|
|
CVE Candidates as of 20080715Name: CVE-1999-0001
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(2) Northcutt, Wall REVIEWING(1) ChristeyVoter Comments: Christey> A Bugtraq posting indicates that the bug has to do with "short packets with certain options set," so the description should be modified accordingly. But is this the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD. Frech> XF:teardrop(338) This assignment was based solely on references to the CERT advisory. Christey> The description for BID:190, which links to CVE-1999-0052 (a FreeBSD advisory), notes that the patches provided by FreeBSD in CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and CVE-1999-0052. CERT:CA-1998-13 is too vague to be sure without further analysis. Name: CVE-1999-0004
Description:
Status: Candidate Votes: ACCEPT(8) Magdych, Northcutt, Wall, Baker, Landfield, Cole, Dik, Collins MODIFY(1) Frech NOOP(1) Christey REVIEWING(1) ShostackVoter Comments: Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject this suggestion, I will not be devastated.) :-) Christey> This issue seems to have been rediscovered in BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 Also see BUGTRAQ:19990320 Eudora Attachment Buffer Overflow http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2 Christey> CVE-2000-0415 may be a later rediscovery of this problem for Outlook. Dik> Sun bug 4163471, Christey> ADDREF BID:125 Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2 Name: CVE-1999-0015
Description:
Status: Candidate Votes: ACCEPT(1) Wall MODIFY(1) Frech REVIEWING(1) ChristeyVoter Comments: Frech> XF: teardrop-mod Christey> Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 Christey> See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. Christey> MSKB:Q154174 MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104) indicate that CVE-1999-0015 was fixed in NT SP3, but CVE-1999-0104 was not. Thus CD:SF-LOC suggests that the problems keep separate candidates because one problem appears in a different version than the other. Christey> BID:124 http://www.securityfocus.com/bid/124 Consider MSKB:Q154174 http://support.microsoft.com/support/kb/articles/q154/1/74.asp Consider BUGTRAQ:19971113 Linux IP fragment overlap bug http://www.securityfocus.com/archive/1/8014 Name: CVE-1999-0020
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(4) Levy, Northcutt, Wall, Shostack REJECT(2) Christey, BakerVoter Comments: Frech> XF:lpr-bo Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo Name: CVE-1999-0030
Description:
Status: Candidate Votes: ACCEPT(3) Ozancin, Levy, Prosser NOOP(1) Baker RECAST(1) Frech REJECT(1) ChristeyVoter Comments: Frech> XF:xlock-bo (also add) As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and several Linii. Also, don't you mean to cite SGI:19970502-02-PX? The one you list is login/scheme. Levy> Notice that this xlock overflow is the same as in CA-97.13. CA-97.21 simply is a reminder. Christey> As pointed out by Elias, CA-97.21 states: "For more information about vulnerabilities in xlock... see CA-97.13" CA-97.13 = CVE-1999-0038. This may also be a duplicate with CVE-1999-0306. See exploits at: http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2 http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2 Sun also has this problem, at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba Name: CVE-1999-0033
Description:
Status: Candidate Votes: ACCEPT(8) Hill, Northcutt, Wall, Baker, Cole, Dik, Shostack, Collins NOOP(1) Christey RECAST(1) FrechVoter Comments: Frech> This vulnerability also manifests itself for the following platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light, please add the following: Reference: XF:at-bo Dik> Sun bug 1265200, 4063161 Christey> ADDREF SGI:19971102-01-PX ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX SCO:SB.97:01 ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a Christey> CIAC:F-15 http://ciac.llnl.gov/ciac/bulletins/f-15.shtml HP:HPSBUX9502-023 Christey> Add period to the end of the description. Name: CVE-1999-0061
Description:
Status: Candidate Votes: ACCEPT(3) Hill, Northcutt, Frech RECAST(1) Baker REVIEWING(1) ChristeyVoter Comments: Christey> This should be split into three separate problems based on the SNI advisory. But there's newer information to further complicate things. What do we do about this one? in 1997 or so, SNI did an advisory on this problem. In early 2000, it was still discovered to be present in some Linux systems. So an SF-DISCOVERY content decision might say that this is a long enough time between the two, so this should be recorded separately. But they're the same codebase... so if we keep them in the same entry, how do we make sure that this entry reflects that some new information has been discovered? The use of dot notation may help in this regard, to use one dot for the original problem as discovered in 1997, and another dot for the resurgence of the problem in 2000. Baker> We should merge these. Christey> Perhaps this should be NAI-19 instead of NAI-20? The original Bugtraq post for the SNI advisory suggests SNI-19: BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability URL:SNI-19:BSD lpd vulnerability Also add: BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE) URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2 However, archives of "NAI-0020" point to the lpd vuln. If I recall correctly, some of the NAI advisory numbers got switched when NAI acquired SNI. Name: CVE-1999-0076
Description:
Status: Candidate Votes: ACCEPT(3) Ozancin, Baker, Frech NOOP(1) Balinsky REVIEWING(1) ChristeyVoter Comments: Balinsky> Don't know what this is. Is this the LIST Core dump vulnerability? Christey> Need to add more references and details. Name: CVE-1999-0078
Description:
Status: Candidate Votes: ACCEPT(5) Collins, Northcutt, Landfield, Frech, Shostack NOOP(1) Baker RECAST(1) ChristeyVoter Comments: Christey> This candidate should be SPLIT, since there are two separate software flaws. One is a symlink race and the other is a shell metacharacter problem. Christey> The permissions part of this vulnerability appears to overlap with CVE-1999-0353 Christey> SGI:20020802-01-I Name: CVE-1999-0086
Description:
Status: Candidate Votes: ACCEPT(2) Northcutt, Shostack MODIFY(2) Prosser, Frech NOOP(1) Baker REJECT(1) ChristeyVoter Comments: Frech> Reference: XF:ibm-routed Prosser> This vulnerability allows debug mode to be turned on which is the problem. Should this be more specific in the description? This one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which is in the SGI cluster, shouldn't these be cross-referenced as the same vuln affects multiple OSes. Christey> This appears to be subsumed by CVE-1999-0215 Name: CVE-1999-0088
Description:
Status: Candidate Votes: ACCEPT(2) Northcutt, Shostack MODIFY(2) Prosser, Frech RECAST(1) Baker REVIEWING(1) ChristeyVoter Comments: Frech> ERS (and other references, BTW) explicitly stipulate 'local and remote'. Reference: XF:irix-autofsd Prosser> Include the SGI Alert as well since it is mentioned in the description. SGI Security Advisory 19981005-01-PX Christey> DUPE CVE-1999-0210? Christey> ADDREF CIAC:J-014 Baker> It does look very similar to 1999-0210. Perhaps they should be a single entry Name: CVE-1999-0089
Description:
Status: Candidate Votes: ACCEPT(2) Northcutt, Shostack MODIFY(2) Prosser, Frech RECAST(1) Baker REVIEWING(1) ChristeyVoter Comments: Frech> Reference: XF:ibm-libDtSvc Prosser> The overflow is in the dtaction utility. Also affects dtaction in the CDE on versions of SunOS (SUN 164). Probably should be specific. Christey> Same Codebase as CVE-1999-0121, so the two entries should be merged. Name: CVE-1999-0092
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Bollinger MODIFY(1) Frech NOOP(1) OzancinVoter Comments: Frech> XF:ibm-portmir Name: CVE-1999-0098
Description:
Status: Candidate Votes: MODIFY(2) Baker, Frech NOOP(1) Wall REVIEWING(1) ChristeyVoter Comments: Frech> (Accept XF reference.) Our references do not mention hiding activities. This issue can crash the SMTP server or execute arbitrary byte-code. Is there another reference available? Christey> Should this be merged with CVE-1999-0284, which is Sendmail with SMTP HELO? Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2 BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2 Baker> Apparently this XF reference is not for this issue, but for the other issue. This should be modified to have the Bugtraq references, and remove the XF reference. Name: CVE-1999-0104
Description:
Status: Candidate Votes: ACCEPT(2) Wall, Frech REVIEWING(1) ChristeyVoter Comments: Wall> Another reference is Microsoft Knowledge Base Q179129. Christey> Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 Christey> See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. Christey> MSKB:Q179129 http://support.microsoft.com/support/kb/articles/q179/1/29.asp Christey> MSKB:Q179129 http://support.microsoft.com/support/kb/articles/q179/1/29.asp Note that the hotfix name is teardrop2, but the keywords included in the KB article specifically name bonk (CVE-1999-0258) and boink. Since teardrop2 was fixed in a slightly different version (at least in a separate patch) than Teardrop, CD:SF-LOC suggests keeping them separate. Christey> Add period to the end of the description. Name: CVE-1999-0105
Description:
Status: Candidate Votes: MODIFY(3) Shostack, Baker, Frech NOOP(1) Christey REJECT(1) NorthcuttVoter Comments: Shostack> fingerD Frech> XF:finger-bomb Christey> aka redirection or forwarding requests? (but then might overlap CVE-1999-0106) Baker> should change description to indicate the recursive searching can consume enough system resources to cause a DoS. Name: CVE-1999-0106
Description:
Status: Candidate Votes: ACCEPT(1) Northcutt MODIFY(2) Shostack, Frech RECAST(1) Baker REVIEWING(1) ChristeyVoter Comments: Shostack> fingerd allows redirection This is a larger modification, since there are two applications of the vulnerability, one that I can finger anonymously, and the other that I can finger bomb anonymously. Frech> XF:finger-bomb Christey> need more refs Baker> This should be merged with 1999-0105 Name: CVE-1999-0107
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(3) Shostack, Northcutt, Wall REVIEWING(1) Levy REVOTE(1) ChristeyVoter Comments: Wall> - Although this is probably the phf hack. Frech> XF:apache-dos Christey> This sounds like the incident reported in: NTBUGTRAQ:20000810 Apache Distributed Denial of Service Levy> I belive this is the problem where sending lot of HTTP headers to apache resulted on a denial of service. BUGTRAQ: http://www.securityfocus.com/archive/1/10228 BUGTRAQ: http://www.securityfocus.com/archive/1/10516 Name: CVE-1999-0110
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(4) Shostack, Levy, Northcutt, Wall REJECT(3) Dik, Christey, BakerVoter Comments: Frech> XF:fdformat-bo Christey> Duplicate of CVE-1999-0315 Dik> dup Name: CVE-1999-0114
Description:
Status: Candidate Votes: ACCEPT(7) Shostack, Bishop, Blake, Wall, Landfield, Cole, Armstrong MODIFY(2) Baker, Frech NOOP(3) Ozancin, Christey, Northcutt REVIEWING(1) LevyVoter Comments: Frech> XF:elm-filter2 CHANGE> [Wall changed vote from NOOP to ACCEPT] Landfield> with Frech modifications Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory Christey> The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm Need to make sure that this CERT advisory describes the right problem, especially since the CERT advisory is dated December 18, 1995 and the original Bugtraq post was December 26, 1995. Christey> BID:1802 URL:http://www.securityfocus.com/bid/1802 BID:1802 doesn't include the 1999 posting - does Security Focus think that the 1999 post describes a different vulnerability? Christey> XF:elm-filter2 isn't on the X-Force web site. How about XF:elm-filter(402) ? Its references point to the December 26, 1995 BUgtraq post. Also consider CIAC:G-36 and CERT:VB-95:10 Frech> DELREF:XF:elm-filter2(711) ADDREF:XF:elm-filter(402) Name: CVE-1999-0119
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(2) Northcutt, Baker REJECT(1) WallVoter Comments: Wall> Reject based on beta copy. Frech> XF:nt-beta(11) Reconsider reject, because this beta was in widespread use. Name: CVE-1999-0121
Description:
Status: Candidate Votes: ACCEPT(2) Dik, Northcutt MODIFY(3) Prosser, Baker, Frech REVIEWING(1) ChristeyVoter Comments: Frech> Reference: XF:dtaction-bo Reference: XF:sun-dtaction Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a library in AIX 4.x, but reference for this Sun vulnerability should only reflect the Sun Bulletin or the CIAC I-032 version of the Sun Bulletin Christey> This is the Same Codebase as CVE-1999-0089, so the two entries should be merged. Frech> Replace sun-dtaction(732) with dtaction-bo(879) Baker> Merge with 1999-0089 Name: CVE-1999-0123
Description:
Status: Candidate Votes: ACCEPT(3) Ozancin, Baker, Frech NOOP(1) Wall Name: CVE-1999-0127
Description:
Status: Candidate Votes: ACCEPT(2) Prosser, Baker MODIFY(1) Frech NOOP(1) ChristeyVoter Comments: Frech> (keep current XF: reference, and add) XF:hpux-sqwmodify Christey> Perhaps this should be split, per SF-LOC. Christey> CIAC:H-81 http://ciac.llnl.gov/ciac/bulletins/h-81.shtml HP:HPSBUX9707-064 references CERT:CA-96.27 http://ciac.llnl.gov/ciac/bulletins/h-81.shtml The original AUSCERT advisory says that the programs "create files in an insecure manner" and "Exploit details involving this vulnerability have been made publicly available." which leads one to assume that the following original Bugtraq post provides the details for a standard symlink problem: BUGTRAQ:19961005 swinst,bug http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2 Name: CVE-1999-0140
Description:
Status: Candidate Votes: ACCEPT(1) Hill MODIFY(2) Frech, Meunier NOOP(1) Baker REJECT(1) ChristeyVoter Comments: Meunier> Add "pptp invalid packet length in header" to distinguish from other vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be discovered in the future. Frech> XF:nt-ras-bo ONLY IF reference is to MS:MS99-016 Christey> According to my mappings, this is not the MS:MS99-016 problem referred to by Andre. However, I have yet to dig up a source. CHANGE> [Christey changed vote from NOOP to REVIEWING] CHANGE> [Christey changed vote from REVIEWING to REJECT] Christey> This is too general to know which problem is being discussed. More precise candidates should be created. Christey> Consider adding BID:2111 Name: CVE-1999-0144
Description:
Status: Candidate Votes: ACCEPT(4) Frech, Meunier, Hill, Baker REVIEWING(1) ChristeyVoter Comments: Christey> DUPE CVE-1999-0418 and CVE-1999-0250? Christey> Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator. See http://cr.yp.to/qmail/venema.html Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others. See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html "Denial of service (qmail-smtpd)" "qmail-dos-2.c, another denial of service" "[PATCH] denial of service" "just another qmail denial-of-service" "the UNIX way" "Time for a reality check" Also see Bugtraq threads on a different vulnerability that is related to this topic: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html Baker> http://cr.yp.to/qmail/venema.html Berstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema. His page states this is not a qmail problem, rather it is a UNIX problem that many apps can consume all available memory, and that the administrator is responsible to set limits in the OS, rather than expect applications to individually prevent memory exhaustion. CAN 1999-0250 does appear to be a duplicate of this entry, based on the research I have done so far. There were two different bugtraq postings, but the second one references the first, stating that the new exploit uses perl instead of shell scripting to accomplish the same attack/exploit. Baker> http://www.securityfocus.com/archive/1/6970 http://www.securityfocus.com/archive/1/6969 http://cr.yp.to/qmail/venema.html Should probably reject CVE-1999-0250, and add these references to this Candidate. Baker> http://www.securityfocus.com/bid/2237 CHANGE> [Baker changed vote from REVIEWING to ACCEPT] Christey> qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message. NOTE: the ufo.org domain was purchased by another party in 2003, so the current owner is not associated with any statements by "super@ufo.org" that were made before 2003. qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands. ADDREF BID:2237 ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd) Also see a related thread: BUGTRAQ:19990308 SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this: BUGTRAQ:19990309 Re: SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 The person further says, "This attack can easily be prevented with configuration methods." Name: CVE-1999-0154
Description:
Status: Candidate Votes: ACCEPT(4) Frech, Stracener, Wall, Foat NOOP(3) Christey, Baker, ColeVoter Comments: Christey> This is the precursor to the problem that is identified in CVE-1999-0253. Christey> CIAC:H-48 URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml CHANGE> [Foat changed vote from NOOP to ACCEPT] Name: CVE-1999-0156
Description:
Status: Candidate Votes: ACCEPT(2) Shostack, Northcutt NOOP(1) Baker RECAST(1) Frech REVIEWING(2) Christey, ProsserVoter Comments: Prosser> but so far can find no reference to this one Frech> Our records indicate that this does not necessarly affect just wu-ftp (ie, also affects IIS FTP server). Christey> The references for XF:ftp-pwless are not specific enough, e.g. in terms of version numbers. Perhaps this candidate should be rejected due to insufficient information. Name: CVE-1999-0163
Description:
Status: Candidate Votes: ACCEPT(2) Frech, Northcutt MODIFY(1) Prosser NOOP(2) Christey, Baker RECAST(1) ShostackVoter Comments: Shostack> there was a 'To: |' and a 'From: |' attack, which I think are seperate. Prosser> older vulnerability, but one additional reference is- The Ultimate Sendmail Hole List by Markus Hübner @ bau2.uibk.ac.at/matic/buglist.htm '|PROGRAM ' Christey> Description needs to be more specific to distinguish between this and CVE-1999-0203, as alluded to by Adam Shostack Name: CVE-1999-0165
Description:
Status: Candidate Votes: ACCEPT(3) Frech, Northcutt, Baker MODIFY(1) Shostack NOOP(1) Prosser REVIEWING(1) ChristeyVoter Comments: Shostack> need more data Christey> need more refs Christey> Add period to the end of the description. Name: CVE-1999-0169
Description:
Status: Candidate Votes: ACCEPT(2) Frech, Northcutt MODIFY(1) Baker REJECT(1) ShostackVoter Comments: Shostack> this is not a vulnerability but a design feature. Baker> Maybe we should reword it so that it is clear that this was a problem to something like: "A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID." Name: CVE-1999-0171
Description:
Status: Candidate Votes: ACCEPT(2) Frech, Northcutt NOOP(1) Baker REJECT(2) Shostack, ChristeyVoter Comments: Shostack> design issue, not a vulnerability. Alternately, add: DOS on server by opening a large number of telnet sessions.. Christey> Duplicate of CVE-1999-0566 Name: CVE-1999-0186
Description:
Status: Candidate Votes: ACCEPT(2) Dik, Baker MODIFY(1) Frech NOOP(1) Wall REVIEWING(1) ChristeyVoter Comments: Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr Add ISS:Hidden Community String in SNMP Implementation Christey> What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See: http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and http://cve.mitre.org/Board_Sponsors/archives/msg00250.html http://cve.mitre.org/Board_Sponsors/archives/msg00251.html Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE. Christey> ADDREF BID:177 Christey> ISS:19981102 Hidden community string in SNMP implementation http://xforce.iss.net/alerts/advise11.php Change description to include "hidden" Christey> XF:snmp-backdoor-access is missing. Name: CVE-1999-0187
Description:
Status: Candidate Votes: ACCEPT(2) Hill, Northcutt RECAST(3) Frech, Prosser, Baker REJECT(1) Dik REVIEWING(1) ChristeyVoter Comments: Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in rdist lookup( )(ref CERT 96.14)as well as the BO in rdist function expstr() (ref CERT 97-23) and various vendor bulletins. However both of these rdist BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX, FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content decision Frech> XF:rdist-bo (error msg formation) XF:rdist-bo2 (execute code) XF:rdist-bo3 (execute user-created code) XF:rdist-sept97 (root from local) Christey> Duplicate of CVE-1999-0022 (SUN:00179 is referenced in CERT:CA-97.23.rdist), but as Mike and Andre noted, there are multiple flaws here, so a RECAST may be necessary. Dik> As currently phrasedm thissa duplicate of CVE-1999-0022 Baker> Based on our new philosophy, this should be recast/merged or re-described. Name: CVE-1999-0193
Description:
Status: Candidate Votes: ACCEPT(5) Shostack, Bishop, Ozancin, Northcutt, Cole MODIFY(2) Blake, Baker NOOP(4) Frech, Wall, Landfield, Armstrong REVIEWING(2) Levy, ChristeyVoter Comments: Frech> possibly XF:ascend-kill I can't find a reference that lists both routers in the same reference. Wall> Comment: There is a reference about the zero length TCP option in BugTraq on Feb 5, 1999 and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038 mentions vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052 mentions 3Com vulnerabilities, but not TCP. Too confusing withour better references. Landfield> What are the references for this ? I cannot find a means to check it out. CHANGE> [Frech changed vote from REVIEWING to NOOP] Frech> Cannot reconcile to our database without further references. Blake> I'm with Andre. I only remember and can find reference to the Ascend issue. Do we have a refernce to the 3Coms? If not, that should be removed from the description. Baker> http://xforce.iss.net/static/614.php Misc Defensive Info http://www.securityfocus.com/archive/1/5682 Misc Offensive Info http://www.securityfocus.com/archive/1/5647 Misc Defensive Info http://www.securityfocus.com/archive/1/5640 Misc Defensive Info CHANGE> [Armstrong changed vote from REVIEWING to NOOP] Name: CVE-1999-0195
Description:
Status: Candidate Votes: ACCEPT(2) Shostack, Balinsky MODIFY(1) Frech NOOP(3) Northcutt, Wall, Baker REVIEWING(2) Levy, ChristeyVoter Comments: Frech> XF:rpcbind-spoof Christey> CVE-1999-0195 = CVE-1999-0461 ? If this is approved over CVE-1999-0461, make sure it gets XF:pmap-sset Name: CVE-1999-0197
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(2) Frech, Shostack REJECT(1) NorthcuttVoter Comments: Shostack> fingerd may respond to 'finger 0@host' with account info Frech> Need more reference to establish this 'exposure'. CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:finger-unused-accounts(8378) We're entering it into our database solely to track competition. The only references seem to be product listings: http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002 Finger 0@host check) http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check) http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host feature) Name: CVE-1999-0198
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(2) Frech, Shostack REJECT(1) NorthcuttVoter Comments: Shostack> as above Frech> Need more reference to establish this 'exposure'. CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:finger-unused-accounts(8378) We're entering it into our database solely to track competition. The only references seem to be product listings: http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004 Finger .@target-host check) http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host check ) http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host feature) Name: CVE-1999-0200
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(2) Frech, Shostack NOOP(2) Northcutt, Wall REJECT(1) Christey REVIEWING(1) LevyVoter Comments: Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another? Frech> Other have mentioned this before, but it may be WU-FTP. POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root access without anon FTP or a regular account? POSSIBLY XF:wu-ftpd-exec;same as above conditions, but instead from a non-anon FTP account and gain root privs. Christey> added MSKB reference CHANGE> [Christey changed vote from REVOTE to REJECT] Christey> The MSKB article may have confused things even more. There were reports of problems in a Windows-based FTP server called WFTP (http://www.wftpd.com/) that is not a Microsft FTP server. It's best to just kill this candidate where it stands and start fresh. Name: CVE-1999-0205
Description:
Status: Candidate Votes: ACCEPT(2) Hill, Northcutt MODIFY(2) Frech, Prosser NOOP(1) Baker REVIEWING(2) Ozancin, ChristeyVoter Comments: Frech> XF:sendmail-alias-dos Prosser> additional source Bugtraq "Re: SM 8.6.12" http://www.securityfocus.com Christey> The Bugtraq thread does not provide any proof, including a comment by Eric Allman that he hadn't been provided any details either. See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu for the thread. Christey> Change Bugtraq reference date to 19950708. Name: CVE-1999-0213
Description:
Status: Candidate Votes: ACCEPT(6) Dik, Ozancin, Hill, Blake, Landfield, Cole MODIFY(3) Frech, Levy, Baker NOOP(4) Bishop, Meunier, Wall, Armstrong REVIEWING(1) ChristeyVoter Comments: Frech> XF:sun-libnsl Dik> Sun bug #4305859 Baker> http://xforce.iss.net/static/1204.php Misc Defensive Info http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info http://www.securityfocus.com/archive/1/9749 Misc Defensive Info Christey> I don't think this is the bug that everyone thinks it is. This candidate came from CyberCop Scanner 2.4/2.5, which only reports this as a DoS problem. If SUN:00172 is an advisory for this, then it may be a duplicate of CVE-1999-0055. There appears to be overlap with other references as well. HOWEVER, this particular one deals with a DoS in rpcbind - which isn't mentioned in the sources for CVE-1999-0055. Levy> BID 148 Name: CVE-1999-0216
Description:
Status: Candidate Votes: ACCEPT(1) Hill MODIFY(2) Frech, Baker RECAST(1) MeunierVoter Comments: Meunier> The location of the vulnerability, whether in the Linux kernel or the application, is debatable. Any program making the same (reasonnable) assumption is vulnerable, i.e., implements the same vulnerability: "Assumption that TCP-three-way handshake is complete after calling Linux kernel function accept(), which returns socket after getting SYN. Result is process death by SIGPIPE" Moreover, whether it results in DOS (to third parties) depends on the process that made the assumption. I think that the present entry should be split, one entry for every application that implements the vulnerability (really describing threat instances, which is what other people think about when we talk about vulnerabilities), and one entry for the Linux kernel that allows the vulnerability to happen. Frech> XF:hp-inetd XF:linux-inetd-dos Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to mulitple OS and should be likely either modified, or in extreme case, recast Name: CVE-1999-0220
Description:
Status: Candidate Votes: NOOP(2) Northcutt, Baker REJECT(2) Frech, ChristeyVoter Comments: Frech> Would reconsider if any references were available. Christey> No references available, combined with extremely vague description, equals REJECT. Name: CVE-1999-0222
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(3) Frech, Shostack, Levy NOOP(3) Balinsky, Northcutt, Wall RECAST(1) Ziese REJECT(1) ChristeyVoter Comments: Shostack> I follow cisco announcements and problems pretty closely, and haven't seen this. Source? Frech> XF:cisco-web-crash Christey> XF:cisco-web-crash has no additional references. I can't find any references in Bugtraq or Cisco either. This bug is supposedly tested by at least one security product, but that product's database doesn't have any references either. So a question becomes, how did it make it into at least two security companies' databases? Levy> BUGTGRAQ: http://www.securityfocus.com/archive/1/60159 BID 1154 Ziese> The vulnerability is addressed by a vendor acknowledgement. This one, if recast to reflect that "...after using a long url..." should be replaced with "...A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled, browsing to "http://router-ip/anytext?/" is attempted, and the enable password is supplied when requested. This defect can be exploited to produce a denial of service (DoS) attack." Then I can accept this and mark it as "Verfied by my Company". If it can't be recast because this (long uri) is diffferent then our release (special url construction). CHANGE> [Christey changed vote from REVIEWING to REJECT] Christey> Elias Levy's suggested reference is CVE-2000-0380. I don't think that Kevin's description is really addressing this either. The lack of references and a specific description make this candidate unusable, so it should be rejected. Name: CVE-1999-0226
Description:
Status: Candidate Votes: ACCEPT(1) Northcutt MODIFY(1) Frech NOOP(1) Baker REJECT(1) ChristeyVoter Comments: Christey> Too general, and no references. Frech> XF:nt-frag(528) See reference from BugTraq Mailing List, "A New Fragmentation Attack" at http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&ms g=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net Name: CVE-1999-0229
Description:
Status: Candidate Votes: ACCEPT(2) Shostack, Baker MODIFY(2) Frech, Wall NOOP(1) Northcutt REJECT(1) Christey REVIEWING(1) LevyVoter Comments: Wall> Denial of service in Windows NT IIS Server 1.0 using ..\... Source: Microsoft Knowledge Base Article Q115052 - IIS Server. Frech> XF:http-dotdot (not necessarily IIS?) Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot problem. Christey> This actually looks like XF:iis-dot-dot-crash(1638) http://xforce.iss.net/static/1638.php If so, include the version number (2.0) CHANGE> [Christey changed vote from REVOTE to REJECT] Christey> Bill Wall intended to suggest Q155052, but the affected IIS version there is 1.0; the effect is to read files, so this sounds like a directory traversal problem, instead of an inability to process certain strings. As a result, this candidate is too general, since it could apply to 2 different problems, so it should be REJECTed. Christey> Consider adding BID:2218 Name: CVE-1999-0231
Description:
Status: Candidate Votes: ACCEPT(2) Levy, Baker NOOP(3) Christey, Northcutt, Landfield RECAST(1) Frech REVIEWING(1) OzancinVoter Comments: Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below) XF:smtp-vrfy-bo (many mail packages) Northcutt> (There is no way I will have access to these systems) Christey> Some sources report that VRFY and EXPN are both affected. Name: CVE-1999-0232
Description:
Status: Candidate Votes: ACCEPT(2) Hill, Northcutt MODIFY(1) Frech NOOP(1) Prosser REJECT(1) Baker REVIEWING(1) ChristeyVoter Comments: Frech> Unable to provide a match due to vague/insufficient description/references. Possible matches are: XF:ftp-ncsa (probably not, considering you've mentioned the webserver.) XF:http-ncsa-longurl (highest probability) Christey> CVE-1999-0235 is the one associated with XF:http-ncsa-longurl More research is necessary for this one. Baker> Since this has no references at all, and is vague and we have a CAN for the most likely issue, we should kill this one Name: CVE-1999-0235
Description:
Status: Candidate Votes: ACCEPT(3) Hill, Prosser, Northcutt MODIFY(1) Frech REJECT(2) Christey, BakerVoter Comments: Frech> XF:http-ncsa-longurl Christey> CVE-1999-0235 has the same ref's as CVE-1999-0267 Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both refer to the same problem. This should be rejected as 1999-0267 is the same problem. Name: CVE-1999-0238
Description:
Status: Candidate Votes: ACCEPT(5) Frech, Collins, Prosser, Northcutt, Baker NOOP(1) ChristeyVoter Comments: Prosser> additional source AUSCERT External Security Bulletin ESB-97.047 http://www.auscert.org.au Christey> ADDREF BUGTRAQ:19970416 Update on PHP/FI hole URL:http://www.dataguard.no/bugtraq/1997_2/0069.html The attacker specifies the filename as an argument to the program. Add "PHP/FI" to description to facilitate search. AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047 Christey> Consider adding BID:2250 Name: CVE-1999-0240
Description:
Status: Candidate Votes: ACCEPT(1) Northcutt NOOP(1) Baker REJECT(1) FrechVoter Comments: Frech> Would reconsider if any references were available. Name: CVE-1999-0241
Description:
Status: Candidate Votes: ACCEPT(3) Hill, Northcutt, Proctor MODIFY(2) Frech, Prosser NOOP(1) Baker REVIEWING(1) ChristeyVoter Comments: Frech> Also add to references: XF:sol-mkcookie Prosser> additional source Bugtraq "X11 cookie hijacker" http://www.securityfocus.com Christey> The cookie hijacker thread has to do with stealing cookies through a file with bad permissions. I'm not sure the X-Force reference identifies this problem either. Christey> CIAC:G-04 URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml SGI:19960601-01-I URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I CERT:VB-95:08 Name: CVE-1999-0242
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(4) Shostack, Christey, Northcutt, Wall REVIEWING(1) LevyVoter Comments: Frech> Ambiguous description: need more detail. Possibly: XF:linux-pop3d (mktemp() leads to reading e-mail) Christey> At first glance this might look like CVE-1999-0123 or CVE-1999-0125, however this particular candidate arises out of a brief mention of the problem in a larger posting which discusses CVE-1999-0123 (which may be the same bug as CVE-1999-0125). See the following phrase in the Bugtraq post: "one such example of this is in.pop3d" However, the original source of this candidate's description explicitly mentions shadowed passwords, though it has no references to help out here. Name: CVE-1999-0243
Description:
Status: Candidate Votes: ACCEPT(1) Shostack NOOP(4) Levy, Northcutt, Wall, Baker REJECT(2) Frech, ChristeyVoter Comments: Christey> This has no sources; neither does the original database that this entry came from. It's a likely duplicate of CVE-1999-0813. Frech> I disagree on the dupe; see Linux-Security Mailing List, "[linux-security] Cfinger (Yet more :)" at http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains to 1.4.x and below and shows up two years later. CHANGE> [Frech changed vote from REVIEWING to REJECT] Frech> If the reference I previously supplied is correct, then it appears as if the poster modified the source using authorized access to make it vulnerable. Modifying the source in this manner does not qualify as being listed a vulnerability. I disagree on the dupe; see Linux-Security Mailing List, "[linux-security] Cfinger (Yet more :)" at http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains to 1.4.x and below and shows up two years later. Name: CVE-1999-0246
Description:
Status: Candidate Votes: ACCEPT(4) Frech, Hill, Prosser, Northcutt NOOP(1) Baker RECAST(1) ChristeyVoter Comments: Frech> Comment: Determine if it's RemoteWatch or Remote Watch. Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in Remote Watch (the advisory uses two words, not one, for the "Remote Watch" name) ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit) URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com Prosser> agree that the advisory mentions two vulnerabilities in Remote Watch, one being a socket connection and other with the showdisk utility which seems to be a suid vulnerability. Never get much details on this anywhere since the recommendation is to remove the program since it is obsolete and superceded by later tools. Believe the biggest concern here is to just not run the tool at all. Christey> CIAC:H-16 Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp And possibly AUSCERT:AA-96.07 at ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2 Include "remwatch" in the description to facilitate search. Name: CVE-1999-0249
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(2) Frech, Wall NOOP(2) Shostack, Northcutt RECAST(1) Christey REVIEWING(1) LevyVoter Comments: Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows remote users to execute arbitrary commands. Source: rshsvc.txt from the Windows NT Resource Kit. Frech> XF:rsh-svc Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case where remote users coming from authorized machines are allowed access regardless of what .rhosts says. XF:rsh-svc refers to a bug circa 1997 where any remote entity could execute commands as system. Name: CVE-1999-0250
Description:
Status: Candidate Votes: ACCEPT(2) Meunier, Hill MODIFY(1) Frech REJECT(1) Baker REVIEWING(1) ChristeyVoter Comments: Frech> XF:qmail-rcpt Christey> DUPE CVE-1999-0418 and CVE-1999-0144? Christey> Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator. See http://cr.yp.to/qmail/venema.html Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others. See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html "Denial of service (qmail-smtpd)" "qmail-dos-2.c, another denial of service" "[PATCH] denial of service" "just another qmail denial-of-service" "the UNIX way" "Time for a reality check" Also see Bugtraq threads on a different vulnerability that is related to this topic: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html Baker> This appears to be the same vulnerability listed in CAN 1999-0144. In reading through both bugtraq postings, the one that is referenced by 0144 is based on a shell code exploit to cause memory exhaustion. The bugtraq posting referenced by this entry refers explicitly to the prior posting for 0144, and states that the same effect could be accomplished by a perl exploit, which was then attached. Baker> http://www.securityfocus.com/archive/1/6969 CVE-1999-0144 http://www.securityfocus.com/archive/1/6970 CVE-1999-0250 Both references should be added to CVE-1999-0144, and CVE-1999-0250 should likely be rejected. CHANGE> [Baker changed vote from REVIEWING to REJECT] Christey> XF:qmail-leng no longer exists; check with Andre to see if they regarded it as a duplicate as well. qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message. qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands. ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd) ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack Also see a related thread: BUGTRAQ:19990308 SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this: BUGTRAQ:19990309 Re: SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 The person further says, "This attack can easily be prevented with configuration methods." Name: CVE-1999-0253
Description:
Status: Candidate Votes: ACCEPT(9) Frech, Bishop, Collins, Blake, Northcutt, Baker, Landfield, Cole, Armstrong MODIFY(1) LeBlanc NOOP(3) Ozancin, Prosser, Wall REVIEWING(1) ChristeyVoter Comments: Christey> This is a problem that was introduced after patching a previous dot bug with the iis-fix hotfix (see CVE-1999-0154). Since the hotfix introduced the problem, this should be treated as a seaprate issue. Wall> Agree with the comment. LeBlanc> - this one is so old, I don't remember it at all and can't verify or deny the issue. If you can find some documentation that says we fixed it (KB article, hotfix, something), then I would change this to ACCEPT CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> BID:1814 URL:http://www.securityfocus.com/bid/1814 Name: CVE-1999-0254
Description:
Status: Candidate Votes: ACCEPT(2) Frech, Baker NOOP(1) Wall REVIEWING(1) ChristeyVoter Comments: Christey> What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See: http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and http://cve.mitre.org/Board_Sponsors/archives/msg00250.html http://cve.mitre.org/Board_Sponsors/archives/msg00251.html Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE. Name: CVE-1999-0255
Description:
Status: Candidate Votes: ACCEPT(3) Hill, Northcutt, Baker MODIFY(1) Frech NOOP(1) Prosser REJECT(1) ChristeyVoter Comments: Frech> XF:irc-bo Christey> This is too general and doesn't have any references. The XF reference doesn't appear toe xist any more. Perhaps this reference would help: BUGTRAQ:19970701 ircd buffer overflow Baker> It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post. Name: CVE-1999-0257
Description:
Status: Candidate Votes: ACCEPT(1) Wall MODIFY(1) Frech REVIEWING(1) ChristeyVoter Comments: Frech> XF:nestea-linux-dos Christey> Not sure how many separate "instances" of Teardrop and its ilk. Also see comments on CVE-1999-0001. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 Is CVE-1999-0001 the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD. Also see BUGTRAQ:19990909 CISCO and nestea. Finally, note that there is no fundamental difference between nestea and nestea2/nestea-v2; they are different ports that exploit the same problem. The original nestea advisory is at http://www.technotronic.com/rhino9/advisories/06.htm but notice that the suggested fix is in line 375 of ip_fragment.c, not ip_input.c. Christey> See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. Christey> BUGTRAQ:19980501 nestea does other things http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2 BUGTRAQ:19980508 nestea2 and HP Jet Direct cards. URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2 BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2 Nestea source code is in MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html Name: CVE-1999-0258
Description:
Status: Candidate Votes: MODIFY(2) Frech, Wall REVIEWING(1) ChristeyVoter Comments: Wall> Reference Q179129 Frech> XF:teardrop-mod Christey> Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 Christey> See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. Christey> BUGTRAQ:19980108 bonk.c URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2 NTBUGTRAQ:19980108 bonk.c URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2 NTBUGTRAQ:19980109 Re: Bonk.c URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2 NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2 BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2 CIAC:I-031a http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml CERT summary CS-98.02 implies that bonk, boink, and newtear all exploit the same vulnerability. Name: CVE-1999-0261
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(2) Frech, Landfield NOOP(3) Ozancin, Christey, NorthcuttVoter Comments: Frech> XF:chamelion-smtp-dos Landfield> - Specify what "a crash" means. Christey> ADDREF XF:chameleon-smtp-dos ? (but it's not on the web site) Christey> Consider adding BID:2387 Name: CVE-1999-0271
Description:
Status: Candidate Votes: ACCEPT(3) Blake, Northcutt, Baker MODIFY(1) Frech NOOP(1) Prosser REVIEWING(1) ChristeyVoter Comments: Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq posting), but may be multiple codebases since several Real Audio servers are affected. Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow. See CVE-1999-0896 CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> ADDREF XF:realvideo-telnet-dos Name: CVE-1999-0282
Description:
Status: Candidate Votes: ACCEPT(2) Dik, Baker MODIFY(1) Frech NOOP(1) Ozancin RECAST(1) Prosser REJECT(1) ChristeyVoter Comments: Frech> XF:sun-loadmodule XF:sun-modload (CERT CA-93.18 very old!) Prosser> Believe the reference given, 95-12, is referencing a later loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, there may be the same as the HP patches are 100448-02 for the 93 loadmodule/modload vulnerability and 100448-03 for the 95 loadmodule vulnerability which normally indicated a patch update. Looks like the original patch either didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell much beyond that and this is my opinion only as have no way to check it. Which one is this CVE referencing? I accept both. Dik> There are three similar Sun bug ids associated with the patches. 1076118 loadmodule has a security vulnerability 1148753 loadmodule has a security vulnerability 1222192 loadmodule has a security vulnerability as well as: 1137491 Ancient stuff. Christey> Add period to the end of the description. CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> This is distinct from CVE-1999-1584 - CVE-1999-1584 is for CA-93.18. CHANGE> [Christey changed vote from REVIEWING to REJECT] Christey> This candidate combines two separate issues. It uses the CERT alert reference from 1995, from one issue, but a description that is associated with a separate issue. Name: CVE-1999-0283
Description:
Status: Candidate Votes: ACCEPT(7) Dik, Collins, Blake, Northcutt, Wall, Baker, Cole MODIFY(1) Frech NOOP(5) Armstrong, Bishop, Christey, Prosser, Landfield REVIEWING(1) OzancinVoter Comments: Wall> Acknowledged by vendor at http://www.sun.com/software/jwebserver/techinfo/jws112info.html. Baker> Vulnerability Reference (HTML) Reference Type http://www.securityfocus.com/archive/1/7260 Misc Defensive Info http://www.sun.com/software/jwebserver/techinfo/jws112info.html Vendor Info Christey> BID:1891 URL:http://www.securityfocus.com/bid/1891 Christey> Add version number (1.1 beta) and details of attack (appending a . or a \) The Sun URL referenced by Dave Baker no longer exists, so I wasn't able to verify that it addressed the problem described in the Bugtraq post. This might not even be Sun's "Java Web Server," as CVE-2001-0186 describes some product called "Free Java Web Server" Dik> There appears to be some confusion. The particular bug seems to be on in JWS 1.1beta or 1.1 which was fixed in 1.1.2 (get foo.jthml source by appending "." of "\" to URL) There are other bugs that give access and that require a configuration change. http://www.sun.com/software/jwebserver/techinfo/security_advisory.html Christey> Need to make sure to create CAN's for the other bugs, as documented in: NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2 BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2 The reported bugs are: 1) file read by appending %20 2) Directly call /servlet/file URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html #2 is explicitly mentioned in the Sun advisory for CVE-1999-0283. CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:javawebserver-cgi-source(5383) Name: CVE-1999-0284
Description:
Status: Candidate Votes: ACCEPT(2) Blake, Northcutt MODIFY(3) Frech, Ozancin, Levy NOOP(1) Baker REVIEWING(1) ChristeyVoter Comments: Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification) XF:mdaemon-helo-bo XF:lotus-notes-helo-crash XF:slmail-helo-overflow XF:smtp-helo-bo (mentions several products) XF:smtp-exchangedos Levy> - Need one per software. Each one should be its own vulnerability. Ozancin> => Windows NT is correct Christey> These are probably multiple codebases, so we'll need to use dot notation. Also need to see if this should be merged with CVE-1999-0098 (Sendmail SMTP HELO). Name: CVE-1999-0285
Description:
Status: Candidate Votes: ACCEPT(1) Hill NOOP(2) Wall, Baker REJECT(2) Frech, ChristeyVoter Comments: Christey> No references, no information. CHANGE> [Frech changed vote from REVIEWING to REJECT] Frech> No references; closest documented match is with CVE-2001-0346, but that's for Windows 2000. Name: CVE-1999-0286
Description:
Status: Candidate Votes: ACCEPT(3) Armstrong, Shostack, Cole MODIFY(3) Levy, Blake, Wall NOOP(5) Bishop, Ozancin, Northcutt, Baker, Landfield REJECT(1) Frech REVIEWING(1) ChristeyVoter Comments: Wall> In some NT web servers, appending a dot at the end of a URL may allows attackers to read source code for active pages. Source: MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears in Browser" Frech> In the meantime, reword description as 'Windows NT' (trademark issue) Christey> Q163485 does not refer to a space, it refers to a dot. However, I don't have other references. Reading source code with a dot appended is in CVE-1999-0154, which will be proposed. A subsequent bug similar to the dot bug is CVE-1999-0253. Levy> NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014 NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019 BID 273 Blake> Reference: http://www.allaire.com/handlers/index.cfm?ID=10967 CHANGE> [Christey changed vote from NOOP to REVIEWING] CHANGE> [Frech changed vote from REVIEWING to REJECT] Frech> BID articles) Name: CVE-1999-0287
Description:
Status: Candidate Votes: MODIFY(2) Frech, Shostack NOOP(4) Levy, Blake, Northcutt, Wall REJECT(2) Christey, BakerVoter Comments: Shostack> allows file reading Frech> XF:http-cgi-webcom-guestbook Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers Mnemonix says that he had previously reported on a similar problem. Let's refer to the NTBugtraq posting as CVE-1999-0467. We will refer to the "previous report" as CVE-1999-0287, which could be found at: http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html 0287 describes an exploit via the "template" hidden variable. The exploit describes manually editing the HTML form to change the filename to read from the template variable. The exploit as described in 0467 encodes the template variable directly into the URL. However, hidden variables are also encoded into the URL, which would have looked the same to the web server regardless of the exploit. Therefore 0287 and 0467 are the same. Christey> BID:2024 Name: CVE-1999-0298
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Dik, Levy, Northcutt MODIFY(1) Frech NOOP(3) Shostack, Christey, BakerVoter Comments: Christey> ADDREF BID:1441 URL:http://www.securityfocus.com/bid/1441 Dik> If you run with "-ypset", then you're always insecure. With ypsetme, only root on the local host can run ypset in Solaris 2.x+. Probably true for SunOS 4, hence my vote. CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> ADDREF XF:ypbind-ypset-root CHANGE> [Dik changed vote from REVIEWING to ACCEPT] Dik> This vulnerability does exist in SunOS 4.x in non default configurations. In Solaris 2.x, the vulnerability only applies to files named "cache_binding" and not all files ending in .2 Both releases are not vulnerable in the default configuration (both disabllow ypset by default which prevents this problem from occurring) Name: CVE-1999-0306
Description:
Status: Candidate Votes: ACCEPT(3) Frech, Northcutt, Baker MODIFY(1) Prosser NOOP(1) Shostack REJECT(1) ChristeyVoter Comments: Prosser> This is another of those with multiple affected OSs. Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt, HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150 Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is the same problem as in CERT:CA-97.13, which is CVE-1999-0038. Name: CVE-1999-0307
Description:
Status: Candidate Votes: ACCEPT(2) Frech, Northcutt NOOP(3) Shostack, Prosser, Baker RECAST(1) ChristeyVoter Comments: Prosser> only ref I can find is an old SOD exploit on www.outpost9.com Christey> MERGE CVE-1999-0336 (the exact exploit works with both cstm and mstm, which are clearly part of the same package, so CD:SF-EXEC says to merge them.) Also, there does not seem to be any recognition of this problem by HP. The only other information besides the Bugtraq post is the SOD exploit. See the original post: http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org Name: CVE-1999-0317
Description:
Status: Candidate Votes: ACCEPT(3) Frech, Hill, Northcutt NOOP(1) Prosser RECAST(1) Baker REVIEWING(1) ChristeyVoter Comments: Christey> DUPE CVE-1999-0845? Also, ADDREF XF:unixware-su-username-bo A report summary by Aleph One states that nobody was able to confirm this problem on any Linux distribution. Baker> If this is the same as the unixware, the n it is a dupe of 1999-0845. There is about a two and half month difference in the bugtraq reporting of these. Sounds like the same bug however... Christey> XF:su-bo no longer seems to exist. How about XF:linux-subo(734) ? http://xforce.iss.net/static/734.php BID:475 also seems to describe the same problem (http://www.securityfocus.com/bid/475) in which case, vsyslog is blamed in: BUGTRAQ:19971220 Linux vsyslog() overflow http://www.securityfocus.com/archive/1/8274 Name: CVE-1999-0319
Description:
Status: Candidate Votes: ACCEPT(3) Frech, Hill, Northcutt NOOP(2) Prosser, Baker REVIEWING(1) ChristeyVoter Comments: Christey> BUGTRAQ:19961126 Security Problems in XMCD 2.1 A followup to this post says that xmcd is not suid here. Name: CVE-1999-0330
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(3) Shostack, Northcutt, Wall REVIEWING(1) LevyVoter Comments: Frech> XF:bdash-bo Name: CVE-1999-0331
Description:
Status: Candidate Votes: ACCEPT(2) Northcutt, Baker MODIFY(2) Frech, Shostack RECAST(1) Prosser REJECT(2) Christey, LeBlancVoter Comments: Shostack> this is a high cardinality item Prosser> needs to be more specific. Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague duplicate) Description (from xfdb): Some versions of Internet Explorer for Windows contain a vulnerability that may crash the broswer when a malicious web site contains a certain kind of URL (that begins with "mk://") with more characters than the browser supports. Christey> The description is too vague. LeBlanc> too vague Christey> Add period to the end of the description. Name: CVE-1999-0333
Description:
Status: Candidate Votes: ACCEPT(2) Frech, Baker MODIFY(1) Prosser RECAST(1) ChristeyVoter Comments: Prosser> additional source HP Security Bulletin 85 http://us-support.external.hp.com http://europe-support.external.hp.com Christey> Two separate bugs, so SF-LOC says this candidate should be split Christey> ADDREF CIAC:J-007 URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml Name: CVE-1999-0336
Description:
Status: Candidate Votes: ACCEPT(2) Frech, Northcutt NOOP(3) Shostack, Prosser, Baker RECAST(1) ChristeyVoter Comments: Prosser> same as CVE-1999-0307, only ref I can find is an old SOD exploit on www.outpost9.com Christey> MERGE CVE-1999-0307 (the exact exploit works with both cstm and mstm, which are clearly part of the same package, so CD:SF-EXEC says to merge them.) Also, there does not seem to be any recognition of this problem by HP. The only other information besides the Bugtraq post is the SOD exploit. Name: CVE-1999-0345
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Blake MODIFY(2) Frech, Wall NOOP(4) Landfield, Bishop, Ozancin, Northcutt RECAST(1) Meunier REJECT(4) Armstrong, Levy, LeBlanc, Baker REVIEWING(1) ChristeyVoter Comments: Wall> Invalid ICMP datagram fragments causes a denial of service in Windows 95 and Windows NT systems. Reference: Q154174. Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death. It is a modified teardrop 2 attack. Frech> XF:nt-ssping ADDREF XF:ping-death ADDREF XF:teardrop-mod ADDREF XF:mpeix-echo-request-dos Christey> I can't tell whether the Jolt exploit at: http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net is exploiting any different flaw than teardrop does. CHANGE> [Christey changed vote from NOOP to REVIEWING] Baker> Jolt (original) is basically just a fragmented oversized ICMP that kills Win boxes ala Ping of Death. Teardrop is altering the offset in fragmented tcp packets so that the end of subsequent fragments is inside first packet... Teardrop 2 is UDP packets, if I remember right. Seems like Jolt (original, not jolt 2) is just exploit code that creates a ping of death (CVE 1999-0128) Levy> I tend to agree with Baker. CHANGE> [Armstrong changed vote from REVIEWING to REJECT] Armstrong> This code does not use fragment overlap. It is simply a large ICMP echo request. Christey> See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. LeBlanc> This is a hodge-podge of DoS attacks. Jolt isn't the same thing as ping of death - POD was an oversized ICMP packet, Jolt froze Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes. Teardrop and teardrop2 were related attacks (usually ICMP frag attacks), but each of these is a distinct vulnerability, affected a discrete group of systems, and should have distinct CVE numbers. CVE entries should be precise as to what the problem is. Meunier> I agree with Leblanc in that Jolt is multi-faceted. Jolt has characteristics of Ping of Death AND teardrop, but it doesn't do either exactly. Moreover, it sends a truncated IP fragment. I disagree with Armstrong; jolt uses overlapping fragments. It's not a simple ping of death either. It may be that the author's intent was to construct a "super attack" somehow combining elements of other vulnerabilities to try to make it more potent. In any case it succeeded in confusing the CVE board :-). I notice that Jolt uses echo replies (type 0) instead of echo requests (to get past firewalls?). Jolt is peculiar in that it also sends numerous overlapping fragments. The "Pascal Simulator" :-) says it sends: - 172 fragments of length 400 with offset starting at 5120 and increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)), which eventually results in sending fragments inside an already covered area once ((n* 380) >> 3) is greater than 5120, which occurs when n is reaches 108. This would look a bit like TearDrop if fragments were reassembled on-the-fly. - 1 fragment such that the total length of all the fragments is greater than 65535 (my calculation is 172*380 + 418 = 65778; the comment about 65538 must be wrong). The last packet is size 418 according to the IP header but the buffer is of size 400. The sendto takes as argument the size of the buffer so a truncated packet is sent. So, I am not sure if the problem is because the last packet doesn't extend to the payload it says it has or because the total size of all fragments is greater than 65535. The author says it may take more than one sending, so perhaps this has to do with an incorrect error handling and recovery. One would need to experiment and isolate each of those characteristics and test them independently. Inasmuch as each of those things is likely a different vulnerability, then I agree with Leblanc that this entry should be split. I'll try that if I ever get bored. Jolt 2 should also have a different entry (see below). Jolt 2 runs in an infinite loop, sending the same fragmented IP packet, which can pretend to be "ICMP" or "UDP" data; however this is meaningless, as it's just a late fragment of an IP packet. The attack works only as long as packets are sent. According to http://www.securityfocus.com/archive/1/62170 the packets are truncated, and would overflow over the 65535 byte limit, which is similar to Jolt. Note that Jolt does send that much data whereas jolt2 doesn't. Since jolt2 is simpler and narrower than jolt, and it has weaker consequences, I believe that it's a different vulnerability. "Jolt 2 vulnerability causes a temporary denial-of-service in Windows-type OSes" would be a title for it. Name: CVE-1999-0347
Description:
Status: Candidate Votes: ACCEPT(4) Levy, LeBlanc, Northcutt, Baker MODIFY(2) Frech, Prosser REVIEWING(1) ChristeyVoter Comments: Prosser> this is a modified Cross-Frame vulnerability that circumvents the original Cross-Frame Patch. Addressed in MS Bulletin MS99.012 http://www.microsoft.com/security/bulletins/ms99-012.asp Christey> Duplicate of CVE-1999-0490? LeBlanc> If Prosser is correct that this is MS99-012, accept Christey> BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2 NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2 BID:197 URL:http://www.securityfocus.com/bid/197 CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:ie-window-spoof(2069) Name: CVE-1999-0352
Description:
Status: Candidate Votes: ACCEPT(2) Frech, Baker NOOP(2) Northcutt, Wall RECAST(1) OzancinVoter Comments: Ozancin> Can we combine this with CVE-1999-0356 - ControlIT(tm) 4.5 and earlier uses weak encryption. Name: CVE-1999-0354
Description:
Status: Candidate Votes: ACCEPT(3) Ozancin, Wall, Baker MODIFY(1) Frech NOOP(1) ChristeyVoter Comments: Frech> XF:word97-template-macro Christey> CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2 BID:196 http://www.securityfocus.com/bid/196 Christey> MSKB:Q214652 http://support.microsoft.com/support/kb/articles/q214/6/52.asp Name: CVE-1999-0356
Description:
Status: Candidate Votes: ACCEPT(2) Frech, Baker NOOP(2) Northcutt, Wall RECAST(1) Ozancin Name: CVE-1999-0359
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech MODIFY(1) BakerVoter Comments: Frech> XF:ptylogin-dos Baker> Should say "... lock out a modem, ..." rather than "... locking out modems..." Name: CVE-1999-0360
Description:
Status: Candidate Votes: ACCEPT(6) Landfield, Cole, Collins, Blake, Northcutt, Wall MODIFY(3) Frech, LeBlanc, Baker NOOP(4) Armstrong, Ozancin, Christey, ProsserVoter Comments: Christey> I can't find the original Bugtraq posting (it appears that mnemonix discovered the problem). LeBlanc> - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a BUGTRAQ posting we can't find could be anything. Baker> Vulnerability Reference (HTML) Reference Type http://www.securityfocus.com/archive/1/12218 Misc Defensive InfoVulnerability Reference (HTML) Reference Type THis is the URL for the Bugtraq posting. It was cross posted to NT Bugtraq as well, but identical text. It was Mnemonix... Christey> BID:1811 URL:http://www.securityfocus.com/bid/1811 Christey> CHANGEREF BUGTRAQ add "Server 2." to the subject. Also standardize NTBUGTRAQ reference title. Christey> Add "uploadn.asp" to the description. CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:siteserver-user-dir-permissions(5384) Name: CVE-1999-0361
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(2) Northcutt, WallVoter Comments: Frech> XF:compulink-pw-laserfiche(1679) Normalize BUGTRAQ reference to: BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords Name: CVE-1999-0364
Description:
Status: Candidate Votes: ACCEPT(2) LeBlanc, Baker MODIFY(1) Frech NOOP(2) Northcutt, WallVoter Comments: CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:access-weak-passwords(1774) An older published reference (from our own Adam) would be better: ailab.coderpunks Newsgroup, 1998/06/23 "Re: MS Access 2.0" http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=9192 07028.1462108427&hitnum=1 Name: CVE-1999-0370
Description:
Status: Candidate Votes: ACCEPT(4) Dik, Prosser, Northcutt, Baker MODIFY(1) Frech REVIEWING(1) ChristeyVoter Comments: Frech> Reference: XF:sun-man Christey> ADDREF CIAC:J-028 Is the Linux man symlink problem the same as the one for Sun? See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1 Also see BID:305 Dik> sun bug 4154565 Name: CVE-1999-0381
Description:
Status: Candidate Votes: ACCEPT(7) Landfield, Cole, Frech, Ozancin, Levy, Blake, Baker MODIFY(1) Bishop NOOP(2) Armstrong, Wall REVIEWING(1) ChristeyVoter Comments: Christey> Is this the same as CVE-1999-0373? They both have the same X-Force reference. BID:342 suggests that there are two. http://www.debian.org/security/1999/19990215a suggests that there are two. However, CVE-1999-0373 is written up in a fashion that is too general; and both XF:linux-super-bo and XF:linux-super-logging-bo refer to CVE-1999-0373. CVE-1999-0373 may need to be split. Frech> From what I can surmise, ISS released the original advisory (attached to linux-super-bo), and Sekure SDI expanded on it by releasing another related overflow in syslog (which is linux-super-logging-bo). When I was originally assigning these issues, I placed both XF references and the ISS advisory on the -0373 candidate, since there was nothing else available. Based on the information above, I'd request that XF:linux-super-logging-bo be removed from CVE-1999-0373. Christey> Given Andre's feedback, these are different issues. CVE-1999-0373 does not need to be split because the ISS reference is sufficient to distinguish that CVE from this candidate; however, the CVE-1999-0373 description should probably be modified slightly. Bishop> (as indicated by Christey) CHANGE> [Cole changed vote from NOOP to ACCEPT] CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> There are 2 bugs, as confirmed by the super author at: BUGTRAQ:19990226 Buffer Overflow in Super (new) http://www.securityfocus.com/archive/1/12713 BID:397 also seems to cover this one, and it may cover CVE-1999-0373 as well. Name: CVE-1999-0389
Description:
Status: Candidate Votes: ACCEPT(3) Ozancin, Stracener, Baker MODIFY(1) Frech REVIEWING(1) ChristeyVoter Comments: Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389 has January 1999 dates associated with it, while CVE-1999-0798 was reported in late December. Also, is this the same line of code as CVE-1999-0914? Both are in the netstd package, it could look like a library problem. However, deep in the changelog in the netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes the following entry: +netstd (3.07-7slink.1) frozen; urgency=high + + * bootpd: Applied patch from Redhat as well as a fix for the overflow in + report() (fixes #30675). + * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow + bugs. + + -- Herbert Xu <herbert@debian.org> Sat, 19 Dec 1998 14:36:48 +1100 This tells me that two separate bugs are involved. Note that Red Hat posted *some* fix for *some* bootp problem in June 1998. See: http://www.redhat.com/support/errata/rh42-errata-general.html#bootp Frech> XF:debian-netstd-bo Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799 CHANGE> [Christey changed vote from REJECT to REVIEWING] Christey> The fix information for BID:324 suggests that there are two overflows, one of which is in handle_request (bootpd.c) and is likely related to a file name; but there is another issue in report (report.c) which also looks like a straightforward overflow, which would suggest that this is not a duplicate of CVE-1999-0798 or CVE-1999-0799. Note: see comments for CVE-1999-0798 which explain how that candidate is not related to CVE-1999-0799. Name: CVE-1999-0394
Description:
Status: Candidate Votes: ACCEPT(1) Baker NOOP(1) Christey REJECT(1) FrechVoter Comments: Frech> If I understand the issue, this HIGHCARD involves insecure web programming. If I don't understand, mark this as my first NOOP. Christey> CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com ADDREF BID:565 URL:http://www.securityfocus.com/vdb/bottom.html?vid=565 Name: CVE-1999-0397
Description:
Status: Candidate Votes: ACCEPT(1) Northcutt MODIFY(1) Frech NOOP(1) Baker REJECT(1) WallVoter Comments: Wall> Reject based on beta copy. Frech> XF:quakenbush-pw-appraiser(1652) Name: CVE-1999-0398
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) FrechVoter Comments: Frech> Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet released. v1.2.26 should be substituted in the description for '27. XF:ssh-exp-account-access Name: CVE-1999-0399
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) FrechVoter Comments: Frech> XF:mirc-dcc-metachar-filename Name: CVE-1999-0400
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) FrechVoter Comments: Frech> BUGTRAQ:Jan27,1999 (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22& msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com) XF:linux-kernel-ldd-dos Name: CVE-1999-0401
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) FrechVoter Comments: Frech> XF:linux-race-condition-proc Name: CVE-1999-0406
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) FrechVoter Comments: Frech> In description, change 'which' to 'that'. Name: CVE-1999-0411
Description:
Status: Candidate Votes: MODIFY(2) Baker, Frech NOOP(2) Christey, WallVoter Comments: Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not 19 February) does not mention gaining root access... it says a local user could "delete or overwrite arbitrary files on the system." Baker> By overwriting arbitrary files, one could then gain root access. I agree with a minor description change to reflect this. Christey> Normalize Bugtraq reference to: BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p). http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2 Also, SCO:SB-99.17 ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c Name: CVE-1999-0418
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(3) Baker, Foat, Wall REVIEWING(1) ChristeyVoter Comments: Christey> DUPE CVE-1999-0144 and CVE-1999-0250? Frech> XF:smtp-rctpto-dos(7499) Name: CVE-1999-0419
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(2) Frech, LeBlanc REVIEWING(1) ChristeyVoter Comments: Frech> XF:smtp-4xx-error-dos LeBlanc> - if we can find a KB or something that shows that this wasn't just user error, I'd vote ACCEPT. Christey> David Lemson, Microsoft SMTP Service Program Manager, posted a followup that said "We have confirmed this as a problem..." http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2 Name: CVE-1999-0426
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(1) Baker REJECT(1) ChristeyVoter Comments: Frech> XF:linux-dev-kmem-spoof Christey> DUPE CVE-1999-0414 XF:linux-dev-kmem-spoof does not exist. Christey> *Now* XF:linux-dev-kmem-spoof(3500) exists... Name: CVE-1999-0427
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) ChristeyVoter Comments: Frech> Change version number to 4.2beta. Second to last paragraph in bugtraq reference states: "Both the Win 95 and Win NT versions, along with the 4.2 beta of Eudora are affected." Christey> This issue seems to have been rediscovered in BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 Also see BUGTRAQ:19990320 Eudora Attachment Buffer Overflow http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2 Is this a duplicate/subsumed by CVE-1999-0004? Name: CVE-1999-0431
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) ChristeyVoter Comments: Frech> XF:linux-zerolength-fragment Christey> Consider adding BID:2247 Name: CVE-1999-0434
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) ChristeyVoter Comments: Frech> XF:xfree86-xfs-symlink-dos Christey> Is this the same problem as CVE-1999-0433? CVE-1999-0433 deals with a symlink attack on one file (/tmp/.X11-unix), while xfs (this candidate) deals with /tmp/.font-unix XF:xfree86-xfs-symlink-dos doesn't exist. Christey> ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable Note: Debian's advisory says that this is not a problem for Debian. Name: CVE-1999-0435</ | ||||