RE: [TECH] High-level candidates for recent SNMP problems
The LDAP problems that were found using PROTOS are probably the closest precedent for the current situation, though there have been other less dramatic cases in which a problem has been discovered simultaneously in many products (consider last year's "strange attractors" paper by Michal Zalewski, which dealt with new methods of TCP sequence number prediction). While it took me a few hours to grasp the initial LDAP report when it came out, my general approach of distinguishing between flaw types and vendors works rather cleanly. This is expected to produce somewhere between 30 and 45 candidates without major headaches (unless you ask the poor content team member who's still working to create the actual CANs.)

The detailed SNMP analysis as published on the PROTOS site identifies several test groups. This might be a natural breakdown for candidates. These SNMP issues are on a larger scale than the LDAP problems, with approximately 40 affected vendors. At 1-4 candidates each, that's between 40 and 160 candidates.

The number of candidates may feel wrong simply because of the volume, but it's a reflection of the fact that many vendors make the exact same mistake in implementing the same protocol. There are at least 24 CVEs or candidates that describe buffer overflows in the GET commands of HTTP servers. As Sean Hernan suggested, these were discovered over time. I suspect there's a similar issue with FTP GET, SMTP VRFY, etc., since I seem to run into them a lot. I don't think many people would like to see a single candidate for HTTP GET buffer overflows. Most security products and databases that I know of will distinguish between these. (For IDS people who are thinking about "generic" attack signatures on HTTP GET, that will be covered by CIEL.) And how many researchers who found the GET overflow also tried long MIME headers, format strings, ".." encodings, etc.? Not many, I don't think, based on all the later discoveries of new types of problems in the same protocol command of the same software.

The PROTOS approach tests many products and many vulnerabilities all at once, not haphazardly. I think that the fact that they generate a large number of candidates reflects the power of their approach. If we tried to apply the CVE content decisions as they were written a year and a half ago, we would be trying to distinguish between every single buffer overflow. That obviously isn't practical. But a principled breakdown, by either test suite or high-level problem types, is much more feasible. I think that there is a quantifiable difference between what PROTOS did and what Jane.Doe@hotmail.com does in her spare time. CVE content decisions, if applied properly, reflect that difference.

David LeBlanc said:

>I well understand the academic arguments, but there's a pragmatic
>concern - I don't think we want to double the size of the CVE database
>(oops, list pretending not to be a database, sorry) just to cover a
>bazillion variants of this particular bug.

If a vulnerability database maintainer or product vendor wants to make this simplification, they can do so without worrying too much about the repercussions to their users. I think that there is a stronger need for CVE to be as consistent as possible, and the reasons are more than academic. There are at least 2 main uses for CVE:

1) Making sure that everyone uses the same name for the same vulnerability (all together, now! ;-)

2) Providing a consistent mechanism to facilitate quantitative comparisons of vulnerability data.

We all know and understand the reason for #1, but this email thread is about deciding what "same vulnerability" means. There hasn't been much consideration of #2, but I think that in the long term, it is pretty important.

Consider:

- There are quantifiable differences in the level of abstraction used by CVE and its 4 primary data sources, which affects about 15% of all CVE entries/candidates. Examples are included below.

- We have dozens of security vendors who have declared their intentions to become CVE-compatible (BTW, our updated requirements are now on the CVE web site). Once real CVE compatibility happens, this will enable product comparisons on an unprecedented level of detail, for hundreds of vulnerabilities, not just a dozen or two. We haven't seen vendors actively advertising how many CVEs they check yet, but I think that will happen.

- I think that there will be an increasing emphasis on objectively evaluating software products based on the severity and frequency of the security problems that are discovered in them. It appears that the insurance industry is moving in this direction. For another example, look at any recent issue of Information Security magazine - there is a firewall vendor that touts their security over others by saying how many vulnerabilities have been discovered in their competitors' products.

CVE is well-positioned to be part of the metrics used in comparative analysis. It then becomes more important that CVE be consistent, at least within itself. We won't be able to make CVE perfectly consistent. That would require perfect knowledge and far more time and resources than is available. But CVE's major abstraction-related content decisions have been stable for a year, to the point where I'm almost ready to promote the affected candidates to entries, or recast the ones that we initially got wrong. The CVE content team applies the abstraction CDs consistently, which is good evidence that determining the level of abstraction may be a repeatable process. The practical solution is to do what's reasonable and document places where we may have made an error in our analysis.

One way to do that is by more closely associating CVE candidates with their related content decisions, so that people who care about metrics can understand how CVE tries to be consistent. These CDs have become better documented internally, and I plan to publish them on the CVE web site so that Candidate Numbering Authorities and others may reference them. This would be a way to recognize the serious problem of distinguishing between codebases in the SNMP implementations. We make our best guess about codebases, and all related CVE items are "labeled" with the CD:SF-CODEBASE content decision. The experienced CVE consumer would then know the potential issues related to the abstraction choices made for that item and others.

I tried to think of a clean way to wrap up this email, but I couldn't. But take a look at the candidates below to see some examples that demonstrate how CVE can act as a normalizer. Feedback is welcome, as always.

- Steve

VARIANCES IN ABSTRACTION
------------------------

Note: these examples merely illustrate differences. They are not meant to criticize how ISS and SecurityFocus decide to distinguish between issues in their own databases.
Example 1: single X-Force record, multiple Bugtraq IDs, single CAN
  content decision: CD:SF-LOC

Example 2: single X-Force record, multiple Bugtraq IDs, multiple CANs
  content decision: CD:SF-CODEBASE

Example 3: multiple X-Force records, single Bugtraq ID, multiple CANs
  content decision: CD:SF-LOC

Example 4: multiple X-Force records, multiple Bugtraq IDs, single CAN
  content decisions: various

Example 5: single X-Force record, single Bugtraq ID, multiple CANs
  content decisions: various

********************************************************
Example 1: single X-Force record, multiple Bugtraq IDs, single CAN
content decision: CD:SF-LOC
********************************************************

======================================================
Candidate: CAN-2001-0949
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0949
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011204 NMRC Advisory - Multiple Valicert Problems
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100749428517090&w=2
Reference: CONFIRM:http://www.valicert.com/support/security_advisory_eva.html
Reference: XF:eva-forms-bo(7652)
Reference: URL:http://xforce.iss.net/static/7652.php
Reference: BID:3621
Reference: URL:http://www.securityfocus.com/bid/3621
Reference: BID:3622
Reference: URL:http://www.securityfocus.com/bid/3622
Reference: BID:3624
Reference: URL:http://www.securityfocus.com/bid/3624
Reference: BID:3625
Reference: URL:http://www.securityfocus.com/bid/3625
Reference: BID:3627
Reference: URL:http://www.securityfocus.com/bid/3627
Reference: BID:3628
Reference: URL:http://www.securityfocus.com/bid/3628
Reference: BID:3629
Reference: URL:http://www.securityfocus.com/bid/3629
Reference: BID:3630
Reference: URL:http://www.securityfocus.com/bid/3630
Reference: BID:3631
Reference: URL:http://www.securityfocus.com/bid/3631
Reference: BID:3632
Reference: URL:http://www.securityfocus.com/bid/3632
Reference: BID:3633
Reference: URL:http://www.securityfocus.com/bid/3633
Reference: BID:3634
Reference: URL:http://www.securityfocus.com/bid/3634
Reference: BID:3635
Reference: URL:http://www.securityfocus.com/bid/3635
Reference: BID:3636
Reference: URL:http://www.securityfocus.com/bid/3636

Buffer overflows in forms.exe CGI program in ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 allows remote attackers to execute arbitrary code via long arguments to the parameters (1) Mode, (2) Certificate_File, (3) useExpiredCRLs, (4) listenLength, (5) maxThread, (6) maxConnPerSite, (7) maxMsgLen, (8) exitTime, (9) blockTime, (10) nextUpdatePeriod, (11) buildLocal, (12) maxOCSPValidityPeriod, (13) extension, and (14) a particular combination of parameters associated with private key generation that form a string of a certain length.

Analysis
----------------
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests combining problems of the same type in the same version, so all buffer overflows are included in this item. This is a good example of CVE's "content decisions" at work - XF chose one level of abstraction and BID chose another. CD:SF-LOC also suggests splitting between problems of different types, so the Valicert overflows, path disclosure, and other types of problems are separated.

********************************************************
Example 2: single X-Force record, multiple Bugtraq IDs, multiple CANs
content decision: CD:SF-CODEBASE
********************************************************

======================================================
Candidate: CAN-2001-1049
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1049
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0012.html
Reference: CONFIRM:http://phorecast.org/
Reference: BID:3388
Reference: URL:http://www.securityfocus.com/bid/3388
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

Phorecast PHP script before 0.40 allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.

Analysis
----------------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: on the home page in the News section, the news item dated 2001-10-14 says "IMPORTANT SECURITY NEWS" and includes a link to the Bugtraq post. The entry for 2001-12-22 says "version 0.40 ... corrects the security flaw."

======================================================
Candidate: CAN-2001-1050
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1050
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0012.html
Reference: BID:3389
Reference: URL:http://www.securityfocus.com/bid/3389
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

CCCSoftware CCC PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.

Analysis
----------------
Vendor Acknowledgement: no

ACKNOWLEDGEMENT: information about this product cannot be found on the web, so acknowledgement cannot be determined.

======================================================
Candidate: CAN-2001-1051
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1051
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0012.html
Reference: MISC:http://sourceforge.net/tracker/index.php?func=detail&aid=440666&group_id=20971&atid=120971
Reference: BID:3390
Reference: URL:http://www.securityfocus.com/bid/3390
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

Dark Hart Portal (darkportal) PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.

Analysis
----------------
Vendor Acknowledgement: unknown vague

======================================================
Candidate: CAN-2001-1052
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1052
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0012.html
Reference: BID:3391
Reference: URL:http://www.securityfocus.com/bid/3391
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

Empris PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.

Analysis
----------------
Vendor Acknowledgement:

======================================================
Candidate: CAN-2001-1053
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1053
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010713 AdCycle SQL Command Insertion Vulnerability - qDefense Advisory Number QDAV-2001-7-2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0249.html
Reference: CONFIRM:http://www.adcycle.com/cgi-bin/download.cgi?type=UNIX&version=1.17
Reference: XF:adcycle-insert-sql-command(6837)
Reference: URL:http://xforce.iss.net/static/6837.php
Reference: BID:3032
Reference: URL:http://www.securityfocus.com/bid/3032
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

AdLogin.pm in AdCycle 1.15 and earlier allows remote attackers to bypass authentication and gain privileges by injecting SQL code in the $password argument.

Analysis
----------------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the README.txt file bundled with the software, the "[v1.16] July 5, 2001" entry states "fixed security hole (with help from qDefense.com)."

======================================================
Candidate: CAN-2001-1054
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1054
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0012.html
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?thread_id=148900&forum_id=117952
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=117952
Reference: BID:3392
Reference: URL:http://www.securityfocus.com/bid/3392
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

PHPAdsNew PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.

Analysis
----------------
Vendor Acknowledgement: yes

********************************************************
Example 3: multiple X-Force records, single Bugtraq ID, multiple CANs
content decision: CD:SF-LOC
********************************************************

======================================================
Candidate: CAN-1999-0833
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0833
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: BID:788
Reference: XF:bind-nxt-bo

Buffer overflow in BIND 8.2 via NXT records.

Modifications:
  ADDREF BID:788
  ADDREF XF:bind-nxt-bo

Analysis
----------------
Vendor Acknowledgement: yes

======================================================
Candidate: CAN-1999-0835
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0835
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-sigrecord-dos
Reference: BID:788

Denial of service in BIND named via malformed SIG records.

Modifications:
  DESC Add "malformed"
  ADDREF XF:bind-sigrecord-dos
  ADDREF BID:788

Analysis
----------------
Vendor Acknowledgement: unknown

======================================================
Candidate: CAN-1999-0837
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0837
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-solinger-dos
Reference: BID:788

Denial of service in BIND by improperly closing TCP sessions via so_linger.

Modifications:
  ADDREF XF:bind-solinger-dos
  ADDREF BID:788

Analysis
----------------
Vendor Acknowledgement: yes

======================================================
Candidate: CAN-1999-0848
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0848
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: BID:788
Reference: XF:bind-fdmax-dos

Denial of service in BIND named via consuming more than "fdmax" file descriptors.

Modifications:
  ADDREF XF:bind-fdmax-dos
  ADDREF BID:788

Analysis
----------------
Vendor Acknowledgement: yes

======================================================
Candidate: CAN-1999-0849
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0849
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-maxdname-bo

Denial of service in BIND named via maxdname.

Modifications:
  ADDREF XF:bind-maxdname-bo

Analysis
----------------
Vendor Acknowledgement: yes

======================================================
Candidate: CAN-1999-0851
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0851
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-naptr-dos

Denial of service in BIND named via naptr.

Modifications:
  ADDREF XF:bind-naptr-dos

Analysis
----------------
Vendor Acknowledgement: unknown

********************************************************
Example 4: multiple X-Force records, multiple Bugtraq IDs, single CAN
content decisions: various
********************************************************

======================================================
Candidate: CAN-2001-0955
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0955
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: VULN-DEV:20010922 XFree86 DOS / Buffer overflow local and remote.
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=100118958310463&w=2
Reference: BUGTRAQ:20011207 Crashing X
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100776624224549&w=2
Reference: BUGTRAQ:20011208 Re: Crashing X
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100784290015880&w=2
Reference: CONFIRM:http://www.xfree86.org/4.2.0/RELNOTES2.html#2
Reference: CONFIRM:http://www.xfree86.org/security/
Reference: MISC:http://cvsweb.xfree86.org/cvsweb/xc/programs/Xserver/fb/fbglyph.c
Reference: BID:3663
Reference: URL:http://www.securityfocus.com/bid/3663
Reference: BID:3657
Reference: URL:http://www.securityfocus.com/bid/3657
Reference: XF:xfree86-konqueror-bo(7673)
Reference: URL:http://xforce.iss.net/static/7673.php
Reference: XF:xfree86-xterm-title-bo(7683)
Reference: URL:http://xforce.iss.net/static/7683.php

Buffer overflow in fbglyph.c in XFree86 before 4.2.0, related to glyph clipping for large origins, allows attackers to cause a denial of service and possibly gain privileges via a large number of characters, possibly through the web page search form of KDE Konqueror or from an xterm command with a long title.

Analysis
----------------
Vendor Acknowledgement: yes
Content Decisions: SF-EXEC, SF-CODEBASE

ABSTRACTION: It is possible that the Konqueror and xterm bugs have different issues, both of which may or may not be due to the same problem in XFree86. However, both of the reports involve X clients that crash the server - which shouldn't be doable by a client - so that suggests a common problem that is "exploitable" through different means. Various Bugtraq discussions seem to eventually agree that it is something in XFree86. However, the XFree86 security reports do not provide sufficient details to be certain that it is the same underlying problem.

ACKNOWLEDGEMENT: Some posts on Bugtraq imply that there are patches in the fbglyph.c file. The XFree86 security page has the following comment for version 4.2.0: "Fix a buffer overflow in glyph clipping for large origin" which could be the same as the issue being discussed here. Section 2.3 in the release notes for 4.2.0 says "A security problem related to glyph clipping for large origins is fixed." However, the patch was applied on September 16th - a week before the problem was initially posted to VULN-DEV. While the vendor's descriptions of the problems do not cleanly match the exploit scenarios described in the mailing lists - which affects the certainty of this candidate's description - there seems to be enough evidence that XFree86 was aware of and fixed this problem.

======================================================
Candidate: CAN-2001-1047
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1047
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010602 Locally exploitable races in OpenBSD VFS
Reference: URL:http://www.securityfocus.com/archive/1/188474
Reference: BID:2817
Reference: URL:http://www.securityfocus.com/bid/2817
Reference: BID:2818
Reference: URL:http://www.securityfocus.com/bid/2818
Reference: XF:openbsd-pipe-race-dos(6661)
Reference: URL:http://xforce.iss.net/static/6661.php
Reference: XF:openbsd-dup2-race-dos(6660)
Reference: URL:http://xforce.iss.net/static/6660.php

Race condition in OpenBSD VFS allows local users to cause a denial of service (kernel panic) by (1) creating a pipe in one thread and causing another thread to set one of the file descriptors to NULL via a close, or (2) calling dup2 on a file descriptor in one process, then setting the descriptor to NULL via a close in another process that is created via rfork.

Analysis
----------------
Vendor Acknowledgement: unknown
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests that problems of the same type (in this case, race condition) that appear in the same version should be combined into a single item.

======================================================
Candidate: CAN-2000-0384
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0384
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: CF
Reference: L0PHT:20000508 NetStructure 7180 remote backdoor vulnerability
Reference: URL:http://www.lopht.com/advisories/ipivot7110.html
Reference: L0PHT:20000508 NetStructure 7110 console backdoor
Reference: URL:http://www.l0pht.com/advisories/ipivot7180.html
Reference: CONFIRM:http://216.188.41.136/
Reference: XF:netstructure-root-compromise
Reference: XF:netstructure-wizard-mode
Reference: BID:1182
Reference: URL:http://www.securityfocus.com/bid/1182
Reference: BID:1183
Reference: URL:http://www.securityfocus.com/bid/1183

NetStructure 7110 and 7180 have undocumented accounts (servnow, root, and wizard) whose passwords are easily guessable from the NetStructure's MAC address, which could allow remote attackers to gain root access.

Analysis
----------------
Vendor Acknowledgement: yes
Content Decisions: CF-PASS

********************************************************
Example 5: single X-Force record, single Bugtraq ID, multiple CANs
content decisions: SF-EXEC, SF-CODEBASE
********************************************************

======================================================
Candidate: CAN-2000-1020
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1020
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2
Reference: BID:1689
Reference: URL:http://www.securityfocus.com/bid/1689
Reference: XF:mdaemon-url-dos
Reference: URL:http://xforce.iss.net/static/5250.php

Heap overflow in Worldclient in Mdaemon 3.1.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long URL.

Analysis
----------------
Vendor Acknowledgement: unknown claimed
Content Decisions: SF-EXEC

This would appear to be a duplicate of CAN-1999-0844 at first glance, but VIGILANTE says this is not the case in their advisory. CD:SF-EXEC also suggests that separate entries might need to be created for WorldClient and WebConfig. Since Board members have voted to RECAST CAN-1999-0844 (which combines WorldClient and WebConfig), that also suggests that separate items should be recorded for WorldClient versus WebConfig.

======================================================
Candidate: CAN-2000-1021
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1021
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2
Reference: BID:1689
Reference: URL:http://www.securityfocus.com/bid/1689
Reference: XF:mdaemon-url-dos
Reference: URL:http://xforce.iss.net/static/5250.php

Heap overflow in WebConfig in Mdaemon 3.1.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long URL.

Analysis
----------------
Vendor Acknowledgement: unknown claimed
Content Decisions: SF-EXEC

This would appear to be a duplicate of CAN-1999-0844 at first glance, but VIGILANTE says this is not the case in their advisory. CD:SF-EXEC also suggests that separate entries might need to be created for WorldClient and WebConfig. Since Board members have voted to RECAST CAN-1999-0844 (which combines WorldClient and WebConfig), that also suggests that separate items should be recorded for WorldClient versus WebConfig.
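As an added illustration (not part of Steve's message, and not CVE's own tooling), the following Python encodes the three content decisions discussed above (CD:SF-LOC, CD:SF-CODEBASE, CD:SF-EXEC) as a single grouping key and applies it to constructed, abridged versions of Examples 1, 2, 3 and 5, counting how many X-Force records, Bugtraq IDs and candidates each example yields. The Report schema, the flaw-type labels, and the pairing of individual ValiCert parameters with specific BIDs are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    """One vulnerability report as a data source might record it (hypothetical schema)."""
    codebase: str    # distinct code base        -> CD:SF-CODEBASE splits on this
    executable: str  # program/component         -> CD:SF-EXEC splits on this
    flaw_type: str   # analyst's bug-type label  -> CD:SF-LOC merges same type, splits different
    version: str     # CD:SF-LOC merges only within the same affected version range
    detail: str      # the specific parameter, record or command involved
    xf: str          # X-Force record id
    bid: str         # Bugtraq ID


def candidate_key(r: Report) -> tuple:
    """Abstraction key: reports that share this key collapse into one candidate."""
    return (r.codebase, r.executable, r.flaw_type, r.version)


def group_candidates(reports):
    """Apply the content decisions; returns {candidate_key: [reports]}."""
    groups = defaultdict(list)
    for r in reports:
        groups[candidate_key(r)].append(r)
    return dict(groups)


def abstraction_summary(reports):
    """Items per data source versus the number of CANs the content decisions produce."""
    return {
        "xforce": len({r.xf for r in reports}),
        "bugtraq": len({r.bid for r in reports}),
        "candidates": len(group_candidates(reports)),
    }


# Constructed samples, abridged from the examples in the message.
# Example 1: ValiCert EVA forms.exe overflows; one XF record, one BID per parameter
# (which BID belongs to which parameter is assumed here).
VALICERT = [
    Report("valicert-eva", "forms.exe", "buffer overflow", "3.3-4.2.1", p, "XF:7652", b)
    for p, b in [("Mode", "BID:3621"), ("Certificate_File", "BID:3622"),
                 ("useExpiredCRLs", "BID:3624"), ("listenLength", "BID:3625")]
]
# Example 2: five unrelated PHP scripts with the same includedir flaw under one XF record.
PHP_INCLUDEDIR = [
    Report(cb, cb, "remote file inclusion", "*", "includedir", "XF:7215", b)
    for cb, b in [("phorecast", "BID:3388"), ("ccc", "BID:3389"), ("darkportal", "BID:3390"),
                  ("empris", "BID:3391"), ("phpadsnew", "BID:3392")]
]
# Example 3: BIND 8.2 problems of different underlying types, all filed under BID 788.
BIND = [
    Report("bind", "named", "buffer overflow", "8.2", "NXT records", "XF:bind-nxt-bo", "BID:788"),
    Report("bind", "named", "DoS: malformed SIG record", "8.2", "SIG records",
           "XF:bind-sigrecord-dos", "BID:788"),
    Report("bind", "named", "DoS: so_linger TCP close", "8.2", "so_linger",
           "XF:bind-solinger-dos", "BID:788"),
]
# Example 5: same flaw in two executables of one product -> CD:SF-EXEC splits them.
MDAEMON = [
    Report("mdaemon", "WorldClient", "heap overflow", "<=3.1.1", "long URL", "XF:mdaemon-url-dos", "BID:1689"),
    Report("mdaemon", "WebConfig", "heap overflow", "<=3.1.1", "long URL", "XF:mdaemon-url-dos", "BID:1689"),
]


def run_examples():
    """Summaries keyed by example name."""
    return {name: abstraction_summary(rs) for name, rs in
            [("example1", VALICERT), ("example2", PHP_INCLUDEDIR),
             ("example3", BIND), ("example5", MDAEMON)]}


if __name__ == "__main__":
    for name, summary in run_examples().items():
        print(name, summary)
```

The four summaries reproduce the source-to-CAN ratios the examples describe: one XF and four BIDs collapse to one candidate, one XF fans out to five candidates across codebases, three XF records under one BID stay three candidates, and one XF/one BID splits into two candidates by executable.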