[VOTES] Vote details for remaining older clusters

This OLD-OTHER meta-cluster includes all other clusters that were
proposed in summer 1999.  A number of these candidates are for
important issues (e.g. related to CERT or vendor advisories), but are
mostly being held back due to unresolved content decisions or lack of
sufficient details.

DESC
VERIFY-TOOL
VERIFY-BUGTRAQ
IDS
FINGER
NOREFS
ONEREF
RESTLOW
DENY
NTLOW
BUF
CGI
VEN-BSD
VEN-OTHERS
VEN-SGI
VEN-HP
VEN-SUN
VEN-AIX
CERT

- Steve

--------------------- CLUSTER DESC ---------------------
DESC (2 candidates)
--------------------
Proposed: 7/28
Scheduled Proposed: 7/27
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Description/information problems

Voters:
  Frech      MODIFY(1)
  Wall       MODIFY(1) NOOP(1)
  Christey   NOOP(1) REVIEWING(1)
  Northcutt  NOOP(2)

<MODIFIED> --> 1
<PROPOSED> --> 1
MODIFY --> 1
REVIEWING --> 1

=================================
Candidate: CAN-1999-0001
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-98-13-tcp-denial-of-service
Reference: BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service

Denial of service in BSD-derived TCP/IP implementations, as described
in CERT CA-98-13.

Modifications:
  ADDREF BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service

INFERRED ACTION: CAN-1999-0001 SMC_REVIEW (0 accept, 1 review)

Current Votes:
  NOOP(2) Wall, Northcutt
  REVIEWING(1) Christey

Comments:
 Christey> A Bugtraq posting indicates that the bug has to do with
 Christey> "short packets with certain options set," so the description
 Christey> should be modified accordingly.
 Christey>
 Christey> But is this the same as CVE-1999-0052?  That one is related
 Christey> to nestea (CAN-1999-0257) and probably the one described in
 Christey> BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
 Christey> The patch for nestea is in ip_input.c around line 750.
 Christey> The patches for CAN-1999-0001 are in lines 388&446.  So,
 Christey> CAN-1999-0001 is different from CAN-1999-0257 and CVE-1999-0052.
 Christey> The FreeBSD patch for CVE-1999-0052 is in line 750.
 Christey> So, CAN-1999-0257 and CVE-1999-0052 may be the same, though
 Christey> CVE-1999-0052 should be RECAST since this bug affects Linux
 Christey> and other OSes besides FreeBSD.

=================================
Candidate: CAN-1999-0345
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Jolt ICMP attack causes a denial of service in Windows 95 and Windows
NT systems.

INFERRED ACTION: CAN-1999-0345 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(2) Wall, Frech
  NOOP(2) Northcutt, Christey

Comments:
 Wall> Invalid ICMP datagram fragments cause a denial of service in Windows 95 and
 Wall> Windows NT systems.
 Wall> Reference: Q154174.
 Wall> Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death.
 Wall> It is a modified teardrop 2 attack.
 Frech> XF:nt-ssping
 Frech> ADDREF XF:ping-death
 Frech> ADDREF XF:teardrop-mod
 Frech> ADDREF XF:mpeix-echo-request-dos
 Christey> I can't tell whether the Jolt exploit at:
 Christey>
 Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net
 Christey>
 Christey> is exploiting any different flaw than teardrop does.

--------------------- CLUSTER VERIFY-TOOL ---------------------
VERIFY-TOOL (7 candidates)
--------------------
Proposed: 7/27
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Problems mentioned in a tool, but not seen in other VDB's

Voters:
  Frech      NOOP(1)
  Shostack   MODIFY(1)
  Christey   NOOP(1) REJECT(1)
  Northcutt  ACCEPT(5) NOOP(2)

<MODIFIED> --> 2
<PROPOSED> --> 5
ACCEPT --> 3
MODIFY --> 1
NOOP --> 2
REJECT --> 1

=================================
Candidate: CAN-1999-0220
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Attackers can do a denial of service of IRC by crashing the server.

INFERRED ACTION: CAN-1999-0220 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
  NOOP(1) Northcutt

=================================
Candidate: CAN-1999-0226
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Windows NT TCP/IP processes fragmented IP packets improperly, causing
a denial of service.

INFERRED ACTION: CAN-1999-0226 SMC_REJECT (1 reject, 1 accept, 0 review)

Current Votes:
  ACCEPT(1) Northcutt
  REJECT(1) Christey

Comments:
 Christey> Too general, and no references.

=================================
Candidate: CAN-1999-0240
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Some filters or firewalls allow fragmented SYN packets with IP
reserved bits in violation of their implemented policy.

INFERRED ACTION: CAN-1999-0240 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Northcutt

=================================
Candidate: CAN-1999-0247
Published:
Final-Decision:
Interim-Decision:
Modified: 19991130-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: NAI:17

Buffer overflow in nnrpd program in INN up to version 1.6 allows
remote users to execute arbitrary commands.

Modifications:
  ADDREF NAI:17
  add version number

INFERRED ACTION: CAN-1999-0247 MOREVOTES (0 accept, 1 ack, 0 review)

Current Votes:
  NOOP(1) Northcutt

=================================
Candidate: CAN-1999-0248
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

sshd 1.2.17 can be compromised through the SSH protocol.

INFERRED ACTION: CAN-1999-0248 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Northcutt
  MODIFY(1) Shostack
  NOOP(1) Frech

Comments:
 Shostack> http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html
 Shostack> looks to me to be about the correct message that came from Tatu.
 Shostack> There are comments in changelog: * Improved the security of
 Shostack> auth_input_request_forwarding().
 Shostack>
 Shostack> I'm not in favor of moving this forward without additional detail, but
 Shostack> thought I'd add a confirming URL and comment.  We have insufficient
 Shostack> detail to accept it as a CVE.
 Frech> Try http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1; to wit
 Frech> (see asterisked section):
 Frech> ...
 Frech> *****
 Frech> Versions of ssh prior to 1.2.17 had problems with authentication agent
 Frech> handling on some machines. There is a chance (a race condition) that a
 Frech> malicious user could steal another user's credentials. This should be fixed
 Frech> in 1.2.17.
 Frech> *****

=================================
Candidate: CAN-1999-0493
Published:
Final-Decision:
Interim-Decision:
Modified: 19991203-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-99-05
Reference: SUN:00186
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)

rpc.statd allows remote attackers to forward RPC calls to the local
operating system via the SM_MON and SM_NOTIFY commands, which in turn
could be used to remotely exploit other bugs such as in automountd.

Modifications:
  Added numerous references

INFERRED ACTION: CAN-1999-0493 MOREVOTES (1 accept, 2 ack, 0 review)

Current Votes:
  ACCEPT(1) Northcutt
  NOOP(1) Christey

Comments:
 Christey> This candidate has been modified heavily.

=================================
Candidate: CAN-1999-0495
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

A remote attacker can gain access to a file system using .. (dot dot)
when accessing SMB shares.

INFERRED ACTION: CAN-1999-0495 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Northcutt

--------------------- CLUSTER VERIFY-BUGTRAQ ---------------------
VERIFY-BUGTRAQ (23 candidates)
--------------------
Proposed: 7/27
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Problems discussed on Bugtraq but not seen in VDB's, or not confirmed

Voters:
  Frech      MODIFY(21) REJECT(1) REVIEWING(1)
  Christey   NOOP(6) REVIEWING(2) REVOTE(1)

<MODIFIED> --> 15
<PROPOSED> --> 8
MODIFY --> 19
REJECT --> 1
REVIEWING --> 3

=================================
Candidate: CAN-1999-0378
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990222 BlackHats Advisory -- InterScan VirusWall
Reference: BUGTRAQ:19990225 Patch for InterScan VirusWall for Unix now available
Reference: XF:viruswall-http-request

InterScan VirusWall for Solaris doesn't scan files for viruses when a
single HTTP request includes two GET commands.

Modifications:
  ADDREF XF:viruswall-http-request
  ADDREF BUGTRAQ:19990225 Patch for InterScan VirusWall for Unix now available

INFERRED ACTION: CAN-1999-0378 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
  MODIFY(1) Frech

Comments:
 Frech> XF:viruswall-http-request

=================================
Candidate: CAN-1999-0387
Published:
Final-Decision:
Interim-Decision:
Modified: 19991206-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: MS:MS99-052
Reference: MSKB:Q168115
Reference: BID:829

A legacy credential caching mechanism used in Windows 95 and Windows
98 systems allows attackers to read plaintext network passwords.

Modifications:
  ADDREF MS:MS99-052
  ADDREF MSKB:Q168115
  ADDREF BID:829

INFERRED ACTION: CAN-1999-0387 REVOTE (0 accept, 1 review)

Current Votes:
  REVIEWING(1) Frech
  REVOTE(1) Christey

Comments:
 Frech> Term 'legacy' is vague and can be subject to interpretation.  Require a
 Frech> reference to establish this vulnerability.
 Christey> added refs

=================================
Candidate: CAN-1999-0393
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19981212 ** Sendmail 8.9.2 DoS - exploit ** get what you want!
Reference: XF:sendmail-parsing-redirection

Remote attackers can cause a denial of service in Sendmail 8.8.x and
8.9.2 by sending messages with a large number of headers.

Modifications:
  ADDREF XF:sendmail-parsing-redirection
  CHANGEREF BUGTRAQ [change date to 19981212]
  ADDREF BUGTRAQ:19990121 Sendmail 8.8.x/8.9.x bugware

INFERRED ACTION: CAN-1999-0393 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech

Comments:
 Frech> I assume that Reference: BUGTRAQ:Dec12,1999 is not attesting to the power of
 Frech> CVE to foresee events in the future.  This reference should be 12/12/98.
 Frech> ADDREF XF:sendmail-parsing-redirection

=================================
Candidate: CAN-1999-0394
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990115 DPEC Online Courseware

DPEC Online Courseware allows an attacker to change another user's
password without knowing the original password.

INFERRED ACTION: CAN-1999-0394 REJECT (1 reject, 0 accept, 0 review)

Current Votes:
  REJECT(1) Frech

Comments:
 Frech> If I understand the issue, this HIGHCARD involves insecure web programming.
 Frech> If I don't understand, mark this as my first NOOP.

=================================
Candidate: CAN-1999-0398
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990123 SSH 1.x and 2.x Daemon
Reference: BUGTRAQ:19990124 SSH Daemon
Reference: XF:ssh-exp-account-access

In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will
allow users with expired accounts to login.

Modifications:
  ADDREF XF:ssh-exp-account-access
  ADDREF BUGTRAQ:19990124 SSH Daemon

INFERRED ACTION: CAN-1999-0398 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech

Comments:
 Frech> Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet
 Frech> released.  v1.2.26 should be substituted in the description for '27.
 Frech> XF:ssh-exp-account-access

=================================
Candidate: CAN-1999-0399
Published:
Final-Decision:
Interim-Decision:
Modified: 20000105-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990124 Mirc 5.5 'DCC Server' hole
Reference: XF:mirc-dcc-metachar-filename

The DCC server command in the Mirc 5.5 client doesn't filter
characters from file names properly, allowing remote attackers to
place a malicious file in a different location, possibly allowing the
attacker to execute commands.

Modifications:
  ADDREF XF:mirc-dcc-metachar-filename

INFERRED ACTION: CAN-1999-0399 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech

Comments:
 Frech> XF:mirc-dcc-metachar-filename

=================================
Candidate: CAN-1999-0400
Published:
Final-Decision:
Interim-Decision:
Modified: 20000105-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990127 2.2.0 SECURITY (fwd)
Reference: XF:linux-kernel-ldd-dos
Reference: BID:344

Denial of service in Linux 2.2.0 running the ldd command on a core
file.

Modifications:
  ADDREF BUGTRAQ:19990127 2.2.0 SECURITY (fwd)
  ADDREF XF:linux-kernel-ldd-dos
  ADDREF BID:344

INFERRED ACTION: CAN-1999-0400 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech

Comments:
 Frech> BUGTRAQ:Jan27,1999
 Frech> (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22&
 Frech> msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com)
 Frech> XF:linux-kernel-ldd-dos

=================================
Candidate: CAN-1999-0401
Published:
Final-Decision:
Interim-Decision:
Modified: 20000105-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990202 [patch] /proc race fixes for 2.2.1 (fwd)
Reference: XF:linux-race-condition-proc

A race condition in Linux 2.2.1 allows local users to read arbitrary
memory from /proc files.

Modifications:
  ADDREF XF:linux-race-condition-proc

INFERRED ACTION: CAN-1999-0401 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech

Comments:
 Frech> XF:linux-race-condition-proc

=================================
Candidate: CAN-1999-0406
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:digital-networker-bo

Digital Unix Networker program nsralist has a buffer overflow which
allows local users to obtain root privilege.

INFERRED ACTION: CAN-1999-0406 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech

Comments:
 Frech> In description, change 'which' to 'that'.

=================================
Candidate: CAN-1999-0407
Published:
Final-Decision:
Interim-Decision:
Modified: 19991203-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS
Reference: MSKB:Q184619
Reference: XF:iis-iisadmpwd

By default, IIS 4.0 has a virtual directory /IISADMPWD which contains
files that can be used as proxies for brute force password attacks,
or to identify valid users on the system.

Modifications:
  Modified Bugtraq ref, added KB article and ISS ref

INFERRED ACTION: CAN-1999-0407 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
  MODIFY(1) Frech

Comments:
 Frech> ADDREF XF:iis-iisadmpwd

=================================
Candidate: CAN-1999-0419
Published:
Final-Decision:
Interim-Decision:
Modified: 20000105-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990319 Microsoft's SMTP service broken/stupid
Reference: XF:smtp-4xx-error-dos

When the Microsoft SMTP service attempts to send a message to a
server and receives a 4xx error code, it quickly and repeatedly
attempts to redeliver the message, causing a denial of service.

Modifications:
  ADDREF XF:smtp-4xx-error-dos

INFERRED ACTION: CAN-1999-0419 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech

Comments:
 Frech> XF:smtp-4xx-error-dos

=================================
Candidate: CAN-1999-0426
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990319 The default permissions on /dev/kmem is insecure.

The default permissions of /dev/kmem in Linux versions before 2.0.36
allows IP spoofing.

INFERRED ACTION: CAN-1999-0426 SMC_REVIEW (1 accept, 1 review)

Current Votes:
  MODIFY(1) Frech
  REVIEWING(1) Christey

Comments:
 Frech> XF:linux-dev-kmem-spoof
 Christey> DUPE CVE-1999-0414?
 Christey> XF:linux-dev-kmem-spoof does not exist.

=================================
Candidate: CAN-1999-0427
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
Reference: XF:eudora-long-attachments

Eudora 4.1 allows remote attackers to perform a denial of service by
sending attachments with long file names.

INFERRED ACTION: CAN-1999-0427 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech

Comments:
 Frech> Change version number to 4.2beta.  Second to last paragraph in bugtraq
 Frech> reference states: "Both the Win 95 and Win NT versions, along with the 4.2
 Frech> beta of Eudora are affected."

=================================
Candidate: CAN-1999-0431
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990324 DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug
Reference: XF:linux-zerolength-fragment

Linux 2.2.3 and earlier allow a remote attacker to perform an IP
fragmentation attack, causing a denial of service.

Modifications:
  ADDREF XF:linux-zerolength-fragment

INFERRED ACTION: CAN-1999-0431 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech

Comments:
 Frech> XF:linux-zerolength-fragment

=================================
Candidate: CAN-1999-0434
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990331 Bug in xfs
Reference: BID:359

XFree86 xfs command is vulnerable to a symlink attack, allowing local
users to create files in restricted directories, possibly allowing
them to gain privileges or cause a denial of service.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0434 MOREVOTES (1 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
  MODIFY(1) Frech
  NOOP(1) Christey

Comments:
 Frech> XF:xfree86-xfs-symlink-dos
 Christey> Is this the same problem as CVE-1999-0433?  CVE-1999-0433
 Christey> deals with a symlink attack on one file (/tmp/.X11-unix),
 Christey> while xfs (this candidate) deals with /tmp/.font-unix
 Christey> XF:xfree86-xfs-symlink-dos doesn't exist.

=================================
Candidate: CAN-1999-0443
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990409 Patrol security bugs
Reference: XF:bmc-patrol-replay

Patrol management software allows a remote attacker to conduct a
replay attack to steal the administrator password.

INFERRED ACTION: CAN-1999-0443 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech

Comments:
 Frech> Change "Patrol management software" to "The PATROL management product from
 Frech> BMC Software".

=================================
Candidate: CAN-1999-0444
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990412 ARP problem in Windows9X/NT
Reference: XF:windows-arp-dos

Remote attackers can perform a denial of service in Windows machines
using malicious ARP packets, forcing a message box display for each
packet or filling up log files.

Modifications:
  ADDREF XF:windows-arp-dos

INFERRED ACTION: CAN-1999-0444 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech

Comments:
 Frech> ADDREF: XF:windows-arp-dos

=================================
Candidate: CAN-1999-0461
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Versions of rpcbind including Linux, IRIX, and Wietse Venema's
rpcbind allow a remote attacker to insert and delete entries by
spoofing a source address.

INFERRED ACTION: CAN-1999-0461 SMC_REVIEW (1 accept, 1 review)

Current Votes:
  MODIFY(1) Frech
  REVIEWING(1) Christey

Comments:
 Frech> ADDREF XF:pmap-sset
 Christey> CAN-1999-0195 = CAN-1999-0461 ?

=================================
Candidate: CAN-1999-0462
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990114 Secuity hole with perl (suidperl) and nosuid mounts on Linux
Reference: BID:339

suidperl in Linux Perl does not check the nosuid mount option on file
systems, allowing local users to gain root access by placing a setuid
script in a mountable file system, e.g. a CD-ROM or floppy disk.

INFERRED ACTION: CAN-1999-0462 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech
  NOOP(1) Christey

Comments:
 Frech> XF:perl-suidperl-bo
 Christey> XF:perl-suidperl-bo doesn't exist.

=================================
Candidate: CAN-1999-0464
Published:
Final-Decision:
Interim-Decision:
Modified: 19991205-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990104 Tripwire mess..

Local users can perform a denial of service in Tripwire 1.2 and
earlier using long filenames.

Modifications:
  ADDREF BUGTRAQ:19990104 Tripwire mess..

INFERRED ACTION: CAN-1999-0464 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
  MODIFY(1) Frech
  NOOP(1) Christey

Comments:
 Frech> XF:tripwire-long-filename-dos
 Christey> XF:tripwire-long-filename-dos doesn't exist.

=================================
Candidate: CAN-1999-0480
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980315 Midnight Commander /tmp race

Local attackers can conduct a denial of service in Midnight Commander
4.x with a symlink attack.

Modifications:
  CHANGEREF BUGTRAQ [date,title]

INFERRED ACTION: CAN-1999-0480 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech
  NOOP(1) Christey

Comments:
 Frech> XF:midnight-commander-symlink-dos
 Christey> XF:midnight-commander-symlink-dos

=================================
Candidate: CAN-1999-0486
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990420 AOL Instant Messenger URL Crash

Denial of service in AOL Instant Messenger when a remote attacker
sends a malicious hyperlink to the receiving client, potentially
causing a system crash.

Modifications:
  CHANGEREF BUGTRAQ [add title]

INFERRED ACTION: CAN-1999-0486 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech
  NOOP(1) Christey

Comments:
 Frech> XF:aol-im.
 Christey> XF:aol-im appears to be related to the problem discussed in
 Christey> BUGTRAQ:19980224 AOL Instant Messanger Bug
 Christey>
 Christey> This one is related to BUGTRAQ:19990420 AOL Instant Messenger URL Crash

=================================
Candidate: CAN-1999-0491
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990420 Bash Bug
Reference: BID:119

The prompt parsing in bash allows a local user to execute commands as
another user by creating a directory with the name of the command to
execute.

Modifications:
  CHANGEREF BUGTRAQ [title]

INFERRED ACTION: CAN-1999-0491 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
  MODIFY(1) Frech
  NOOP(1) Christey

Comments:
 Frech> bash-prompt-pars-dir
 Christey> XF:bash-prompt-pars-dir doesn't exist.

--------------------- CLUSTER IDS ---------------------
IDS (5 candidates)
--------------------
Proposed: 7/26
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Problems with IDSes

Voters:
  Northcutt  ACCEPT(5)

<PROPOSED> --> 5
ACCEPT --> 5

=================================
Candidate: CAN-1999-0598
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A network intrusion detection system (IDS) does not properly handle
packets that are sent out of order, allowing an attacker to escape
detection.

INFERRED ACTION: CAN-1999-0598 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Northcutt

=================================
Candidate: CAN-1999-0599
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A network intrusion detection system (IDS) does not properly handle
packets with improper sequence numbers.

INFERRED ACTION: CAN-1999-0599 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Northcutt

=================================
Candidate: CAN-1999-0600
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A network intrusion detection system (IDS) does not verify the
checksum on a packet.

INFERRED ACTION: CAN-1999-0600 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Northcutt

=================================
Candidate: CAN-1999-0601
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A network intrusion detection system (IDS) does not properly handle
data within TCP handshake packets.

INFERRED ACTION: CAN-1999-0601 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Northcutt

=================================
Candidate: CAN-1999-0602
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A network intrusion detection system (IDS) does not properly
reassemble fragmented packets.

INFERRED ACTION: CAN-1999-0602 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Northcutt

--------------------- CLUSTER FINGER ---------------------
FINGER (6 candidates)
--------------------
Proposed: 7/26
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Problems related to finger

Voters:
  Frech      MODIFY(3) REVIEWING(3)
  Shostack   ACCEPT(1) MODIFY(5)
  Christey   REVIEWING(1)
  Northcutt  ACCEPT(2) NOOP(1) REJECT(3)

<INTERIM> --> 1
<PROPOSED> --> 5
MODIFY --> 1
REJECT --> 3
REVIEWING --> 2

=================================
Candidate: CAN-1999-0105
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

finger allows recursive searches by using a long string of @ symbols.

INFERRED ACTION: CAN-1999-0105 REJECT (1 reject, 2 accept, 0 review)

Current Votes:
  MODIFY(2) Shostack, Frech
  REJECT(1) Northcutt

Comments:
 Shostack> fingerD
 Frech> XF:finger-bomb

=================================
Candidate: CAN-1999-0106
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

Finger redirection allows finger bombs.

INFERRED ACTION: CAN-1999-0106 SMC_REVIEW (3 accept, 1 review)

Current Votes:
  ACCEPT(1) Northcutt
  MODIFY(2) Shostack, Frech
  REVIEWING(1) Christey

Comments:
 Shostack> fingerd allows redirection
 Shostack> This is a larger modification, since there are two applications of the
 Shostack> vulnerability, one that I can finger anonymously, and the other that I
 Shostack> can finger bomb anonymously.
 Frech> XF:finger-bomb
 Christey> need more refs

=================================
Candidate: CAN-1999-0197
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

finger 0@host on some systems may print information on some user
accounts.

INFERRED ACTION: CAN-1999-0197 REJECT (1 reject, 1 accept, 1 review)

Current Votes:
  MODIFY(1) Shostack
  REJECT(1) Northcutt
  REVIEWING(1) Frech

Comments:
 Shostack> fingerd may respond to 'finger 0@host' with account info
 Frech> Need more reference to establish this 'exposure'.

=================================
Candidate: CAN-1999-0198
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

finger .@host on some systems may print information on some user
accounts.

INFERRED ACTION: CAN-1999-0198 REJECT (1 reject, 1 accept, 1 review)

Current Votes:
  MODIFY(1) Shostack
  REJECT(1) Northcutt
  REVIEWING(1) Frech

Comments:
 Shostack> as above
 Frech> Need more reference to establish this 'exposure'.

=================================
Candidate: CAN-1999-0259
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000106-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19970523 cfingerd vulnerability
Reference: XF:cfinger-user-enumeration

cfingerd lists all users on a system via search.**@target.

Modifications:
  ADDREF BUGTRAQ:19970523 cfingerd vulnerability
  ADDREF XF:cfinger-user-enumeration

INFERRED ACTION: CAN-1999-0259 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(1) Shostack
  MODIFY(1) Frech
  NOOP(1) Northcutt

Comments:
 Frech> XF:cfinger-user-enumeration

=================================
Candidate: CAN-1999-0492
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr23,1999

The ffingerd 1.19 allows remote attackers to identify users on the
target system based on its responses.

INFERRED ACTION: CAN-1999-0492 MOREVOTES (2 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(1) Northcutt
  MODIFY(1) Shostack
  REVIEWING(1) Frech

Comments:
 Shostack> isn't that what finger is supposed to do?

--------------------- CLUSTER NOREFS ---------------------
NOREFS (23 candidates)
--------------------
Proposed: 7/13
Scheduled Proposed: 7/6
Scheduled Interim Decision: 7/26
Scheduled Final Decision: 7/30

Vulnerability has no references, but is tested by some tool

Voters:
  Frech      MODIFY(16) REVIEWING(2)
  Wall       MODIFY(3) NOOP(15)
  Shostack   ACCEPT(5) MODIFY(4) NOOP(9)
  Christey   NOOP(4) RECAST(1) REJECT(4) REVIEWING(3) REVOTE(3)
  Northcutt  NOOP(18)
  Blake      NOOP(1)

<FINAL> --> 5
<INTERIM> --> 1
<MODIFIED> --> 12
<PROPOSED> --> 5
MODIFY --> 9
RECAST --> 1
REJECT --> 4
REVIEWING --> 4

=================================
Candidate: CAN-1999-0020
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990714
Assigned: 19990607
Category: SF

** REJECT ** Duplicate of CVE-1999-0032 ** REJECT **

Buffer overflow in Linux lpr command gives root access.

Modifications:
  DESC Add REJECT header.

INFERRED ACTION: CAN-1999-0020 SMC_REJECT (1 reject, 1 accept, 0 review)

Current Votes:
  MODIFY(1) Frech
  NOOP(3) Northcutt, Shostack, Wall
  REJECT(1) Christey

Comments:
 Frech> XF:lpr-bo
 Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo

=================================
Candidate: CAN-1999-0107
Published:
Final-Decision:
Interim-Decision:
Modified: 19991223-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:apache-dos
Reference: BUGTRAQ:19971230 Apache DoS attack?

Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker
to cause a denial of service with a large number of GET requests
containing a large number of / characters.

Modifications:
  ADDREF XF:apache-dos
  ADDREF BUGTRAQ:19971230 Apache DoS attack?
  DESC make more explicit

INFERRED ACTION: CAN-1999-0107 REVOTE (1 accept, 0 review)

Current Votes:
  MODIFY(1) Frech
  NOOP(3) Northcutt, Shostack, Wall
  REVOTE(1) Christey

Comments:
 Wall> - Although this is probably the phf hack.
 Frech> XF:apache-dos

=================================
Candidate: CAN-1999-0110
Published:
Final-Decision:
Interim-Decision: 19990810
Modified: 20000106-01
Proposed: 19990714
Assigned: 19990607
Category: SF

** REJECT ** Duplicate of CVE-1999-0315 (this has a typo) ** REJECT **

Buffer overflow in fbformat command in Solaris.

INFERRED ACTION: CAN-1999-0110 SMC_REJECT (1 reject, 1 accept, 0 review)

Current Votes:
  MODIFY(1) Frech
  NOOP(3) Northcutt, Shostack, Wall
  REJECT(1) Christey

Comments:
 Frech> XF:fdformat-bo
 Christey> Duplicate of CAN-1999-0315

=================================
Candidate: CAN-1999-0114
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990912 elm filter program
Reference: BUGTRAQ:19951226 filter (elm package) security hole
Reference: XF:elm-filter2

Local users can execute commands as other users, and read other
users' files, through the filter command in the Elm elm-2.4 mail
package using a symlink attack.

Modifications:
  ADDREF XF:elm-filter2
  ADDREF BUGTRAQ:19951226 filter (elm package) security hole
  ADDREF BUGTRAQ:19990912 elm filter program

INFERRED ACTION: CAN-1999-0114 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(1) Shostack
  MODIFY(1) Frech
  NOOP(2) Northcutt, Wall

Comments:
 Frech> XF:elm-filter2

=================================
Candidate: CAN-1999-0115
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19970909 AIX bugfiler
Reference: XF:ibm-bugfiler

AIX bugfiler program allows local users to gain root access.

Modifications:
  ADDREF BUGTRAQ:19970909 AIX bugfiler
  ADDREF XF:ibm-bugfiler

INFERRED ACTION: CAN-1999-0115 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
  MODIFY(1) Frech
  NOOP(4) Northcutt, Shostack, Wall, Christey

Comments:
 Frech> XF:ibm-bugfiler
 Christey> I could not find any acknowledgement of this bug on the IBM
 Christey> web site.

=================================
Candidate: CAN-1999-0118
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
Reference: XF:aix-infod

AIX infod allows local users to gain root access through an X display.

Modifications:
  ADDREF XF:aix-infod
  ADDREF BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD

INFERRED ACTION: CAN-1999-0118 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
  MODIFY(1) Frech
  NOOP(4) Northcutt, Shostack, Wall, Christey

Comments:
 Frech> XF:aix-infod
 Christey> See BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
 Christey> An AIX patch list confirms this problem.

=================================
Candidate: CAN-1999-0195
Published:
Final-Decision:
Interim-Decision:
Modified: 19991130-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990128 rpcbind: deceive, enveigle and obfuscate

Denial of service in RPC portmapper allows attackers to register or
unregister RPC services or spoof RPC services using a spoofed source
IP address such as 127.0.0.1.

Modifications:
  Add Bugtraq reference, expand description

INFERRED ACTION: CAN-1999-0195 SMC_REVIEW (2 accept, 1 review)

Current Votes:
  ACCEPT(1) Shostack
  MODIFY(1) Frech
  NOOP(2) Northcutt, Wall
  REVIEWING(1) Christey

Comments:
 Frech> XF:rpcbind-spoof
 Christey> CAN-1999-0195 = CAN-1999-0461 ?

=================================
Candidate: CAN-1999-0200
Published:
Final-Decision:
Interim-Decision:
Modified: 19991130-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: MSKB:Q137853

Windows NT FTP server (WFTP) with the guest account enabled without a
password allows an attacker to log into the FTP server using any
username and password.

Modifications:
  Expand WFTP to Windows FTP, clarify situation
  ADDREF MSKB:Q137853

INFERRED ACTION: CAN-1999-0200 REVOTE (2 accept, 0 review)

Current Votes:
  MODIFY(2) Shostack, Frech
  NOOP(2) Northcutt, Wall
  REVOTE(1) Christey

Comments:
 Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another?
 Frech> Others have mentioned this before, but it may be WU-FTP.
 Frech> POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root
 Frech> access without anon FTP or a regular account?
 Frech> POSSIBLY XF:wu-ftpd-exec; same as above conditions, but instead from a
 Frech> non-anon FTP account and gain root privs.
 Christey> added MSKB reference

=================================
Candidate: CAN-1999-0210
Published:
Final-Decision:
Interim-Decision:
Modified: 19991130-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19971126 Solaris 2.5.1 automountd exploit (fwd)
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: HP:HPSBUX9910-104
Reference: CERT:CA-99-05

Automount daemon automountd allows local or remote users to gain
privileges via shell metacharacters.

Modifications:
  Changed description and added references.

INFERRED ACTION: CAN-1999-0210 SMC_REVIEW (2 accept, 1 review)

Current Votes:
  MODIFY(2) Shostack, Frech
  NOOP(2) Northcutt, Wall
  REVIEWING(1) Christey

Comments:
 Shostack> I think there was an SNI advisory on this
 Frech> Not enough information; POSSIBLY XF:sun-automountd (changing mount options)
 Christey> This is a tough one.
There's an old automount bug that's Christey> only locally exploitable, then a newer rpc.statd bug allows Christey> it to be remotely exploitable. There's at least two bugs, Christey> but should there be three? Also see CERT:CA-99-05 Christey> Christey> Also see CAN-1999-0088 and CAN-1999-0493 ================================= Candidate: CAN-1999-0222 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL. INFERRED ACTION: CAN-1999-0222 SMC_REVIEW (2 accept, 1 review) Current Votes: MODIFY(2) Shostack, Frech NOOP(2) Northcutt, Wall REVIEWING(1) Christey Comments: Shostack> I follow cisco announcements and problems pretty closely, and haven't Shostack> seen this. Source? Frech> XF:cisco-web-crash Christey> XF:cisco-web-crash has no additional references. I can't find Christey> any references in Bugtraq or Cisco either. This bug is Christey> supposedly tested by at least one security product, but that Christey> product's database doesn't have any references either. So Christey> a question becomes, how did it make it into at least two Christey> security companies' databases? ================================= Candidate: CAN-1999-0223 Published: Final-Decision: Interim-Decision: Modified: 20000106-01 Proposed: 19990714 Assigned: 19990607 Category: SF Reference: BUGTRAQ:19961109 Syslogd and Solaris 2.4 Reference: XF:sol-syslogd-crash Solaris syslogd crashes when receiving a message from a host that doesn't have an inverse DNS entry. 
Modifications: ADDREF BUGTRAQ:19961109 Syslogd and Solaris 2.4 ADDREF XF:sol-syslogd-crash INFERRED ACTION: CAN-1999-0223 MOREVOTES (1 accept, 0 ack, 0 review) Current Votes: MODIFY(1) Frech NOOP(3) Northcutt, Shostack, Wall Comments: Frech> XF:sol-syslogd-crash ================================= Candidate: CAN-1999-0229 Published: Final-Decision: Interim-Decision: Modified: 19991228-02 Proposed: 19990714 Assigned: 19990607 Category: SF Reference: MSKB:Q115052 Denial of service in Windows NT IIS server using ..\.. Modifications: ADDREF MSKB:Q115052 ADDREF XF:http-dotdot DELREF XF:http-dotdot INFERRED ACTION: CAN-1999-0229 REVOTE (3 accept, 0 review) Current Votes: ACCEPT(1) Shostack MODIFY(2) Wall, Frech NOOP(1) Northcutt REVOTE(1) Christey Comments: Wall> Denial of service in Windows NT IIS Server 1.0 using ..\... Wall> Source: Microsoft Knowledge Base Article Q115052 - IIS Server. Frech> XF:http-dotdot (not necessarily IIS?) Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot Christey> problem. ================================= Candidate: CAN-1999-0242 Published: Final-Decision: Interim-Decision: Modified: 20000106-01 Proposed: 19990714 Assigned: 19990607 Category: SF Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole Reference: XF:linux-pop3d Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords. Modifications: ADDREF BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole ADDREF XF:linux-pop3d INFERRED ACTION: CAN-1999-0242 MOREVOTES (1 accept, 0 ack, 0 review) Current Votes: MODIFY(1) Frech NOOP(4) Northcutt, Shostack, Wall, Christey Comments: Frech> Ambiguous description: need more detail. 
Possibly: Frech> XF:linux-pop3d (mktemp() leads to reading e-mail) Christey> At first glance this might look like CAN-1999-0123 or Christey> CVE-1999-0125, however this particular candidate arises out Christey> of a brief mention of the problem in a larger posting which Christey> discusses CAN-1999-0123 (which may be the same bug as Christey> CVE-1999-0125). See the following phrase in the Bugtraq Christey> post: "one such example of this is in.pop3d" Christey> Christey> However, the original source of this candidate's description Christey> explicitly mentions shadowed passwords, though it has no Christey> references to help out here. ================================= Candidate: CAN-1999-0243 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Linux cfingerd could be exploited to gain root access. INFERRED ACTION: CAN-1999-0243 SMC_REJECT (1 reject, 1 accept, 1 review) Current Votes: ACCEPT(1) Shostack NOOP(2) Northcutt, Wall REJECT(1) Christey REVIEWING(1) Frech Comments: Christey> This has no sources; neither does the original database that Christey> this entry came from. It's a likely duplicate of Christey> CAN-1999-0813. ================================= Candidate: CAN-1999-0249 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Windows NT RSHSVC program allows remote users to execute arbitrary commands. INFERRED ACTION: CAN-1999-0249 RECAST (1 recast, 2 accept, 0 review) Current Votes: MODIFY(2) Wall, Frech NOOP(2) Northcutt, Shostack RECAST(1) Christey Comments: Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows Wall> remote Wall> users to execute arbitrary commands. Wall> Source: rshsvc.txt from the Windows NT Resource Kit. Frech> XF:rsh-svc Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case Christey> where remote users coming from authorized machines are Christey> allowed access regardless of what .rhosts says. 
XF:rsh-svc Christey> refers to a bug circa 1997 where any remote entity could Christey> execute commands as system. ================================= Candidate: CAN-1999-0286 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages. INFERRED ACTION: CAN-1999-0286 MOREVOTES (2 accept, 0 ack, 1 review) Current Votes: ACCEPT(1) Shostack MODIFY(1) Wall NOOP(2) Northcutt, Christey REVIEWING(1) Frech Comments: Wall> In some NT web servers, appending a dot at the end of a URL may Wall> allows attackers to read source code for active pages. Wall> Source: MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears Wall> in Browser" Frech> In the meantime, reword description as 'Windows NT' (trademark issue) Christey> Q163485 does not refer to a space, it refers to a dot. Christey> However, I don't have other references. Christey> Christey> Reading source code with a dot appended is in CAN-1999-0154, Christey> which will be proposed. A subsequent bug similar to the Christey> dot bug is CAN-1999-0253. ================================= Candidate: CAN-1999-0287 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Vulnerability in the Wguest CGI program. INFERRED ACTION: CAN-1999-0287 SMC_REJECT (1 reject, 2 accept, 0 review) Current Votes: MODIFY(2) Shostack, Frech NOOP(3) Northcutt, Wall, Blake REJECT(1) Christey Comments: Shostack> allows file reading Frech> XF:http-cgi-webcom-guestbook Christey> CAN-1999-0287 is probably a duplicate of CAN-1999-0467. In Christey> NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers Christey> Mnemonix says that he had previously reported on a similar Christey> problem. Let's refer to the NTBugtraq posting as Christey> CAN-1999-0467. 
We will refer to the "previous report" as Christey> CAN-1999-0287, which could be found at: Christey> http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html Christey> Christey> 0287 describes an exploit via the "template" hidden variable. Christey> The exploit describes manually editing the HTML form to Christey> change the filename to read from the template variable. Christey> Christey> The exploit as described in 0467 encodes the template variable Christey> directly into the URL. However, hidden variables are also Christey> encoded into the URL, which would have looked the same to Christey> the web server regardless of the exploit. Therefore 0287 Christey> and 0467 are the same. ================================= Candidate: CAN-1999-0330 Published: Final-Decision: Interim-Decision: Modified: 20000105-01 Proposed: 19990714 Assigned: 19990607 Category: SF Reference: BUGTRAQ:19940101 (No Subject) Reference: XF:bdash-bo Linux bdash game has a buffer overflow that allows local users to gain root access. 
Modifications: ADDREF BUGTRAQ:19940101 (No Subject) ADDREF XF:bdash-bo INFERRED ACTION: CAN-1999-0330 MOREVOTES (1 accept, 0 ack, 0 review) Current Votes: MODIFY(1) Frech NOOP(3) Northcutt, Shostack, Wall Comments: Frech> XF:bdash-bo --------------------- CLUSTER ONEREF --------------------- ONEREF (43 candidates) -------------------- Proposed: 7/13 Scheduled Proposed: 7/6 Scheduled Interim Decision: 7/26 Scheduled Final Decision: 7/30 Vulnerability only has one reference Voters: Frech ACCEPT(5) MODIFY(1) RECAST(1) Shostack ACCEPT(1) MODIFY(2) NOOP(3) RECAST(1) Christey NOOP(1) RECAST(2) REJECT(2) REVIEWING(2) Northcutt ACCEPT(7) Baker ACCEPT(3) NOOP(4) Prosser MODIFY(2) NOOP(3) RECAST(1) REVIEWING(1) <FINAL> --> 36 <MODIFIED> --> 2 <PROPOSED> --> 5 RECAST --> 4 REJECT --> 2 REVIEWING --> 2 ================================= Candidate: CAN-1999-0156 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Reference: XF:ftp-pwless wu-ftpd FTP daemon allows any user and password combination. INFERRED ACTION: CAN-1999-0156 RECAST (1 recast, 2 accept, 1 review) Current Votes: ACCEPT(2) Northcutt, Shostack NOOP(1) Baker RECAST(1) Frech REVIEWING(1) Prosser Comments: Prosser> but so far can find no reference to this one Frech> Our records indicate that this does not necessarly affect just wu-ftp (ie, Frech> also affects IIS FTP server). ================================= Candidate: CAN-1999-0163 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Reference: XF:smtp-pipe In older versions of Sendmail, an attacker could use a pipe character to execute root commands. INFERRED ACTION: CAN-1999-0163 RECAST (1 recast, 3 accept, 0 review) Current Votes: ACCEPT(2) Northcutt, Frech MODIFY(1) Prosser NOOP(2) Baker, Christey RECAST(1) Shostack Comments: Shostack> there was a 'To: |' and a 'From: |' attack, which I Shostack> think are seperate. 
Prosser> older vulnerability, but one additional reference is- Prosser> The Ultimate Sendmail Hole List by Markus Hübner @ Prosser> bau2.uibk.ac.at/matic/buglist.htm Prosser> '|PROGRAM ' Christey> Description needs to be more specific to distinguish between Christey> this and CAN-1999-0203, as alluded to by Adam Shostack ================================= Candidate: CAN-1999-0165 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Reference: XF:nfs-cache NFS cache poisoning INFERRED ACTION: CAN-1999-0165 SMC_REVIEW (3 accept, 1 review) Current Votes: ACCEPT(3) Northcutt, Baker, Frech MODIFY(1) Shostack NOOP(1) Prosser REVIEWING(1) Christey Comments: Shostack> need more data Christey> need more refs ================================= Candidate: CAN-1999-0306 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Reference: XF:hp-xlock buffer overflow in HP xlock program. CONTENT-DECISIONS: SF-CODEBASE INFERRED ACTION: CAN-1999-0306 SMC_REJECT (1 reject, 3 accept, 0 review) HAS_CDS Current Votes: ACCEPT(3) Northcutt, Baker, Frech MODIFY(1) Prosser NOOP(1) Shostack REJECT(1) Christey Comments: Prosser> This is another of those with multiple affected OSs. Prosser> Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt, Prosser> HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150 Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is Christey> the same problem as in CERT:CA-97.13, which is CVE-1999-0038. ================================= Candidate: CAN-1999-0307 Published: Final-Decision: Interim-Decision: Modified: 19991207-01 Proposed: 19990714 Assigned: 19990607 Category: SF Reference: BUGTRAQ:19961116 This week: turn me on, dead man Reference: XF:hpux-cstm-bo Buffer overflow in HP-UX cstm program allows local users to gain root privileges. 
Modifications: ADDREF BUGTRAQ:19961116 This week: turn me on, dead man CONTENT-DECISIONS: SF-EXEC INFERRED ACTION: CAN-1999-0307 RECAST (1 recast, 2 accept, 0 review) HAS_CDS Current Votes: ACCEPT(2) Northcutt, Frech NOOP(3) Shostack, Prosser, Baker RECAST(1) Christey Comments: Prosser> only ref I can find is an old SOD exploit on Prosser> www.outpost9.com Christey> MERGE CAN-1999-0336 (likely same codebase) Christey> Also, there does not seem to be any recognition of this problem Christey> by HP. The only other information besides the Bugtraq post Christey> is the SOD exploit. ================================= Candidate: CAN-1999-0331 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Reference: XF:msie-bo Buffer overflow in Internet Explorer 4.0(1) INFERRED ACTION: CAN-1999-0331 SMC_REJECT (1 reject, 3 accept, 0 review) Current Votes: ACCEPT(2) Northcutt, Baker MODIFY(2) Shostack, Frech RECAST(1) Prosser REJECT(1) Christey Comments: Shostack> this is a high cardinality item Prosser> needs to be more specific. Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague Frech> duplicate) Frech> Description (from xfdb): Some versions of Internet Explorer for Windows Frech> contain a vulnerability that may crash the broswer when a malicious web site Frech> contains a certain kind of URL (that begins with "mk://") with more Frech> characters than the browser supports. Christey> The description is too vague. ================================= Candidate: CAN-1999-0336 Published: Final-Decision: Interim-Decision: Modified: 19991207-01 Proposed: 19990714 Assigned: 19990607 Category: SF Reference: BUGTRAQ:19961116 This week: turn me on, dead man Reference: XF:hpux-mstm-bo Buffer overflow in mstm in HP-UX allows local users to gain root access. 
Modifications: ADDREF BUGTRAQ:19961116 This week: turn me on, dead man CONTENT-DECISIONS: SF-EXEC INFERRED ACTION: CAN-1999-0336 RECAST (1 recast, 2 accept, 0 review) HAS_CDS Current Votes: ACCEPT(2) Northcutt, Frech NOOP(3) Shostack, Prosser, Baker RECAST(1) Christey Comments: Prosser> same as CAN-1999-0307, only ref I can find is an old SOD Prosser> exploit on www.outpost9.com Christey> MERGE CAN-1999-0307 (likely same codebase) Christey> Also, there does not seem to be any recognition of this problem Christey> by HP. The only other information besides the Bugtraq post Christey> is the SOD exploit. --------------------- CLUSTER RESTLOW --------------------- RESTLOW (39 candidates) -------------------- Proposed: 6/29 Scheduled Interim Decision: 7/12 Scheduled Final Decision: 7/16 The rest of the low-controversy vuln's Voters: Ozancin ACCEPT(1) REVIEWING(1) Landfield NOOP(1) Frech ACCEPT(2) MODIFY(5) REVIEWING(2) Proctor ACCEPT(2) Hill ACCEPT(9) Northcutt ACCEPT(7) NOOP(1) REJECT(1) Christey NOOP(2) RECAST(2) REVIEWING(3) Balinsky ACCEPT(2) Prosser ACCEPT(1) MODIFY(3) Blake ACCEPT(3) <FINAL> --> 30 <MODIFIED> --> 4 <PROPOSED> --> 5 MODIFY --> 1 RECAST --> 2 REJECT --> 1 REVIEWING --> 5 ================================= Candidate: CAN-1999-0061 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Reference: NAI:NAI-20 Reference: XF:bsd-lpd File creation and deletion, and remote execution, in the BSD line printer daemon (lpd). INFERRED ACTION: CAN-1999-0061 RECAST (1 recast, 2 accept, 0 review) Current Votes: ACCEPT(3) Hill, Frech, Northcutt RECAST(1) Christey Comments: Christey> This should be split into three separate problems. ================================= Candidate: CAN-1999-0145 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Sendmail WIZ command enabled, allowing root access. 
INFERRED ACTION: CAN-1999-0145 REJECT (1 reject, 5 accept, 0 review) Current Votes: ACCEPT(4) Hill, Blake, Proctor, Balinsky MODIFY(2) Frech, Prosser NOOP(1) Christey REJECT(1) Northcutt Comments: Frech> XF:smtp-wiz Northcutt> I have voted against this before as well. This raises the case of a Northcutt> historic but no longer existant vulnerability. Or is there any data Northcutt> that wiz still exists on any operational systems? Prosser> additional sources Prosser> Bugtraq Prosser> "sendmail wizard thing" Prosser> http://securityfocus/ Prosser> CERT Advisory CA-93.14 Prosser> http://www.cert.org Christey> While this may not be active anywhere (we hope), it is still Christey> of historic interest and potentially useful for academic Christey> study. Therefore it should be included. ================================= Candidate: CAN-1999-0203 Published: Final-Decision: Interim-Decision: Modified: 19991228-01 Proposed: 19990630 Assigned: 19990607 Category: SF Reference: CERT:CA-95.08 Reference: CIAC:E-03 In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program. Modifications: ADDREF CERT:CA-95.08 ADDREF CIAC:E-03 INFERRED ACTION: CAN-1999-0203 ACCEPT_REV (4 accept, 2 ack, 1 review) Current Votes: ACCEPT(5) Hill, Blake, Balinsky, Ozancin, Northcutt NOOP(1) Christey REVIEWING(1) Frech Comments: Christey> Description needs to be more specific to distinguish between Christey> this and CAN-1999-0163, as alluded to by Adam Shostack ================================= Candidate: CAN-1999-0205 Published: Final-Decision: Interim-Decision: Modified: 19990925-01 Proposed: 19990630 Assigned: 19990607 Category: SF Reference: BUGTRAQ:19990708 SM 8.6.12 Denial of service in Sendmail 8.6.11 and 8.6.12. 
Modifications: ADDREF BUGTRAQ:19990708 SM 8.6.12 INFERRED ACTION: CAN-1999-0205 SMC_REVIEW (3 accept, 2 review) Current Votes: ACCEPT(2) Hill, Northcutt MODIFY(2) Frech, Prosser REVIEWING(2) Ozancin, Christey Comments: Frech> XF:sendmail-alias-dos Prosser> additional source Prosser> Bugtraq Prosser> "Re: SM 8.6.12" Prosser> http://www.securityfocus.com Christey> The Bugtraq thread does not provide any proof, including a Christey> comment by Eric Allman that he hadn't been provided any Christey> details either. Christey> Christey> See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu Christey> for the thread. ================================= Candidate: CAN-1999-0241 Published: Final-Decision: Interim-Decision: Modified: 19990925-01 Proposed: 19990630 Assigned: 19990607 Category: SF Reference: XF:http-xguess-cookie Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm. INFERRED ACTION: CAN-1999-0241 SMC_REVIEW (4 accept, 1 review) Current Votes: ACCEPT(3) Hill, Northcutt, Proctor MODIFY(2) Frech, Prosser REVIEWING(1) Christey Comments: Frech> Also add to references: Frech> XF:sol-mkcookie Prosser> additional source Prosser> Bugtraq Prosser> "X11 cookie hijacker" Prosser> http://www.securityfocus.com Christey> The cookie hijacker thread has to do with stealing cookies Christey> through a file with bad permissions. I'm not sure the Christey> X-Force reference identifies this problem either. ================================= Candidate: CAN-1999-0246 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Reference: XF:hp-remote HP Remote Watch allows a remote user to gain root access. 
INFERRED ACTION: CAN-1999-0246 RECAST (1 recast, 3 accept, 0 review) Current Votes: ACCEPT(4) Hill, Frech, Northcutt, Prosser RECAST(1) Christey Comments: Frech> Comment: Determine if it's RemoteWatch or Remote Watch. Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in Christey> Remote Watch (the advisory uses two words, not one, for the Christey> "Remote Watch" name) Prosser> agree that the advisory mentions two vulnerabilities in Remote Prosser> Watch, one being a socket connection and other with the showdisk utility Prosser> which seems to be a suid vulnerability. Never get much details on this Prosser> anywhere since the recommendation is to remove the program since it is Prosser> obsolete and superceded by later tools. Believe the biggest concern here is Prosser> to just not run the tool at all. ================================= Candidate: CAN-1999-0323 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Reference: FreeBSD:FreeBSD-SA-98:04 FreeBSD mmap function allows users to modify append-only or immutable files. INFERRED ACTION: CAN-1999-0323 MOREVOTES (1 accept, 1 ack, 1 review) Current Votes: ACCEPT(2) Hill, Northcutt REVIEWING(1) Frech Comments: Frech> probably XF:bsd-mmap ================================= Candidate: CAN-1999-0395 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Reference: ISS:Vulnerability in the BackWeb Polite Agent Protocol A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server. 
INFERRED ACTION: CAN-1999-0395 MOREVOTES (1 accept, 1 ack, 0 review) Current Votes: ACCEPT(1) Hill MODIFY(1) Frech NOOP(2) Northcutt, Landfield Comments: Frech> XF:backweb-polite-agent-protocol ================================= Candidate: CAN-1999-0498 Published: Final-Decision: Interim-Decision: Modified: 19990925-01 Proposed: 19990630 Assigned: 19990607 Category: CF Reference: CERT:CA-91.18.Active.Internet.tftp.Attacks TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files. Modifications: ADDREF CERT:CA-91.18.Active.Internet.tftp.Attacks CONTENT-DECISIONS: CF INFERRED ACTION: CAN-1999-0498 SMC_REVIEW (3 accept, 1 review) HAS_CDS Current Votes: ACCEPT(3) Hill, Blake, Northcutt MODIFY(1) Frech REVIEWING(1) Christey Comments: Frech> XF:linux-tftp Christey> XF:linux-tftp refers to CAN-1999-0183 --------------------- CLUSTER DENY --------------------- DENY (13 candidates) -------------------- Proposed: 6/29 Scheduled Interim Decision: 7/12 Scheduled Final Decision: 7/16 Some (not all) denial of service Voters: Frech ACCEPT(1) MODIFY(4) Hill ACCEPT(5) Christey NOOP(1) REVIEWING(2) Meunier ACCEPT(2) MODIFY(1) NOOP(1) RECAST(1) <FINAL> --> 8 <MODIFIED> --> 1 <PROPOSED> --> 4 MODIFY --> 2 RECAST --> 1 REVIEWING --> 2 ================================= Candidate: CAN-1999-0140 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Denial of service in RAS/PPTP on NT systems. INFERRED ACTION: CAN-1999-0140 MOREVOTES (2 accept, 0 ack, 0 review) Current Votes: ACCEPT(1) Hill MODIFY(2) Meunier, Frech NOOP(1) Christey Comments: Meunier> Add "pptp invalid packet length in header" to distinguish from other Meunier> vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be Meunier> discovered in the future. 
Frech> XF:nt-ras-bo Frech> ONLY IF reference is to MS:MS99-016 Christey> According to my mappings, this is not the MS:MS99-016 problem Christey> referred to by Andre. However, I have yet to dig up a Christey> source. ================================= Candidate: CAN-1999-0144 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Reference: XF:qmail-rcpt Denial of service in Qmail by specifying a large number of recipients with the RCPT command. INFERRED ACTION: CAN-1999-0144 SMC_REVIEW (2 accept, 1 review) Current Votes: ACCEPT(3) Hill, Meunier, Frech REVIEWING(1) Christey Comments: Christey> DUPE CAN-1999-0418 and CAN-1999-0250? ================================= Candidate: CAN-1999-0213 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind. INFERRED ACTION: CAN-1999-0213 MOREVOTES (1 accept, 0 ack, 0 review) Current Votes: ACCEPT(1) Hill MODIFY(1) Frech NOOP(1) Meunier Comments: Frech> XF:sun-libnsl ================================= Candidate: CAN-1999-0216 Published: Final-Decision: Interim-Decision: Modified: 19991203-01 Proposed: 19990630 Assigned: 19990607 Category: SF Reference: BUGTRAQ:19971130 Linux inetd.. Reference: XF:linux-inetd-dos Reference: HP:HPSBUX9803-077 Reference: XF:hp-inetd Denial of service of inetd on Linux through SYN and RST packets. Modifications: ADDREF BUGTRAQ:19971130 Linux inetd.. ADDREF XF:linux-inetd-dos ADDREF HP:HPSBUX9803-077 ADDREF XF:hp-inetd INFERRED ACTION: CAN-1999-0216 RECAST (1 recast, 1 accept, 0 review) Current Votes: ACCEPT(1) Hill MODIFY(1) Frech RECAST(1) Meunier Comments: Meunier> The location of the vulnerability, whether in the Linux kernel or the Meunier> application, is debatable. 
Any program making the same (reasonnable) Meunier> assumption is vulnerable, i.e., implements the same vulnerability: Meunier> "Assumption that TCP-three-way handshake is complete after calling Linux Meunier> kernel function accept(), which returns socket after getting SYN. Result Meunier> is process death by SIGPIPE" Meunier> Moreover, whether it results in DOS (to third parties) depends on the Meunier> process that made the assumption. Meunier> I think that the present entry should be split, one entry for every Meunier> application that implements the vulnerability (really describing threat Meunier> instances, which is what other people think about when we talk about Meunier> vulnerabilities), and one entry for the Linux kernel that allows the Meunier> vulnerability to happen. Frech> XF:hp-inetd Frech> XF:linux-inetd-dos ================================= Candidate: CAN-1999-0250 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Reference: XF:qmail-leng Denial of service in Qmail through long SMTP commands. INFERRED ACTION: CAN-1999-0250 SMC_REVIEW (2 accept, 1 review) Current Votes: ACCEPT(2) Hill, Meunier MODIFY(1) Frech REVIEWING(1) Christey Comments: Frech> XF:qmail-rcpt Christey> DUPE CAN-1999-0418 and CAN-1999-0144? 
--------------------- CLUSTER NTLOW --------------------- NTLOW (19 candidates) -------------------- Proposed: 6/29 Scheduled Interim Decision: 7/12 Scheduled Final Decision: 7/16 Some low controversy NT vulnerabilities Voters: Frech MODIFY(1) REVIEWING(2) Wall NOOP(3) Hill ACCEPT(3) Blake MODIFY(1) <FINAL> --> 16 <MODIFIED> --> 1 <PROPOSED> --> 2 MODIFY --> 1 REVIEWING --> 2 ================================= Candidate: CAN-1999-0225 Published: Final-Decision: Interim-Decision: Modified: 19991220-01 Proposed: 19990630 Assigned: 19990607 Category: SF Reference: SNI:SNI-25 Reference: MSKB:Q180963 Denial of service in Windows NT using a malformed SMB logon request before logging in and accessing shares. Modifications: ADDREF MSKB:Q180963 reword description INFERRED ACTION: CAN-1999-0225 MOREVOTES (1 accept, 2 ack, 0 review) Current Votes: ACCEPT(1) Hill MODIFY(1) Frech NOOP(1) Wall Comments: Frech> XF:nt-logondos ================================= Candidate: CAN-1999-0285 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: SF Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection. INFERRED ACTION: CAN-1999-0285 MOREVOTES (0 accept, 0 ack, 1 review) Current Votes: ACCEPT(1) Hill NOOP(1) Wall REVIEWING(1) Frech ================================= Candidate: CAN-1999-0549 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990630 Assigned: 19990607 Category: CF Windows NT automatically logs in an administrator upon rebooting. CONTENT-DECISIONS: CF INFERRED ACTION: CAN-1999-0549 MOREVOTES (1 accept, 0 ack, 1 review) HAS_CDS Current Votes: ACCEPT(1) Hill MODIFY(1) Blake NOOP(1) Wall REVIEWING(1) Frech Comments: Wall> Don't know what this is. Don't think it is a vulnerability and would Wall> initially reject. This is different than just renaming the Wall> administrator account. Frech> Would appreciate more information on this one, as in a reference. 
Blake> Reference: XF:nt-autologin --------------------- CLUSTER BUF --------------------- BUF (33 candidates) -------------------- Proposed: 6/23 Scheduled Interim Decision: 7/5 Scheduled Final Decision: 7/9 Some (not all) buffer overflows in single applications Voters: Frech ACCEPT(2) MODIFY(3) RECAST(1) Hill ACCEPT(6) Christey REJECT(2) REVIEWING(4) Northcutt ACCEPT(6) Prosser ACCEPT(1) NOOP(4) RECAST(1) <FINAL> --> 26 <MODIFIED> --> 4 <PROPOSED> --> 2 RECAST --> 1 REJECT --> 2 REVIEWING --> 3 ================================= Candidate: CAN-1999-0187 Published: Final-Decision: Interim-Decision: Modified: 19990805 Proposed: 19990623 Assigned: 19990607 Category: SF Reference: SUN:00179 ** REJECT ** Duplicate of CAN-1999-0022 (SUN:00179 is referenced in CERT:CA-97.23.rdist) The rdist program in Solaris has some buffer overflows that allow attackers to gain root access. INFERRED ACTION: CAN-1999-0187 RECAST (2 recast, 1 accept, 1 review) Current Votes: ACCEPT(2) Northcutt, Hill RECAST(2) Prosser, Frech REVIEWING(1) Christey Comments: Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in Prosser> rdist lookup( )(ref CERT 96.14)as well as the BO in rdist function expstr() Prosser> (ref CERT 97-23) and various vendor bulletins. However both of these rdist Prosser> BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX, Prosser> FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content Prosser> decision Frech> XF:rdist-bo (error msg formation) Frech> XF:rdist-bo2 (execute code) Frech> XF:rdist-bo3 (execute user-created code) Frech> XF:rdist-sept97 (root from local) Christey> Duplicate of CAN-1999-0022 (SUN:00179 is referenced in Christey> CERT:CA-97.23.rdist), but as Mike and Andre noted, there Christey> are multiple flaws here, so a RECAST may be necessary. 
=================================
Candidate: CAN-1999-0232
Published:
Final-Decision:
Interim-Decision:
Modified: 19991220-01
Proposed: 19990623
Assigned: 19990607
Category: SF

Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.

INFERRED ACTION: CAN-1999-0232 SMC_REVIEW (2 accept, 1 review)

Current Votes:
  ACCEPT(2) Northcutt, Hill
  MODIFY(1) Frech
  NOOP(1) Prosser
  REVIEWING(1) Christey

Comments:
 Frech> Unable to provide a match due to vague/insufficient description/references.
 Frech> Possible matches are:
 Frech> XF:ftp-ncsa (probably not, considering you've mentioned the webserver.)
 Frech> XF:http-ncsa-longurl (highest probability)
 Christey> CAN-1999-0235 is the one associated with XF:http-ncsa-longurl
 Christey> More research is necessary for this one.

=================================
Candidate: CAN-1999-0235
Published:
Final-Decision:
Interim-Decision:
Modified: 19991220-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-95:04
Reference: CIAC:F-11

Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.

Modifications:
  ADDREF CERT:CA-95:04
  ADDREF CIAC:F-11

INFERRED ACTION: CAN-1999-0235 SMC_REJECT (1 reject, 3 accept, 0 review)

Current Votes:
  ACCEPT(3) Northcutt, Hill, Prosser
  MODIFY(1) Frech
  REJECT(1) Christey

Comments:
 Frech> XF:http-ncsa-longurl
 Christey> CAN-1999-0235 has the same ref's as CVE-1999-0267

=================================
Candidate: CAN-1999-0255
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF

Buffer overflow in ircd allows arbitrary command execution.

INFERRED ACTION: CAN-1999-0255 SMC_REJECT (1 reject, 2 accept, 0 review)

Current Votes:
  ACCEPT(2) Northcutt, Hill
  MODIFY(1) Frech
  NOOP(1) Prosser
  REJECT(1) Christey

Comments:
 Frech> XF:irc-bo
 Christey> This is too general and doesn't have any references. The
 Christey> XF reference doesn't appear to exist any more.
 Christey>
 Christey> Perhaps this reference would help:
 Christey> BUGTRAQ:19970701 ircd buffer overflow

=================================
Candidate: CAN-1999-0317
Published:
Final-Decision:
Interim-Decision:
Modified: 19991216-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990818 slackware-3.5 /bin/su buffer overflow
Reference: XF:su-bo

Buffer overflow in Linux su command gives root access to local users.

Modifications:
  ADDREF BUGTRAQ:19990818 slackware-3.5 /bin/su buffer overflow

INFERRED ACTION: CAN-1999-0317 SMC_REVIEW (2 accept, 1 review)

Current Votes:
  ACCEPT(3) Northcutt, Hill, Frech
  NOOP(1) Prosser
  REVIEWING(1) Christey

Comments:
 Christey> DUPE CAN-1999-0845?
 Christey> A report summary by Aleph One states that nobody was able to
 Christey> confirm this problem on any Linux distribution.

=================================
Candidate: CAN-1999-0319
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:xmcd-tiflestr

Buffer overflow in xmcd 2.1 allows local users to gain access through a
user resource setting.

INFERRED ACTION: CAN-1999-0319 SMC_REVIEW (2 accept, 1 review)

Current Votes:
  ACCEPT(3) Northcutt, Hill, Frech
  NOOP(1) Prosser
  REVIEWING(1) Christey

Comments:
 Christey> BUGTRAQ:19961126 Security Problems in XMCD 2.1
 Christey> A followup to this post says that xmcd is not suid here.
---------------------
CLUSTER CGI
---------------------

CGI (31 candidates)
--------------------

Proposed: 6/23
Scheduled Interim Decision: 7/5
Scheduled Final Decision: 7/9

CGI programs

Voters:
  Levy        ACCEPT(1)
  Wall        ACCEPT(1)
  Frech       ACCEPT(2) MODIFY(1) REVIEWING(6)
  Christey    NOOP(4) REVIEWING(1)
  Northcutt   ACCEPT(9)
  Prosser     ACCEPT(3) MODIFY(1) NOOP(5)
  Blake       ACCEPT(2)

  <FINAL> --> 22
  <INTERIM> --> 2
  <MODIFIED> --> 4
  <PROPOSED> --> 3
  ACCEPT --> 2
  MODIFY --> 1
  REVIEWING --> 6

=================================
Candidate: CAN-1999-0233
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MSKB:Q148188
Reference: XF:http-iis-cmd

IIS allows users to execute arbitrary commands using .bat or .cmd files.

Modifications:
  ADDREF MSKB:Q148188
  DESC Remove WebSite reference.

INFERRED ACTION: CAN-1999-0233 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
  ACCEPT(2) Northcutt, Prosser
  NOOP(1) Christey
  REVIEWING(1) Frech

Comments:
 Frech> XF reference is correct, but cannot find supporting reference for WebSite
 Frech> vulnerability.
 Frech> No further action to be taken unless more information forthcoming.
 Christey> Can't find the WebSite mention now, so I will remove it.

=================================
Candidate: CAN-1999-0238
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-phpfileread

php.cgi allows attackers to read any file on the system.
CONTENT-DECISIONS: SF-EXEC,SF-LOC

INFERRED ACTION: CAN-1999-0238 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
  ACCEPT(3) Northcutt, Prosser, Frech

Comments:
 Prosser> additional source
 Prosser> AUSCERT External Security Bulletin ESB-97.047
 Prosser> http://www.auscert.org.au
 Prosser> Published:
 Prosser> Final-Decision:
 Prosser> Interim-Decision:
 Prosser> Modified:
 Prosser> Announced: 19990623
 Prosser> Assigned: 19990607
 Prosser> Category: SF
 Prosser> Reference: XF:http-iis-2e
 Prosser> IIS 3.0 allows remote intruders to read source code for ASP programs
 Prosser> by using a "2e" instead of a "." in the URL.

=================================
Candidate: CAN-1999-0253
Published:
Final-Decision:
Interim-Decision:
Modified: 2000106-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-iis-2e
Reference: L0PHT:19970319

IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read
source code for ASP programs by using a %2e instead of a . (dot) in the URL.

INFERRED ACTION: CAN-1999-0253 MOREVOTES (2 accept, 0 ack, 0 review)

Current Votes:
  ACCEPT(2) Northcutt, Frech
  NOOP(2) Prosser, Christey

Comments:
 Christey> This is a problem that was introduced after patching a
 Christey> previous dot bug with the iis-fix hotfix (see CAN-1999-0154).
 Christey> Since the hotfix introduced the problem, this should be
 Christey> treated as a separate issue.

=================================
Candidate: CAN-1999-0268
Published:
Final-Decision:
Interim-Decision:
Modified: 19991205-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980630 Security vulnerabilities in MetaInfo products

MetaInfo MetaWeb web server allows users to upload and execute scripts.
INFERRED ACTION: CAN-1999-0268 MOREVOTES (1 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(1) Northcutt
  NOOP(1) Prosser
  REVIEWING(1) Frech

=================================
Candidate: CAN-1999-0270
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CIAC:I-041
Reference: XF:sgi-pfdispaly

pfdispaly CGI program for SGI's Performer API Search Tool allows read
access to files.

Modifications:
  ADDREF CIAC:I-041
  ADDREF XF:sgi-pfdispaly

INFERRED ACTION: CAN-1999-0270 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
  ACCEPT(2) Northcutt, Prosser
  MODIFY(1) Frech
  NOOP(1) Christey

Comments:
 Prosser> additional source
 Prosser> CIAC Security Bulletin I-041
 Prosser> http://www.ciac.org
 Frech> XF:sgi-pfdispaly
 Frech> XF:sgi-dispaly-patch-vuln
 Christey> There are two bugs here, as described in Bugtraq. The first one
 Christey> allowed read access to files outside of a document root (a dot dot
 Christey> problem). The second one was a shell metacharacter problem.
 Christey> Reference: BUGTRAQ:19980407: perfomer_tools again
 Christey> CAN-1999-0270 refers to the first problem only.

=================================
Candidate: CAN-1999-0271
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?

Progressive Networks Real Video server (pnserver) can be crashed remotely.

Modifications:
  ADDREF BUGTRAQ:19980115 pnserver exploit..
  ADDREF BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?

INFERRED ACTION: CAN-1999-0271 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
  ACCEPT(2) Northcutt, Blake
  NOOP(2) Prosser, Christey
  REVIEWING(1) Frech

Comments:
 Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq
 Christey> posting), but may be multiple codebases since several
 Christey> Real Audio servers are affected.
 Christey>
 Christey> Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow.
 Christey> See CAN-1999-0896

=================================
Candidate: CAN-1999-0283
Published:
Final-Decision:
Interim-Decision:
Modified: 19991203-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer

The Java Web Server would allow remote users to obtain the source code
for CGI programs.

Modifications:
  ADDREF BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer
  DESC Augment the description to include .jhtml

INFERRED ACTION: CAN-1999-0283 MOREVOTES (2 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(2) Northcutt, Blake
  NOOP(1) Prosser
  REVIEWING(1) Frech

=================================
Candidate: CAN-1999-0347
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan26,1999
Reference: NTBUGTRAQ:Jan28,1999

Javascript bug in Internet Explorer 4.01 by adding %01URL allows reading
local files and spoofing of web pages from other sites.

INFERRED ACTION: CAN-1999-0347 SMC_REVIEW (3 accept, 2 review)

Current Votes:
  ACCEPT(2) Northcutt, Levy
  MODIFY(1) Prosser
  REVIEWING(2) Frech, Christey

Comments:
 Prosser> this is a modified Cross-Frame vulnerability that circumvents
 Prosser> the original Cross-Frame Patch. Addressed in MS Bulletin MS99.012
 Prosser> http://www.microsoft.com/security/bulletins/ms99-012.asp
 Christey> Duplicate of CAN-1999-0490?

=================================
Candidate: CAN-1999-0360
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan29,1999
Reference: NTBUGTRAQ:Jan29,1999

MS Site Server 2.0 with IIS 4 can allow users to upload content, including
ASP, to the target web site, thus allowing them to execute commands remotely.
INFERRED ACTION: CAN-1999-0360 MOREVOTES (2 accept, 0 ack, 1 review)

Current Votes:
  ACCEPT(2) Northcutt, Wall
  NOOP(1) Prosser
  REVIEWING(1) Frech

---------------------
CLUSTER VEN-BSD
---------------------

VEN-BSD (13 candidates)
--------------------

Proposed: 6/17
Scheduled Interim Decision: 6/28
Scheduled Final Decision: 7/2

candidates with advisories from BSD vendors

Voters:
  Frech       ACCEPT(1) MODIFY(8)

  <FINAL> --> 13
  ACCEPT --> 1
  MODIFY --> 8

---------------------
CLUSTER VEN-OTHERS
---------------------

VEN-OTHERS (2 candidates)
--------------------

Proposed: 6/17
Scheduled Interim Decision: 6/28
Scheduled Final Decision: 7/2

candidates with advisories from other vendors

Voters:
  Frech       MODIFY(1)
  Shostack    ACCEPT(1)
  Hill        ACCEPT(1)
  Northcutt   ACCEPT(1)
  Prosser     MODIFY(1)

  <FINAL> --> 1
  <PROPOSED> --> 1
  MODIFY --> 1

=================================
Candidate: CAN-1999-0358
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990125 Digital Unix 4.0 exploitable buffer overflows
Reference: COMPAQ:SSRT0583U

Digital Unix 4.0 has a buffer overflow in the inc program of the mh package.

CONTENT-DECISIONS: SF-CODEBASE/DUPE

INFERRED ACTION: CAN-1999-0358 ACCEPT (4 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
  ACCEPT(3) Shostack, Northcutt, Hill
  MODIFY(2) Prosser, Frech

Comments:
 Prosser> Ref'd SSRT has an 'at' vulnerable as well supposedly fixed by
 Prosser> the patch. Shouldn't this be included as a separate CVE in this
 Prosser> cluster. ref:BugTraq "Digital Unix Buffer Overflows: Exploits" from
 Prosser> Lamont Granquist for both as well.
 Frech> Reference: XF:du-inc

---------------------
CLUSTER VEN-SGI
---------------------

VEN-SGI (7 candidates)
--------------------

Proposed: 6/17
Scheduled Interim Decision: 6/28
Scheduled Final Decision: 7/2

candidates with advisories from SGI vendor

Voters:

  <FINAL> --> 7

---------------------
CLUSTER VEN-HP
---------------------

VEN-HP (11 candidates)
--------------------

Proposed: 6/17
Scheduled Interim Decision: 6/28
Scheduled Final Decision: 7/2

candidates with advisories from HP vendor

Voters:

  <FINAL> --> 11

---------------------
CLUSTER VEN-SUN
---------------------

VEN-SUN (18 candidates)
--------------------

Proposed: 6/17
Scheduled Interim Decision: 6/28
Scheduled Final Decision: 7/2

candidates with advisories from SUN vendor

Voters:
  Frech       MODIFY(2)
  Christey    REVIEWING(2)
  Northcutt   ACCEPT(2)
  Prosser     ACCEPT(1) MODIFY(1)

  <FINAL> --> 16
  <MODIFIED> --> 1
  <PROPOSED> --> 1
  REVIEWING --> 2

=================================
Candidate: CAN-1999-0121
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00164
Reference: ERS:ERS-SVA-E01-1997:005.1

Buffer overflow in dtaction command gives root access.

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0121 SMC_REVIEW (3 accept, 1 review) HAS_CDS

Current Votes:
  ACCEPT(1) Northcutt
  MODIFY(2) Frech, Prosser
  REVIEWING(1) Christey

Comments:
 Frech> Reference: XF:dtaction-bo
 Frech> Reference: XF:sun-dtaction
 Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a
 Prosser> library in AIX 4.x, but reference for this Sun vulnerability should
 Prosser> only reflect the Sun Bulletin or the CIAC I-032 version of the Sun
 Prosser> Bulletin
 Christey> This is the Same Codebase as CAN-1999-0089, so the two entries
 Christey> should be merged.
=================================
Candidate: CAN-1999-0370
Published:
Final-Decision:
Interim-Decision:
Modified: 19991210-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00184
Reference: BID:165

In Sun Solaris and SunOS, man and catman contain vulnerabilities that
allow overwriting arbitrary files.

Modifications:
  ADDREF BID:165

INFERRED ACTION: CAN-1999-0370 SMC_REVIEW (3 accept, 1 review)

Current Votes:
  ACCEPT(2) Northcutt, Prosser
  MODIFY(1) Frech
  REVIEWING(1) Christey

Comments:
 Frech> Reference: XF:sun-man
 Christey> Is the Linux man symlink problem the same as the one for Sun?
 Christey> See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1

---------------------
CLUSTER VEN-AIX
---------------------

VEN-AIX (10 candidates)
--------------------

Proposed: 6/17
Scheduled Interim Decision: 6/28
Scheduled Final Decision: 7/2

candidates with advisories from AIX vendor

Voters:
  Frech       MODIFY(3)
  Shostack    ACCEPT(3)
  Christey    REJECT(1) REVIEWING(2)
  Northcutt   ACCEPT(3)
  Prosser     MODIFY(3)

  <FINAL> --> 7
  <INTERIM> --> 2
  <PROPOSED> --> 1
  REJECT --> 1
  REVIEWING --> 2

=================================
Candidate: CAN-1999-0086
Published:
Final-Decision:
Interim-Decision: 19990630
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: XF:ibm-routed

AIX routed allows remote users to modify sensitive files.

Modifications:
  ADDREF XF:ibm-routed

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0086 SMC_REJECT (1 reject, 4 accept, 0 review) HAS_CDS

Current Votes:
  ACCEPT(2) Shostack, Northcutt
  MODIFY(2) Frech, Prosser
  REJECT(1) Christey

Comments:
 Frech> Reference: XF:ibm-routed
 Prosser> This vulnerability allows debug mode to be turned on which is
 Prosser> the problem. Should this be more specific in the description? This
 Prosser> one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which
 Prosser> is in the SGI cluster, shouldn't these be cross-referenced as the same
 Prosser> vuln affects multiple OSes.
 Christey> This appears to be subsumed by CVE-1999-0215

=================================
Candidate: CAN-1999-0088
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1998:004.1

IRIX and AIX automountd services (autofsd) allow remote users to execute
root commands.

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0088 SMC_REVIEW (4 accept, 1 review) HAS_CDS

Current Votes:
  ACCEPT(2) Shostack, Northcutt
  MODIFY(2) Frech, Prosser
  REVIEWING(1) Christey

Comments:
 Frech> ERS (and other references, BTW) explicitly stipulate 'local and
 Frech> remote'.
 Frech> Reference: XF:irix-autofsd
 Prosser> Include the SGI Alert as well since it is mentioned in the
 Prosser> description.
 Prosser> SGI Security Advisory 19981005-01-PX
 Christey> DUPE CAN-1999-0210?

=================================
Candidate: CAN-1999-0089
Published:
Final-Decision:
Interim-Decision: 19990630
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-libDtSvc

Buffer overflow in AIX libDtSvc library can allow local users to gain
root access.

Modifications:
  ADDREF XF:ibm-libDtSvc

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0089 SMC_REVIEW (4 accept, 1 review) HAS_CDS

Current Votes:
  ACCEPT(2) Shostack, Northcutt
  MODIFY(2) Frech, Prosser
  REVIEWING(1) Christey

Comments:
 Frech> Reference: XF:ibm-libDtSvc
 Prosser> The overflow is in the dtaction utility. Also affects
 Prosser> dtaction in the CDE on versions of SunOS (SUN 164). Probably should be
 Prosser> specific.
 Christey> Same Codebase as CAN-1999-0121, so the two entries should be
 Christey> merged.
---------------------
CLUSTER CERT
---------------------

CERT (60 candidates)
--------------------

Proposed: 6/7
Scheduled Final Decision: 7/2

candidates associated with CERT advisories

Voters:
  Wall        ACCEPT(3)
  Shostack    ACCEPT(3) REVIEWING(1)
  Frech       ACCEPT(1) MODIFY(2) RECAST(1)
  Hill        ACCEPT(2)
  Christey    RECAST(1) REVIEWING(2)
  Landfield   ACCEPT(2)
  Northcutt   ACCEPT(3) RECAST(1)

  <FINAL> --> 56
  <MODIFIED> --> 2
  <PROPOSED> --> 2
  RECAST --> 3
  REVIEWING --> 2

=================================
Candidate: CAN-1999-0004
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175
Reference: MS:MS98-008

MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.

Modifications:
  ADDREF MS:MS98-008
  DESC include Outlook

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0004 ACCEPT_REV (4 accept, 3 ack, 1 review) HAS_CDS

Current Votes:
  ACCEPT(3) Northcutt, Landfield, Wall
  MODIFY(1) Frech
  REVIEWING(1) Shostack

Comments:
 Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject
 Frech> this suggestion, I will not be devastated.) :-)

=================================
Candidate: CAN-1999-0033
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo

Command execution in Sun systems via buffer overflow in the at program

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0033 RECAST (1 recast, 3 accept, 0 review) HAS_CDS

Current Votes:
  ACCEPT(4) Northcutt, Hill, Shostack, Wall
  RECAST(1) Frech

Comments:
 Frech> This vulnerability also manifests itself for the following
 Frech> platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light,
 Frech> please add the following:
 Frech> Reference: XF:at-bo

=================================
Candidate: CAN-1999-0078
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or
execute arbitrary commands through arguments in the RPC call.

Modifications:
  DELREF XF:nfs-pcnfsd

INFERRED ACTION: CAN-1999-0078 RECAST (1 recast, 4 accept, 0 review)

Current Votes:
  ACCEPT(4) Frech, Shostack, Northcutt, Landfield
  RECAST(1) Christey

Comments:
 Christey> This candidate should be SPLIT, since there are two separate
 Christey> software flaws. One is a symlink race and the other is a
 Christey> shell metacharacter problem.

=================================
Candidate: CAN-1999-0142
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.05.java_applet_security_mgr

Java Applet Security Manager allows an applet to connect to arbitrary hosts.

INFERRED ACTION: CAN-1999-0142 RECAST (1 recast, 3 accept, 1 review)

Current Votes:
  ACCEPT(3) Hill, Shostack, Wall
  MODIFY(1) Frech
  RECAST(1) Northcutt
  REVIEWING(1) Christey

Comments:
 Northcutt> Please note I am not a Java expert, but I think jdk 2.0 and
 Northcutt> so forth do not have a sandbox notion and applets (perhaps trusted
 Northcutt> applets) can connect to arbitrary hosts as a matter of course. You
 Northcutt> might want to contact Li Gong (li.gong@sun.com) or a similar
 Northcutt> expert before issuing this one. NOTE: another reason to consider
 Northcutt> the original date!!!
 Christey> Noting Steve Northcutt's comments, perhaps we would need to modify the
 Christey> description somewhat to distinguish between current Java versions and
 Christey> the one that had this vulnerability. However, the CERT reference
 Christey> associates a general place and time for where this vulnerability
 Christey> arose, so I don't think it's too big of a deal.
 Frech> Reference: XF:http-java-appletsecmgr