall
   REJECT(1) Northcutt




--------------------- CLUSTER NT-REGISTRY ---------------------

NT-REGISTRY (6 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

CF problems related to NT registry settings


Voters:
  Wall ACCEPT(6)
  Northcutt RECAST(6)


<PROPOSED> --> 6
RECAST --> 6

=================================
Candidate: CAN-1999-0580
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate,
system-critical permissions.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0580 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt

Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
 Northcutt> and see if you can't see a way to phrase specific keys in a way that
 Northcutt> defines inappropriate.


=================================
Candidate: CAN-1999-0581
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate,
system-critical permissions.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0581 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt

Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
 Northcutt> and see if you can't see a way to phrase specific keys in a way that
 Northcutt> defines inappropriate.


=================================
Candidate: CAN-1999-0589
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical Windows NT registry key has inappropriate
permissions.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0589 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt

Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
 Northcutt> and see if you can't see a way to phrase specific keys in a way that
 Northcutt> defines inappropriate.


=================================
Candidate: CAN-1999-0611
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical Windows NT registry key has an inappropriate value.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0611 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt

Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
 Northcutt> and see if you can't see a way to phrase specific keys in a way that
 Northcutt> defines inappropriate.


=================================
Candidate: CAN-1999-0664
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990803
Category: CF

An application-critical Windows NT registry key has inappropriate
permissions.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0664 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt

Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
 Northcutt> and see if you can't see a way to phrase specific keys in a way that
 Northcutt> defines inappropriate.


=================================
Candidate: CAN-1999-0665
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990803
Category: CF

An application-critical Windows NT registry key has an inappropriate
value.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0665 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt

Comments:
 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
 Northcutt> and see if you can't see a way to phrase specific keys in a way that
 Northcutt> defines inappropriate.




--------------------- CLUSTER DATA ---------------------

DATA (10 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

CF problems related to data access


Voters:
  Wall ACCEPT(10)
  Northcutt ACCEPT(3) RECAST(6) REJECT(1)


<MODIFIED> --> 1
<PROPOSED> --> 9
ACCEPT --> 3
RECAST --> 6
REJECT --> 1

=================================
Candidate: CAN-1999-0509
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

Perl, sh, csh, or other shell interpreters are accessible on a WWW
site.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0509 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Wall, Northcutt


=================================
Candidate: CAN-1999-0520
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical NETBIOS/SMB share has inappropriate access control.

CONTENT-DECISIONS: CF-DATA

INFERRED ACTION: CAN-1999-0520 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt

Comments:
 Northcutt> I think we need to enumerate the shares and/or the access control


=================================
Candidate: CAN-1999-0522
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
Reference: CERT:CA-96.10

The permissions for a system-critical NIS+ table (e.g. passwd) are
inappropriate.

CONTENT-DECISIONS: CF-DATA

INFERRED ACTION: CAN-1999-0522 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt

Comments:
 Northcutt> Why not say world readable, this is what you do further down in the
 Northcutt> file (world exportable in CAN-1999-0554)


=================================
Candidate: CAN-1999-0527
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

The permissions for system-critical data in an anonymous FTP account
are inappropriate.  For example, the root directory is writeable by
world, a real password file is obtainable, or executable commands such
as "ls" can be overwritten.

CONTENT-DECISIONS: CF-DATA

INFERRED ACTION: CAN-1999-0527 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Wall, Northcutt

Comments:
 Northcutt> That starts to get specific :)


=================================
Candidate: CAN-1999-0554
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

NFS exports system-critical data to the world, e.g. / or a password
file.

CONTENT-DECISIONS: CF-DATA

INFERRED ACTION: CAN-1999-0554 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Wall, Northcutt


=================================
Candidate: CAN-1999-0559
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical Unix file or directory has inappropriate
permissions.

CONTENT-DECISIONS: CF-DATA,LOA

INFERRED ACTION: CAN-1999-0559 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt

Comments:
 Northcutt> Writable other than by root/bin/wheelgroup?


=================================
Candidate: CAN-1999-0560
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical Windows NT file or directory has inappropriate
permissions.

CONTENT-DECISIONS: CF-DATA

INFERRED ACTION: CAN-1999-0560 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt

Comments:
 Northcutt> I think we should specify these


=================================
Candidate: CAN-1999-0569
Published:
Final-Decision:
Interim-Decision:
Modified: 19991130-01
Proposed: 19990803
Assigned: 19990607
Category: CF

A URL for a WWW directory allows auto-indexing, which provides a list
of all files in that directory if it does not contain an index.html
file.

Modifications:
  Mention missing index.html

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0569 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

Comments:
 Northcutt> I do this intentionally sometimes in high content directories


=================================
Candidate: CAN-1999-0587
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A WWW server is not running in a restricted file system, e.g. through
a chroot, thus allowing access to system-critical data.

CONTENT-DECISIONS: CF-DATA

INFERRED ACTION: CAN-1999-0587 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt

Comments:
 Northcutt> While I would accept this for Unix, I am not sure this applies to NT,
 Northcutt> VMS, palm pilots, or commodore 64


=================================
Candidate: CAN-1999-0591
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

An event log in Windows NT has inappropriate access permissions.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0591 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt

Comments:
 Northcutt> splain Lucy, splain




--------------------- CLUSTER CFMISC ---------------------

CFMISC (18 candidates)
--------------------
Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Miscellaneous CF problems


Voters:
  Shostack ACCEPT(5) RECAST(6) REJECT(6)
  Northcutt ACCEPT(6) NOOP(3) REJECT(8)


<PROPOSED> --> 17
ACCEPT --> 3
RECAST --> 4
REJECT --> 10

=================================
Candidate: CAN-1999-0497
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

Anonymous FTP is enabled

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0497 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Shostack
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0512
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

Mail relay is enabled, allowing abuse by spammers.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0512 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Northcutt, Shostack


=================================
Candidate: CAN-1999-0515
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

An unrestricted remote trust relationship for Unix systems has been
set up, e.g. by using a + sign in /etc/hosts.equiv.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0515 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   REJECT(1) Shostack

Comments:
 Shostack> Overly broad


=================================
Candidate: CAN-1999-0530
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A system is operating in "promiscuous" mode which allows it to perform
packet sniffing.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0530 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   REJECT(1) Shostack


=================================
Candidate: CAN-1999-0531
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0531 REJECT (1 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   RECAST(1) Shostack
   REJECT(1) Northcutt

Comments:
 Shostack> I think expn != vrfy, help, esmtp.


=================================
Candidate: CAN-1999-0539
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A trust relationship exists between two Unix hosts.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0539 REJECT (2 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   REJECT(2) Northcutt, Shostack

Comments:
 Northcutt> Too non-specific


=================================
Candidate: CAN-1999-0547
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

An SSH server allows authentication through the .rhosts file.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0547 MOREVOTES (1 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Shostack
   NOOP(1) Northcutt


=================================
Candidate: CAN-1999-0548
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A superfluous NFS server is running, but it is not importing or exporting
any file systems.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0548 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Shostack
   REJECT(1) Northcutt


=================================
Candidate: CAN-1999-0555
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Unix account with a name other than "root" has UID 0, i.e. root
privileges.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0555 REJECT (2 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   REJECT(2) Northcutt, Shostack

Comments:
 Northcutt> This is very bogus


=================================
Candidate: CAN-1999-0556
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

Two or more Unix accounts have the same UID.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0556 REJECT (2 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   REJECT(2) Northcutt, Shostack


=================================
Candidate: CAN-1999-0561
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

IIS has the #exec function enabled for Server Side Include (SSI) files.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0561 RECAST (1 recast, 0 accept, 0 review) HAS_CDS

Current Votes:
   NOOP(1) Northcutt
   RECAST(1) Shostack


=================================
Candidate: CAN-1999-0564
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

An attacker can force a printer to print arbitrary documents (e.g. if
the printer doesn't require a password) or to become disabled.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0564 MOREVOTES (1 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Shostack
   NOOP(1) Northcutt


=================================
Candidate: CAN-1999-0565
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Sendmail alias allows input to be piped to a program.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0565 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   RECAST(1) Shostack

Comments:
 Shostack> Is this a default alias?  Is my .procmailrc an instance of this?


=================================
Candidate: CAN-1999-0568
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

rpc.admind in Solaris is not running in a secure mode.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0568 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   RECAST(1) Shostack

Comments:
 Shostack> are there secure modes?


=================================
Candidate: CAN-1999-0583
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

There is a one-way or two-way trust relationship between Windows NT
domains.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0583 REJECT (2 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   REJECT(2) Northcutt, Shostack


=================================
Candidate: CAN-1999-0586
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A network service is running on a nonstandard port.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0586 REJECT (1 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   RECAST(1) Shostack
   REJECT(1) Northcutt

Comments:
 Shostack> Might be acceptable if clearer; is that a standard service on a
 Shostack> non-standard port, or any service on an unassigned port?


=================================
Candidate: CAN-1999-0590
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A system does not present an appropriate legal message or warning to a
user who is accessing it.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0590 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   RECAST(1) Shostack




--------------------- CLUSTER NOVULN ---------------------

NOVULN (19 candidates)
--------------------
Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Problems that may be regarded as "not a vulnerability"


Voters:
  Wall ACCEPT(5) NOOP(5) REJECT(9)
  Northcutt ACCEPT(6) NOOP(6) REJECT(7)


<PROPOSED> --> 19
ACCEPT --> 3
NOOP --> 3
REJECT --> 13

=================================
Candidate: CAN-1999-0119
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Windows NT 4.0 beta allows users to read and delete shares.

INFERRED ACTION: CAN-1999-0119 REJECT (1 reject, 0 accept, 0 review)

Current Votes:
   NOOP(1) Northcutt
   REJECT(1) Wall

Comments:
 Wall> Reject based on beta copy.


=================================
Candidate: CAN-1999-0361
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan29,1999

NetWare version of LaserFiche stores usernames and passwords
unencrypted, and allows administrative changes without logging.

INFERRED ACTION: CAN-1999-0361 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt


=================================
Candidate: CAN-1999-0364
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb04,1999

Microsoft Access 97 stores a database password as plaintext in a
foreign mdb, allowing access to data.

INFERRED ACTION: CAN-1999-0364 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt


=================================
Candidate: CAN-1999-0397
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: L0PHT:Jan21,1999
Reference: BUGTRAQ:Jan21,1999

The demo version of the Quakenbush NT Password Appraiser sends
passwords across the network in plaintext.

INFERRED ACTION: CAN-1999-0397 REJECT (1 reject, 1 accept, 0 review)

Current Votes:
   ACCEPT(1) Northcutt
   REJECT(1) Wall

Comments:
 Wall> Reject based on beta copy.


=================================
Candidate: CAN-1999-0403
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb4,1999
Reference: XF:cyrix-hang

A bug in Cyrix CPUs on Linux allows local users to perform a denial
of service.

INFERRED ACTION: CAN-1999-0403 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Northcutt
   NOOP(1) Wall


=================================
Candidate: CAN-1999-0453
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

An attacker can identify a CISCO device by sending a SYN packet to
port 1999, which is for the Cisco Discovery Protocol (CDP).

INFERRED ACTION: CAN-1999-0453 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt


=================================
Candidate: CAN-1999-0454
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

A remote attacker can sometimes identify the operating system of a
host based on how it reacts to some IP or ICMP packets, using a tool
such as nmap or queso.

INFERRED ACTION: CAN-1999-0454 REJECT (1 reject, 0 accept, 0 review)

Current Votes:
   NOOP(1) Wall
   REJECT(1) Northcutt

Comments:
 Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced
 Northcutt> ways to accomplish this.  To pursue making the world signature free
 Northcutt> is as much a vulnerability as having signatures, nay more.


=================================
Candidate: CAN-1999-0459
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: XF:linux-milo-halt

Local users can perform a denial of service in Alpha Linux, using MILO
to force a reboot.

INFERRED ACTION: CAN-1999-0459 REJECT (1 reject, 0 accept, 0 review)

Current Votes:
   NOOP(1) Northcutt
   REJECT(1) Wall

Comments:
 Wall> Reject based on beta copy.


=================================
Candidate: CAN-1999-0465
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: XF:http-img-overflow

Remote attackers can crash Lynx and Internet Explorer using an IMG tag
with a large width parameter.

INFERRED ACTION: CAN-1999-0465 REJECT (1 reject, 1 accept, 0 review)

Current Votes:
   ACCEPT(1) Northcutt
   REJECT(1) Wall

Comments:
 Wall> Reject based on client-side DoS


=================================
Candidate: CAN-1999-0570
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0570 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   REJECT(1) Wall

Comments:
 Northcutt> Here we are crossing into the best practices arena again.  However since
 Northcutt> passfilt does establish a measurable standard and since we aren't the
 Northcutt> ones defining the standard, simply saying it should be employed I will
 Northcutt> vote for this.


=================================
Candidate: CAN-1999-0584
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Windows NT file system is not NTFS.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0584 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Wall, Northcutt

Comments:
 Wall> NTFS partition provides the security.  This could be re-worded
 Wall> to "A Windows NT file system is FAT" since it is either NTFS or FAT
 Wall> and FAT is less secure.


=================================
Candidate: CAN-1999-0592
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

The Logon box of a Windows NT system displays the name of the last
user who logged in.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0592 REJECT (2 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   REJECT(2) Wall, Northcutt

Comments:
 Wall> Information gathering, not vulnerability
 Northcutt> Ah a C2 weenie must have snuck this in, this can be a good thing
 Northcutt> not just vulnerability


=================================
Candidate: CAN-1999-0593
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A user is allowed to shut down a Windows NT system without logging in.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0593 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

Comments:
 Wall> Still a denial of service.
 Northcutt> May well be appropriate


=================================
Candidate: CAN-1999-0594
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Windows NT system does not restrict access to removable media drives
such as a floppy disk drive or CDROM drive.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0594 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

Comments:
 Wall> Perhaps it can be re-worded to "removable media drives
 Wall> such as a floppy disk drive or CDROM drive can be accessed (shared) in a
 Wall> Windows NT system."
 Northcutt> - what good is my NT w/o its floppy


=================================
Candidate: CAN-1999-0595
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: MSKB:Q182086

A Windows NT system does not clear the system page file during
shutdown, which might allow sensitive information to be recorded.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0595 MOREVOTES (1 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Northcutt


=================================
Candidate: CAN-1999-0596
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Windows NT log file has an inappropriate maximum size or retention
period.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0596 REJECT (2 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   REJECT(2) Wall, Northcutt

Comments:
 Northcutt> define appropriate


=================================
Candidate: CAN-1999-0597
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Windows NT account policy does not forcibly disconnect remote users
from the server when their logon hours expire.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0597 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   REJECT(1) Wall


=================================
Candidate: CAN-1999-0603
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

In Windows NT, an inappropriate user is a member of a group,
e.g. Administrator, Backup Operators, Domain Admins, Domain Guests,
Power Users, Print Operators, Replicators, System Operators, etc.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0603 REJECT (2 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   REJECT(2) Wall, Northcutt


=================================
Candidate: CAN-1999-0654
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SA

The OS/2 or POSIX subsystem in NT is enabled.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0654 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

Comments:
 Wall> These subsystems could still allow a process to persist across logins.




--------------------- CLUSTER PRIVACY ---------------------

PRIVACY (9 candidates)
--------------------
Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Problems related to privacy


Voters:
  Wall ACCEPT(2) NOOP(7)
  Christey REJECT(1)
  Northcutt NOOP(9)


<PROPOSED> --> 9
ACCEPT --> 1
NOOP --> 7
REJECT --> 1

=================================
Candidate: CAN-1999-0031
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.20.javascript

JavaScript allows remote attackers to monitor a user's web
activities.

INFERRED ACTION: CAN-1999-0031 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Northcutt


=================================
Candidate: CAN-1999-0469
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990409 IE 5.0 security vulnerabilities - %01 bug again
Reference: XF:ie-window-spoof

Internet Explorer 5.0 allows window spoofing, allowing a remote
attacker to spoof a legitimate web site and capture information from
the client.

INFERRED ACTION: CAN-1999-0469 SMC_REJECT (1 reject, 1 accept, 0 review)

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Northcutt
   REJECT(1) Christey

Comments:
 Wall> Reference: Microsoft Security Bulletin MS99-012
 Christey> DUPE CAN-1999-0488


=================================
Candidate: CAN-1999-0604
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data

An incorrect configuration of the WebStore 1.0 shopping cart
CGI program "web_store.cgi" could disclose private information.

INFERRED ACTION: CAN-1999-0604 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt


=================================
Candidate: CAN-1999-0605
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data

An incorrect configuration of the Order Form 1.0 shopping cart
CGI program could disclose private information.

INFERRED ACTION: CAN-1999-0605 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt


=================================
Candidate: CAN-1999-0606
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data

An incorrect configuration of the EZMall 2000 shopping cart
CGI program "mall2000.cgi" could disclose private information.

INFERRED ACTION: CAN-1999-0606 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt


=================================
Candidate: CAN-1999-0607
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data

An incorrect configuration of the QuikStore shopping cart
CGI program "quikstore.cgi" could disclose private information.

INFERRED ACTION: CAN-1999-0607 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt


=================================
Candidate: CAN-1999-0608
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data

An incorrect configuration of the PDG Shopping Cart CGI program
"shopper.cgi" could disclose private information.

INFERRED ACTION: CAN-1999-0608 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt


=================================
Candidate: CAN-1999-0609
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data

An incorrect configuration of the SoftCart CGI program
"SoftCart.exe" could disclose private information.

INFERRED ACTION: CAN-1999-0609 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt


=================================
Candidate: CAN-1999-0610
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data

An incorrect configuration of the Webcart CGI program
could disclose private information.

INFERRED ACTION: CAN-1999-0610 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt




--------------------- CLUSTER NETCONF ---------------------

NETCONF (12 candidates)
--------------------
Proposed: 7/26
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Network configuration problems


Voters:
  Frech MODIFY(8) REVIEWING(4)
  Northcutt ACCEPT(3) NOOP(1) RECAST(1) REJECT(7)


<PROPOSED> --> 12
MODIFY --> 2
RECAST --> 1
REJECT --> 7
REVIEWING --> 2

=================================
Candidate: CAN-1999-0510
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A router or firewall allows source routed packets from arbitrary
hosts.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0510 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(1) Frech

Comments:
 Frech> XF:source-routing


=================================
Candidate: CAN-1999-0511
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

IP forwarding is enabled on a machine which is not a router or
firewall.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0511 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(1) Frech

Comments:
 Frech> XF:ip-forwarding


=================================
Candidate: CAN-1999-0523
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

ICMP echo (ping) is allowed from arbitrary hosts.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0523 REJECT (1 reject, 0 accept, 1 review) HAS_CDS

Current Votes:
   REJECT(1) Northcutt
   REVIEWING(1) Frech

Comments:
 Northcutt> (Though I sympathize with this one :)


=================================
Candidate: CAN-1999-0524
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

ICMP information such as netmask and timestamp is allowed from
arbitrary hosts.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0524 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   REJECT(1) Northcutt

Comments:
 Frech> XF:icmp-timestamp
 Frech> XF:icmp-netmask


=================================
Candidate: CAN-1999-0525
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

IP traceroute is allowed from arbitrary hosts.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0525 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   REJECT(1) Northcutt

Comments:
 Frech> XF:traceroute


=================================
Candidate: CAN-1999-0528
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A router or firewall forwards external packets that claim to come from
inside the network that the router/firewall is in front of.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0528 MOREVOTES (1 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   REVIEWING(1) Frech

Comments:
 Frech> possibly XF:nisd-dns-fwd-check


=================================
Candidate: CAN-1999-0529
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A router or firewall forwards packets that claim to come from IANA
reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x,
etc.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0529 REJECT (1 reject, 0 accept, 1 review) HAS_CDS

Current Votes:
   REJECT(1) Northcutt
   REVIEWING(1) Frech

Comments:
 Northcutt> I have seen ISPs "assign" private addresses within their domain


=================================
Candidate: CAN-1999-0532
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A DNS server allows zone transfers.

CONTENT-DECISIONS: CF-DATA

INFERRED ACTION: CAN-1999-0532 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   REJECT(1) Northcutt

Comments:
 Northcutt> (With split DNS implementations this is quite appropriate)
 Frech> XF:dns-zonexfer


=================================
Candidate: CAN-1999-0533
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A DNS server allows inverse queries.

CONTENT-DECISIONS: CF-DATA

INFERRED ACTION: CAN-1999-0533 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   REJECT(1) Northcutt

Comments:
 Northcutt> (rule of thumb)
 Frech> XF:dns-iquery


=================================
Candidate: CAN-1999-0550
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A router's routing tables can be obtained from arbitrary hosts.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0550 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   RECAST(1) Northcutt

Comments:
 Northcutt> Don't you mean obtained by arbitrary hosts
 Frech> XF:routed
 Frech> XF:decod-rip-entry
 Frech> XF:rip


=================================
Candidate: CAN-1999-0571
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Feb5,1999

A router allows arbitrary hosts to connect to its configuration
service, or related services such as telnet.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0571 MOREVOTES (0 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
   NOOP(1) Northcutt
   REVIEWING(1) Frech


=================================
Candidate: CAN-1999-0588
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A filter in a router or firewall allows unusual fragmented packets.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0588 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   REJECT(1) Northcutt

Comments:
 Northcutt> I want to vote to accept this one, but unusual is a shade broad.
 Frech> XF:nt-rras
 Frech> XF:cisco-fragmented-attacks
 Frech> XF:ip-frag




--------------------- CLUSTER CDEC ---------------------

CDEC (15 candidates)
--------------------
Proposed: 7/26
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Candidates affected by current content decision debates


Voters:
  Frech ACCEPT(2) MODIFY(6) RECAST(1) REJECT(1)
  Wall ACCEPT(5) MODIFY(1) NOOP(4)
  Christey REVIEWING(5)


<FINAL> --> 5
<PROPOSED> --> 10
ACCEPT --> 1
MODIFY --> 2
RECAST --> 1
REJECT --> 1
REVIEWING --> 5

=================================
Candidate: CAN-1999-0015
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop

Teardrop IP denial of service.

CONTENT-DECISIONS: LOA

INFERRED ACTION: CAN-1999-0015 SMC_REVIEW (2 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Comments:
 Frech> XF: teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are.
 Christey> See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258


=================================
Candidate: CAN-1999-0098
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: XF:smtp-helo-bo

Buffer overflow in SMTP HELO command in Sendmail allows a remote
attacker to hide activities.

INFERRED ACTION: CAN-1999-0098 SMC_REVIEW (1 accept, 1 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Comments:
 Frech> (Accept XF reference.)
 Frech> Our references do not mention hiding activities. This issue can crash the
 Frech> SMTP server or execute arbitrary byte-code. Is there another reference
 Frech> available?
 Christey> Should this be merged with CAN-1999-0284, which is Sendmail
 Christey> with SMTP HELO?


=================================
Candidate: CAN-1999-0104
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop-mod

A later variation on the Teardrop IP denial of service attack,
a.k.a. Teardrop-2

INFERRED ACTION: CAN-1999-0104 SMC_REVIEW (2 accept, 1 review)

Current Votes:
   ACCEPT(2) Wall, Frech
   REVIEWING(1) Christey

Comments:
 Wall> Another reference is Microsoft Knowledge Base Q179129.
 Christey> Not sure how many separate "instances" of Teardrop there are.
 Christey> See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258


=================================
Candidate: CAN-1999-0186
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: SUN:00178
Reference: XF:snmp-backdoor-access

In Solaris, an SNMP subagent has a default community string that allows remote
attackers to execute arbitrary commands as root, or modify system
parameters.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0186 MOREVOTES (1 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Wall

Comments:
 Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr
 Frech> Add ISS:Hidden Community String in SNMP Implementation


=================================
Candidate: CAN-1999-0254
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: ISS:Hidden SNMP community in HP OpenView
Reference: XF:hpov-hidden-snmp-comm

A hidden SNMP community string in HP OpenView allows remote attackers
to modify MIB tables and obtain sensitive information.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0254 MOREVOTES (1 accept, 2 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Frech
   NOOP(1) Wall


=================================
Candidate: CAN-1999-0257
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

Nestea variation of teardrop IP fragmentation denial of service.

INFERRED ACTION: CAN-1999-0257 SMC_REVIEW (2 accept, 1 review)

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Comments:
 Frech> XF:nestea-linux-dos
 Christey> Not sure how many separate "instances" of Teardrop
 Christey> and its ilk.  Also see comments on CAN-1999-0001.
 Christey>
 Christey> See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258
 Christey>
 Christey> Is CAN-1999-0001 the same as CVE-1999-0052?  That one is related
 Christey> to nestea (CAN-1999-0257) and probably the one described in
 Christey> BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
 Christey> The patch for nestea is in ip_input.c around line 750.
 Christey> The patches for CAN-1999-0001 are in lines 388&446.  So,
 Christey> CAN-1999-0001 is different from CAN-1999-0257 and CVE-1999-0052.
 Christey> The FreeBSD patch for CVE-1999-0052 is in line 750.
 Christey> So, CAN-1999-0257 and CVE-1999-0052 may be the same, though
 Christey> CVE-1999-0052 should be RECAST since this bug affects Linux
 Christey> and other OSes besides FreeBSD.
 Christey>
 Christey> Also see BUGTRAQ:19990909 CISCO and nestea.
 Christey>
 Christey> Finally, note that there is no fundamental difference between
 Christey> nestea and nestea2/nestea-v2; they are different ports that
 Christey> exploit the same problem.


=================================
Candidate: CAN-1999-0258
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

Bonk variation of teardrop IP fragmentation denial of service.

INFERRED ACTION: CAN-1999-0258 SMC_REVIEW (2 accept, 1 review)

Current Votes:
   MODIFY(2) Wall, Frech
   REVIEWING(1) Christey

Comments:
 Wall> Reference Q179129
 Frech> XF:teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are.
 Christey> See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258


=================================
Candidate: CAN-1999-0411
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:sco-startup-scripts

Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p,
including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a
symlink attack, allowing a local user to gain root access.

CONTENT-DECISIONS: SF-EXEC

INFERRED ACTION: CAN-1999-0411 MOREVOTES (1 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Wall

Comments:
 Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not
 Frech> 19 February) mentions gaining root access... it says a local user could
 Frech> "delete or overwrite arbitrary files on the system."


=================================
Candidate: CAN-1999-0452
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

A service or application has a backdoor password that was placed there
by the developer.

INFERRED ACTION: CAN-1999-0452 REJECT (1 reject, 1 accept, 0 review)

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Frech

Comments:
 Frech> Much too broad. Also may be HIGHCARD (or will be in the future).


=================================
Candidate: CAN-1999-0537
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A configuration in a web browser such as Internet Explorer or Netscape
Navigator allows execution of active content such as ActiveX, Java,
Javascript, etc.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0537 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Frech

Comments:
 Frech> Good candidate for dot notation.
 Frech> XF:nav-java-enabled
 Frech> XF:nav-javascript-enabled
 Frech> XF:ie-active-content
 Frech> XF:ie-active-download
 Frech> XF:ie-active-scripting
 Frech> XF:ie-activex-execution
 Frech> XF:ie-java-enabled
 Frech> XF:netscape-javascript
 Frech> XF:netscape-java
 Frech> XF:zone-active-scripting
 Frech> XF:zone-activex-execution
 Frech> XF:zone-desktop-install
 Frech> XF:zone-low-channel
 Frech> XF:zone-file-download
 Frech> XF:zone-file-launch
 Frech> XF:zone-java-scripting
 Frech> XF:zone-low-java
 Frech> XF:zone-safe-scripting
 Frech> XF:zone-unsafe-scripting




--------------------- CLUSTER DESIGN ---------------------

DESIGN (27 candidates)
--------------------
Proposed: 7/20
Scheduled Proposed: 7/13
Scheduled Interim Decision: 8/2
Scheduled Final Decision: 8/6

Services or protocols with inherent design problems


Voters:
  Wall ACCEPT(2) NOOP(8)
  Frech ACCEPT(3) MODIFY(6) REVIEWING(2)
  Ozancin ACCEPT(8) RECAST(2)
  Northcutt ACCEPT(4) NOOP(3) REJECT(3)
  Meunier NOOP(1)
  Baker ACCEPT(10)


<FINAL> --> 17
<INTERIM> --> 1
<MODIFIED> --> 1
<PROPOSED> --> 8
ACCEPT --> 1
MODIFY --> 4
RECAST --> 2
REJECT --> 3
REVIEWING --> 1

=================================
Candidate: CAN-1999-0352
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-passwd-encrypt

ControlIT 4.5 and earlier (aka Remotely Possible) has weak password
encryption.

CONTENT-DECISIONS: DESIGN-WEAK-ENCRYPTION,SF-EXEC

INFERRED ACTION: CAN-1999-0352 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(2) Wall, Northcutt
   RECAST(1) Ozancin

Comments:
 Ozancin> Can we combine this with CAN-1999-0356 - ControlIT(tm) 4.5 and earlier uses
 Ozancin> weak encryption.


=================================
Candidate: CAN-1999-0356
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-bookfile-access

ControlIT v4.5 and earlier uses weak encryption to store
usernames and passwords in an address book.

CONTENT-DECISIONS: DESIGN-WEAK-ENCRYPTION,SF-EXEC

INFERRED ACTION: CAN-1999-0356 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(2) Wall, Northcutt
   RECAST(1) Ozancin


=================================
Candidate: CAN-1999-0476
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990331 Potential vulnerability in SCO TermVision Windows 95 client
Reference: XF:sco-termvision-password

A weak encryption algorithm is used for passwords in SCO TermVision,
allowing them to be easily decrypted by a local user.

Modifications:
  ADDREF BUGTRAQ:19990331 Potential vulnerability in SCO TermVision Windows 95 client

CONTENT-DECISIONS: DESIGN-WEAK-ENCRYPTION

INFERRED ACTION: CAN-1999-0476 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Baker, Ozancin, Frech
   NOOP(2) Wall, Northcutt


=================================
Candidate: CAN-1999-0613
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SA

The rpc.sprayd service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0613 REJECT (1 reject, 2 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt

Comments:
 Frech> XF:sprayd


=================================
Candidate: CAN-1999-0618
Published:
Final-Decision:
Interim-Decision:
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SA
Reference: XF:rexec

The rexec service is running.

Modifications:
  ADDREF XF:rexec

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0618 ACCEPT (4 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Wall, Northcutt, Baker, Ozancin
   MODIFY(1) Frech

Comments:
 Frech> XF:decod-rexec
 Frech> XF:rexec


=================================
Candidate: CAN-1999-0624
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990924-01
Proposed: 19990721
Assigned: 19990607
Category: SA
Reference: XF:rstat-out
Reference: XF:rstatd

The rstat/rstatd service is running.

Modifications:
  ADDREF XF:rstat-out
  ADDREF XF:rstatd

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0624 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Northcutt, Baker, Ozancin
   MODIFY(1) Frech
   NOOP(2) Wall, Meunier

Comments:
 Frech> XF:rstat-out
 Frech> XF:rstatd


=================================
Candidate: CAN-1999-0625
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SA

The rpc.rquotad service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0625 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Northcutt, Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

Comments:
 Frech> XF:rquotad


=================================
Candidate: CAN-1999-0629
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SA

The ident/identd service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0629 REJECT (1 reject, 1 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(2) Baker, Ozancin
   NOOP(1) Wall
   REJECT(1) Northcutt
   REVIEWING(1) Frech

Comments:
 Frech> possibly XF:identd?


=================================
Candidate: CAN-1999-0647
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SA

The bootparam (bootparamd) service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0647 REJECT (1 reject, 2 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt

Comments:
 Frech> XF:bootp


=================================
Candidate: CAN-1999-0655
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SA

A service may include useful information in its banner or help
function (such as the name and version), making it useful for
information gathering activities.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0655 ACCEPT_REV (3 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
   ACCEPT(4) Wall, Northcutt, Baker, Ozancin
   REVIEWING(1) Frech




--------------------- CLUSTER NTCONFIG ---------------------

NTCONFIG (13 candidates)
--------------------
Proposed: 7/20
Scheduled Proposed: 7/6
Scheduled Interim Decision: 8/2
Scheduled Final Decision: 8/6

Configuration problems related to NT


Voters:
  Frech MODIFY(11) REVIEWING(2)
  Shostack ACCEPT(12) REJECT(1)
  Wall ACCEPT(12) REVIEWING(1)
  Ozancin ACCEPT(9) MODIFY(3) RECAST(1)
  Christey ACCEPT(2)
  Northcutt ACCEPT(2) MODIFY(1) NOOP(1) RECAST(3) REJECT(6)
  Baker ACCEPT(8) MODIFY(2) REJECT(1) REVIEWING(2)


<PROPOSED> --> 13
MODIFY --> 4
RECAST --> 3
REJECT --> 6

=================================
Candidate: CAN-1999-0499
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF

NETBIOS share information may be published through SNMP registry keys
in NT.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0499 ACCEPT (5 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(5) Wall, Northcutt, Baker, Shostack, Ozancin
   MODIFY(1) Frech

Comments:
 Frech> Change wording to 'Windows NT.'
 Frech> XF:snmp-netbios


=================================
Candidate: CAN-1999-0534
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF

A Windows NT user has inappropriate rights or privileges, e.g. Act as
System, Add Workstation, Backup, Change System Time, Create Pagefile,
Create Permanent Object, Create Token Name, Debug, Generate Security
Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory,
Profile Single Process, Remote Shutdown, Replace Process Token,
Restore, System Environment, Take Ownership, or Unsolicited Input.

CONTENT-DECISIONS: CF-PRIVS

INFERRED ACTION: CAN-1999-0534 ACCEPT (5 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(5) Wall, Baker, Shostack, Ozancin, Christey
   MODIFY(2) Northcutt, Frech

Comments:
 Northcutt> If we are going to write a laundry list put access to the scheduler in it.
 Christey> The list of privileges is very useful for lookup.
 Frech> XF:nt-create-token
 Frech> XF:nt-replace-token
 Frech> XF:nt-lock-memory
 Frech> XF:nt-increase-quota
 Frech> XF:nt-unsol-input
 Frech> XF:nt-act-system
 Frech> XF:nt-create-object
 Frech> XF:nt-sec-audit
 Frech> XF:nt-add-workstation
 Frech> XF:nt-manage-log
 Frech> XF:nt-take-owner
 Frech> XF:nt-load-driver
 Frech> XF:nt-profile-system
 Frech> XF:nt-system-time
 Frech> XF:nt-single-process
 Frech> XF:nt-increase-priority
 Frech> XF:nt-create-pagefile
 Frech> XF:nt-backup
 Frech> XF:nt-restore
 Frech> XF:nt-debug
 Frech> XF:nt-system-env
 Frech> XF:nt-remote-shutdown


=================================
Candidate: CAN-1999-0535
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF

A Windows NT account policy for passwords has inappropriate,
security-critical settings, e.g. for password length, password age, or
uniqueness.

CONTENT-DECISIONS: CF-POLICY

INFERRED ACTION: CAN-1999-0535 RECAST (2 recast, 3 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Wall, Shostack
   MODIFY(2) Baker, Frech
   RECAST(2) Northcutt, Ozancin

Comments:
 Northcutt> inappropriate implies there is appropriate.  As a guy who has been
 Northcutt> monitoring
 Northcutt> networks for years I have deep reservations about justifying the existence
 Northcutt> of any fixed cleartext password. For appropriate to exist, some "we" would
 Northcutt> have to establish some criteria for appropriate passwords.
 Baker> Perhaps this could be re-worded a bit.  The CVE CAN-1999-00582
 Baker> specifies "...settings for lockouts".  To remain consistent with the
 Baker> other, maybe it should specify "...settings for passwords" I think
 Baker> most people would agree that passwords should be at least 8
 Baker> characters; contain letters (upper and lowercase), numbers and at
 Baker> least one non-alphanumeric; should only be good a limited time 30-90
 Baker> days; and should not contain character combinations from user's prior
 Baker> 2 or 3 passwords.
 Baker> Suggested rewrite -
 Baker> A Windows NT account policy does not enforce reasonable minimum
 Baker> security-critical settings for passwords, e.g. passwords of sufficient
 Baker> length, periodic required password changes, or new password uniqueness
 Ozancin> What is appropriate?
 Frech> XF:nt-autologonpwd
 Frech> XF:nt-pwlen
 Frech> XF:nt-maxage
 Frech> XF:nt-minage
 Frech> XF:nt-pw-history
 Frech> XF:nt-user-pwnoexpire
 Frech> XF:nt-unknown-pwdfilter
 Frech> XF:nt-pwd-never-expire
 Frech> XF:nt-pwd-nochange
 Frech> XF:nt-pwdcache-enable
 Frech> XF:nt-guest-change-passwords


=================================
Candidate: CAN-1999-0546
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF

The Windows NT guest account is enabled.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0546 ACCEPT (5 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(5) Wall, Northcutt, Baker, Shostack, Ozancin
   MODIFY(1) Frech

Comments:
 Frech> XF:nt-guest-account


=================================
Candidate: CAN-1999-0562
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF

The registry in Windows NT can be accessed remotely by users who are
not administrators.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0562 RECAST (1 recast, 4 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Wall, Baker, Shostack, Ozancin
   MODIFY(1) Frech
   RECAST(1) Northcutt

Comments:
 Northcutt> This isn't all or nothing, users may be allowed to access part of the
 Northcutt> registry.
 Frech> XF:nt-winreg-all
 Frech> XF:nt-winreg-net


=================================
Candidate: CAN-1999-0572
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF

.reg files are associated with the Windows NT registry editor, making
the registry susceptible to Trojan Horse attacks.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0572 ACCEPT (4 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Wall, Baker, Shostack, Ozancin
   MODIFY(1) Frech
   NOOP(1) Northcutt

Comments:
 Northcutt> I don't quite get what this means, sorry
 Frech> XF:nt-regfile


=================================
Candidate: CAN-1999-0575
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's user audit policy does not log an event success
or failure, e.g. for Logon and Logoff, File and Object Access, Use of
User Rights, User and Group Management, Security Policy Changes,
Restart, Shutdown, and System, and Process Tracking.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0575 RECAST (1 recast, 4 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(4) Wall, Shostack, Ozancin, Christey
   MODIFY(1) Frech
   RECAST(1) Northcutt
   REVIEWING(1) Baker

Comments:
 Northcutt> It isn't a great truth that you should enable all or the above, if you
 Northcutt> do you potentially introduce a vulnerability of filling up the file
 Northcutt> system with stuff you will never look at.
 Ozancin> It is far less interesting what a user does successfully than what they
 Ozancin> attempt and fail at.
 Christey> The list of event types is very useful for lookup.
 Frech> XF:nt-system-audit
 Frech> XF:nt-logon-audit
 Frech> XF:nt-object-audit
 Frech> XF:nt-privil-audit
 Frech> XF:nt-process-audit
 Frech> XF:nt-policy-audit
 Frech> XF:nt-account-audit


=================================
Candidate: CAN-1999-0576
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's file audit policy does not log an event success
or failure for security-critical files or directories.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0576 REJECT (1 reject, 4 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Wall, Baker, Shostack
   MODIFY(2) Ozancin, Frech
   REJECT(1) Northcutt

Comments:
 Northcutt> 1.) Too general are we ready to state what the security-critical files
 Northcutt> and directories are
 Northcutt> 2.) Does Ataris, Windows CE, PalmOS, Linux have such a capability
 Ozancin> Some files and directories are clearly understood to be critical. Others are
 Ozancin> unclear. We need to clarify what critical is.
 Frech> XF:nt-object-audit


=================================
Candidate: CAN-1999-0577
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's file audit policy does not log an event success
or failure for non-critical files or directories.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0577 REJECT (1 reject, 4 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(2) Wall, Shostack
   MODIFY(2) Ozancin, Frech
   REJECT(1) Northcutt
   REVIEWING(1) Baker

Comments:
 Ozancin> It is far less interesting what a user does successfully than what they
 Ozancin> attempt and fail at.
 Ozancin> Perhaps only failure should be logged.
 Frech> XF:nt-object-audit


=================================
Candidate: CAN-1999-0578
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's registry audit policy does not log an event
success or failure for security-critical registry keys.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0578 REJECT (1 reject, 3 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(4) Wall, Baker, Shostack, Ozancin
   REJECT(1) Northcutt
   REVIEWING(1) Frech

Comments:
 Ozancin> with reservation
 Ozancin> Again what is defined as critical


=================================
Candidate: CAN-1999-0579
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's registry audit policy does not log an event
success or failure for non-critical registry keys.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0579 REJECT (1 reject, 3 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(3) Wall, Baker, Shostack
   MODIFY(1) Ozancin
   REJECT(1) Northcutt
   REVIEWING(1) Frech

Comments:
 Ozancin> Again only failure may be of interest. It would be impractical to wade
 Ozancin> through the incredibly large amount of logging that this would generate. It
 Ozancin> could overwhelm log entries that you might find interesting.


=================================
Candidate: CAN-1999-0582
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF

A Windows NT account policy has inappropriate, security-critical
settings for lockout, e.g. lockout duration, lockout after bad logon
attempts, etc.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0582 REJECT (1 reject, 4 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Wall, Shostack, Ozancin
   MODIFY(2) Baker, Frech
   REJECT(1) Northcutt

Comments:
 Northcutt> The definition is?
 Baker> Maybe a rewording of this one too.  I think most people would agree on
 Baker> some "minimum" policies like 3-5 bad attempts lockout for an hour or
 Baker> until the administrator unlocks the account.
 Baker> Suggested rewrite -
 Baker> A Windows NT account policy does not enforce reasonable minimum
 Baker> security-critical settings for lockouts, e.g. lockout duration,
 Baker> lockout after bad logon attempts, etc.
 Ozancin> with reservations
 Ozancin> What is appropriate?
 Frech> XF:nt-thres-lockout
 Frech> XF:nt-lock-duration
 Frech> XF:nt-lock-window
 Frech> XF:nt-perm-lockout
 Frech> XF:lockout-disabled


=================================
Candidate: CAN-1999-0585
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF

A Windows NT administrator account has the default name of
Administrator.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0585 REJECT (3 reject, 2 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(1) Ozancin
   MODIFY(1) Frech
   REJECT(3) Northcutt, Baker, Shostack
   REVIEWING(1) Wall

Comments:
 Wall> Some sources say this is not a vulnerability, but a warning.  It just
 Wall> slows down the search for the admin account (SID = 500) which can
 Wall> always be found.
 Northcutt> I change this on all NT systems I am responsible for, but is
 Northcutt> root a vulnerability?
 Baker> There are ways to identify the administrator account anyway, so this
 Baker> is only a minor delay to someone that is knowledgeable.  This, in and
 Baker> of itself, doesn't really strike me as a vulnerability, anymore than
 Baker> the root account on a Unix box.
 Shostack> (there is no way to hide the account name today)
 Frech> XF:nt-adminexists




--------------------- CLUSTER PASS ---------------------

PASS (14 candidates)
--------------------
Proposed: 7/14
Scheduled Proposed: 7/6
Scheduled Interim Decision: 7/26
Scheduled Final Decision: 7/30

Configuration problems related to passwords


Voters:
  Shostack ACCEPT(14)
  Northcutt ACCEPT(14)
  Baker ACCEPT(14)
  Meunier ACCEPT(14)


<PROPOSED> --> 14
ACCEPT --> 14

=================================
Candidate: CAN-1999-0501
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF

A Unix account has a guessable password.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0501 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker


=================================
Candidate: CAN-1999-0502
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF

A Unix account has a default, null, blank, or missing password.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0502 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker


=================================
Candidate: CAN-1999-0503
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF

A Windows NT local user or administrator account has a guessable
password.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0503 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker


=================================
Candidate: CAN-1999-0504
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF

A Windows NT local user or administrator account has a default, null,
blank, or missing password.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0504 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker


=================================
Candidate: CAN-1999-0505
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF

A Windows NT domain user or administrator account has a guessable
password.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0505 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker


=================================
Candidate: CAN-1999-0506
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF

A Windows NT domain user or administrator account has a default, null,
blank, or missing password.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0506 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker


=================================
Candidate: CAN-1999-0507
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF

An account on a router, firewall, or other network device has a guessable
password.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0507 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker


=================================
Candidate: CAN-1999-0508
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF

An account on a router, firewall, or other network device has a
default, null, blank, or missing password.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0508 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker


=================================
Candidate: CAN-1999-0516
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF

An SNMP community name is guessable.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0516 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker


=================================
Candidate: CAN-1999-0517
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF

An SNMP community name is the default (e.g. public), null, or
missing.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0517 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker


=================================
Candidate: CAN-1999-0518
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF

A NETBIOS/SMB share password is guessable.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0518 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker


=================================
Candidate: CAN-1999-0519
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF

A NETBIOS/SMB share password is the default, null, or missing.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0519 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker


=================================
Candidate: CAN-1999-0521
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF

An NIS domain name is easily guessable.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0521 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker


=================================
Candidate: CAN-1999-0541
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF

A password for accessing a WWW URL is guessable.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0541 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Northcutt, Shostack, Meunier, Baker




--------------------- CLUSTER MULT2 ---------------------

MULT2 (14 candidates)
--------------------
Proposed: 7/13
Scheduled Interim Decision: 7/26
Scheduled Final Decision: 7/30

other vuln's with multiple executables/LOA content decision


Voters:
  Frech ACCEPT(2) REVIEWING(2)
  Shostack ACCEPT(1) NOOP(1) REJECT(2)
  Christey REVIEWING(1)
  Northcutt ACCEPT(4)


<FINAL> --> 10
<PROPOSED> --> 4
REJECT --> 2
REVIEWING --> 2

=================================
Candidate: CAN-1999-0169
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nfs-uid

NFS allows attackers to read and write any file on the system by
specifying a false UID.

INFERRED ACTION: CAN-1999-0169 REJECT (1 reject, 2 accept, 0 review)

Current Votes:
   ACCEPT(2) Northcutt, Frech
   REJECT(1) Shostack

Comments:
 Shostack> this is not a vulnerability but a design feature.


=================================
Candidate: CAN-1999-0171
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:syslog-flood

Denial of service in syslog by sending it a large number of
superfluous messages.

INFERRED ACTION: CAN-1999-0171 REJECT (1 reject, 2 accept, 1 review)

Current Votes:
   ACCEPT(2) Northcutt, Frech
   REJECT(1) Shostack
   REVIEWING(1) Christey

Comments:
 Shostack> design issue, not a vulnerability.  Alternately, add:
 Shostack> DOS on server by opening a large number of telnet sessions..
 Christey> Duplicate of CVE-1999-0566?


=================================
Candidate: CAN-1999-0193
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF

Denial of service in Ascend and 3com routers, which can be rebooted by
sending a zero length TCP option.

INFERRED ACTION: CAN-1999-0193 MOREVOTES (2 accept, 0 ack, 1 review)

Current Votes:
   ACCEPT(2) Northcutt, Shostack
   REVIEWING(1) Frech

Comments:
 Frech> possibly XF:ascend-kill
 Frech> I can't find a reference that lists both routers in the same reference.


=================================
Candidate: CAN-1999-0298
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: NAI:NAI-6

ypbind with -ypset and -ypsetme options activated
in Linux Slackware and SunOS allows local and remote attackers to
overwrite files.

INFERRED ACTION: CAN-1999-0298 MOREVOTES (1 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(1) Northcutt
   NOOP(1) Shostack
   REVIEWING(1) Frech




--------------------- CLUSTER MULT ---------------------

MULT (35 candidates)
--------------------
Proposed: 6/23
Scheduled Interim Decision: 7/5
Scheduled Final Decision: 7/9

Multiple executables split into


Voters:
  Wall ACCEPT(2) MODIFY(2)
  Levy ACCEPT(3) MODIFY(1)
  Ozancin ACCEPT(1) MODIFY(1) REVIEWING(1)
  Landfield ACCEPT(3) MODIFY(1) NOOP(1)
  Frech ACCEPT(4) MODIFY(11) RECAST(2) REVIEWING(2)
  Christey NOOP(3) RECAST(1) REJECT(1) REVIEWING(2)
  Northcutt ACCEPT(1) NOOP(3)
  Balinsky NOOP(1)
  Prosser ACCEPT(3) MODIFY(1) RECAST(2)
  Blake ACCEPT(2)


<FINAL> --> 15
<INTERIM> --> 1
<MODIFIED> --> 7
<PROPOSED> --> 11
ACCEPT --> 3
MODIFY --> 8
RECAST --> 4
REJECT --> 1
REVIEWING --> 3

=================================
Candidate: CAN-1999-0030
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul
Reference: XF:sgi-xlockbo
Reference: SGI:19970508-02-PX

root privileges via buffer overflow in xlock command on SGI IRIX
systems.

INFERRED ACTION: CAN-1999-0030 SMC_REJECT (1 reject, 3 accept, 0 review)

Current Votes:
   ACCEPT(3) Prosser, Levy, Ozancin
   RECAST(1) Frech
   REJECT(1) Christey

Comments:
 Frech> XF:xlock-bo (also add)
 Frech> As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and
 Frech> several Linii.
 Frech> Also, don't you mean to cite SGI:19970502-02-PX? The one you list is
 Frech> login/scheme.
 Levy> Notice that this xlock overflow is the same as in
 Levy> CA-97.13. CA-97.21 simply is a reminder.
 Christey> As pointed out by Elias, CA-97.21 states: "For more
 Christey> information about vulnerabilities in xlock... see CA-97.13"
 Christey> CA-97.13 = CVE-1999-0038.
 Christey> This may also be a duplicate with CAN-1999-0306.


=================================
Candidate: CAN-1999-0076
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:ftp-args

Buffer overflow in wu-ftp from PASV command causes a core dump.

Modifications:
  DESC make more explicit to distinguish from CAN-1999-0075

INFERRED ACTION: CAN-1999-0076 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Frech
   NOOP(1) Balinsky

Comments:
 Balinsky> Don't know what this is.  Is this the LIST Core dump vulnerability?


=================================
Candidate: CAN-1999-0092
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:006.1

Various vulnerabilities in the AIX portmir command allow
local users to obtain root access.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0092 MOREVOTES (1 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> XF:ibm-portmir


=================================
Candidate: CAN-1999-0101
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000105-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:001.1
Reference: ERS:ERS-SVA-E01-1996:007.1
Reference: SUN:00137a
Reference: CIAC:H-13
Reference: NAI:NAI-1
Reference: XF:ghbn-bo

Buffer overflow in AIX and Solaris "gethostbyname" library call allows
root access through corrupt DNS host names.

Modifications:
  ADDREF CIAC:H-13
  CHANGEREF SUN:00137 SUN:00137a
  ADDREF XF:ghbn-bo

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0101 ACCEPT_ACK (2 accept, 3 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Prosser
   MODIFY(1) Frech
   NOOP(1) Christey

Comments:
 Frech> XF:ghbn-bo
 Frech> in addition to ERS:1997:001.1, also include 1996:007.1
 Frech> Sun's bulletin is 137a, not 137.
 Prosser> concur with Andre, sun bul is 137a
 Christey> The NAI advisory discusses a problem with programs trusting
 Christey> the length field that is returned from gethostbyname().
 Christey> The ERS and SUN advisories implicitly refer to
 Christey> BUGTRAQ:19961118 Serious hole in Solaris 2.5[.1]
 Christey> gethostbyname() (exploit included)
 Christey> which allows local users to gain access by providing
 Christey> arguments *to* gethostbyname().
 Christey> As both Andre and Mike's comments relate to the advisories,
 Christey> NAI-1 will be deleted as a reference for this candidate, and
 Christey> a new candidate will be proposed later on.


=================================
Candidate: CAN-1999-0124
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability
Reference: XF:gopher-vuln

Vulnerabilities in UMN gopher and gopher+ allow an intruder to read
any files that can be accessed by the gopher daemon.

INFERRED ACTION: CAN-1999-0124 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Frech


=================================
Candidate: CAN-1999-0127
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.27.hp_sw_install
Reference: AUSCERT:AA-96.04
Reference: XF:hpux-swinstall

swinstall and swmodify commands in SD-UX package in HP-UX systems
allow local users to create or overwrite arbitrary files to gain root
access.

CONTENT-DECISIONS: SF-EXEC

INFERRED ACTION: CAN-1999-0127 ACCEPT_ACK (2 accept, 2 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Prosser
   MODIFY(1) Frech
   NOOP(1) Christey

Comments:
 Frech> (keep current XF: reference, and add)
 Frech> XF:hpux-sqwmodify
 Christey> Perhaps this should be split, per SF-LOC.


=================================
Candidate: CAN-1999-0231
Published:
Final-Decision:
Interim-Decision:
Modified: 19991207-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also

Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6
packages using a long VRFY command, causing a denial of service and
possibly remote access.

Modifications:
  ADDREF BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0231 RECAST (1 recast, 1 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(1) Levy
   NOOP(2) Northcutt, Landfield
   RECAST(1) Frech
   REVIEWING(1) Ozancin

Comments:
 Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below)
 Frech> XF:smtp-vrfy-bo (many mail packages)
 Northcutt> (There is no way I will have access to these systems)


=================================
Candidate: CAN-1999-0261
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980504 Netmanage Holes
Reference: INSECURE:http://www.insecure.org/sploits/netmanage.chameleon.overflows.html

Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0261 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   MODIFY(2) Frech, Landfield
   NOOP(1) Northcutt

Comments:
 Frech> XF:chamelion-smtp-dos
 Landfield> - Specify what "a crash" means.


=================================
Candidate: CAN-1999-0282
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.12.sun.loadmodule.vul

Vulnerabilities in loadmodule and modload programs in SunOS and OpenWindows

INFERRED ACTION: CAN-1999-0282 RECAST (1 recast, 1 accept, 0 review)

Current Votes:
   MODIFY(1) Frech
   RECAST(1) Prosser

Comments:
 Frech> XF:sun-loadmodule
 Frech> XF:sun-modload (CERT CA-93.18 very old!)
 Prosser> Believe the reference given, 95-12, is referencing a later
 Prosser> loadmodule(8) setuid problem in the X11/NeWS windowing system.  There is an
 Prosser> earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories
 Prosser> for the SunOS 4.1.x/Solbourne and OpenWindow 3.0.  In fact, they may be the
 Prosser> same as the HP patches are 100448-02 for the 93 loadmodule/modload
 Prosser> vulnerability and 100448-03 for the 95 loadmodule vulnerability which
 Prosser> normally indicated a patch update.  Looks like the original patch either
 Prosser> didn't completely fix the problem or it resurfaced in X11 NeWS.  Can't tell
 Prosser> much beyond that and this is my opinion only as have no way to check it.
 Prosser> Which one is this CVE referencing?  I accept both.


=================================
Candidate: CAN-1999-0284
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:smtp-helo-bo

Denial of service to NT mail servers including Ipswitch, Mdaemon, and
Exchange through a buffer overflow in the SMTP HELO command.

CONTENT-DECISIONS: SF-CODEBASE/DUPE CAN-1999-0098

INFERRED ACTION: CAN-1999-0284 SMC_REVIEW (5 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(2) Blake, Northcutt
   MODIFY(3) Frech, Levy, Ozancin
   REVIEWING(1) Christey

Comments:
 Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification)
 Frech> XF:mdaemon-helo-bo
 Frech> XF:lotus-notes-helo-crash
 Frech> XF:slmail-helo-overflow
 Frech> XF:smtp-helo-bo (mentions several products)
 Frech> XF:smtp-exchangedos
 Levy> - Need one per software. Each one should be its own
 Levy> vulnerability.
 Ozancin> => Windows NT is correct
 Christey> These are probably multiple codebases, so we'll need to use
 Christey> dot notation.  Also need to see if this should be merged
 Christey> with CAN-1999-0098 (Sendmail SMTP HELO).


=================================
Candidate: CAN-1999-0333
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK
Reference: HP:HPSBUX9810-085
Reference: XF:omniback-remote

HP OpenView Omniback allows remote execution of commands as root via
spoofing, and local users can gain root access via a symlink attack.

Modifications:
  ADDREF HP:HPSBUX9810-085

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0333 RECAST (1 recast, 2 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Frech
   MODIFY(1) Prosser
   RECAST(1) Christey

Comments:
 Prosser> additional source
 Prosser> HP Security Bulletin 85
 Prosser> http://us-support.external.hp.com
 Prosser> http://europe-support.external.hp.com
 Christey> Two separate bugs, so SF-LOC says this candidate should be
 Christey> split


=================================
Candidate: CAN-1999-0354
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:Jan27,1999
Reference: MS:MS99-002

Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution
of Visual Basic programs to the IE client through the Word 97
template, which doesn't warn the user that the template contains
executable content.  Also applies to Outlook when the client views a
malicious email message.

CONTENT-DECISIONS: SF-EXEC, SF-LOC

INFERRED ACTION: CAN-1999-0354 MOREVOTES (1 accept, 1 ack, 1 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REVIEWING(1) Frech


=================================
Candidate: CAN-1999-0415
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ISS:Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers

The Clickstart web server in Cisco 700 series routers allows remote
attackers to execute commands on the router, or perform information
gathering, without authentication.

INFERRED ACTION: CAN-1999-0415 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> Reference: ISS:March11,1999 (consistent with cluster 1, CAN-1999-0008)
 Frech> XF:cisco-router-commands
 Frech> XF:cisco-web-config


=================================
Candidate: CAN-1999-0416
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ISS:Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers

The Clickstart web server in Cisco 700 series routers allows remote
attackers to perform a denial of service.

INFERRED ACTION: CAN-1999-0416 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> Reference: ISS:March11,1999
 Frech> XF:cisco-web-crash


=================================
Candidate: CAN-1999-0435
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9903-096

MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain
privileges through SAM.

CONTENT-DECISIONS: SF-EXEC

INFERRED ACTION: CAN-1999-0435 MOREVOTES (1 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> XF:hp-servicegaurd


=================================
Candidate: CAN-1999-0467
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Reference: XF:http-cgi-webcom-guestbook

The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a
remote attacker to read arbitrary files using the "template"
parameter.

Modifications:
  ADDREF NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
  DESC Add "read file via templates."

CONTENT-DECISIONS: SF-EXEC

INFERRED ACTION: CAN-1999-0467 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Frech, Landfield, Blake
   NOOP(2) Northcutt, Christey

Comments:
 Christey> CAN-1999-0287 is probably a duplicate of CAN-1999-0467.  In
 Christey> NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
 Christey> Mnemonix says that he had previously reported on a similar
 Christey> problem.  Let's refer to the NTBugtraq posting as
 Christey> CAN-1999-0467.  We will refer to the "previous report" as
 Christey> CAN-1999-0287, which can be found at:
 Christey> http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
 Christey>
 Christey> 0287 describes an exploit via the "template" hidden variable.
 Christey> The exploit describes manually editing the HTML form to
 Christey> change the filename to read from the template variable.
 Christey>
 Christey> The exploit as described in 0467 encodes the template variable
 Christey> directly into the URL.  However, hidden variables are also
 Christey> encoded into the URL, which would have looked the same to
 Christey> the web server regardless of the exploit.  Therefore 0287
 Christey> and 0467 are the same.


=================================
Candidate: CAN-1999-0488
Published:
Final-Decision:
Interim-Decision:
Modified: 19991205-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-012

Internet Explorer 4.0 and 5.0 allows a remote attacker to execute
security scripts in a different security context using malicious
URLs, a variant of the "cross frame" vulnerability.

Modifications:
  DESC added cross-frame and version details

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0488 ACCEPT (3 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Landfield
   MODIFY(2) Frech, Wall

Comments:
 Frech> XF:ie-mshtml-crossframe
 Wall> (source: MSKB:Q168485)


=================================
Candidate: CAN-1999-0489
Published:
Final-Decision:
Interim-Decision:
Modified: 19991205-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-015

MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste
a file name into the file upload intrinsic control, a variant of
"untrusted scripted paste" as described in MS:MS98-013.

Modifications:
  DESC modified to discriminate more from "untrusted scripted
  paste" as described in MS:MS98-013.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0489 RECAST (1 recast, 2 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(1) Levy
   MODIFY(1) Wall
   RECAST(1) Prosser
   REVIEWING(1) Frech

Comments:
 Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a
 Frech> clipboard in either.
 Frech> I cannot proceed on this one without further clarification.
 Wall> (source: MS:MS99-012)
 Prosser> agree with Andre here.  The Untrusted Scripted paste
 Prosser> vulnerability was originally addressed in MS98-015 and it is in the file
 Prosser> upload intrinsic control in which an attacker can paste the name of a file
 Prosser> on the target's drive in the control and a form submission would then send
 Prosser> that file from the attacked machine to the remote web site.  This one has
 Prosser> nothing to do with the clipboard.  What the advisory mentioned here,
 Prosser> MS99-012, does is replace the MSHTML parsing engine which is supposed to fix
 Prosser> the original Untrusted Scripted Paste issue and a variant, as well as the
 Prosser> two Cross-Frame variants and a privacy issue in IMG SRC.
 Prosser> The vulnerability that allowed reading of a user's clipboard is the Forms
 Prosser> 2.0 Active X control vulnerability discussed in MS99-01


=================================
Candidate: CAN-1999-0490
Published:
Final-Decision:
Interim-Decision:
Modified: 19991205-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-012

MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn
information about a local user's files via an IMG SRC tag.

Modifications:
  DESC added "IMG SRC" details.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0490 SMC_REVIEW (3 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(2) Wall, Landfield
   MODIFY(1) Frech
   REVIEWING(1) Christey

Comments:
 Frech> XF:ie-scriplet-fileread
 Christey> Duplicate of CAN-1999-0347?

 
Page Last Updated: May 22, 2007