RE: PROPOSAL: Cluster 14 - RESTLOW (39 candidates)

To: "'Steven M. Christey'" <coley@linus.mitre.org>, cve-review@linus.mitre.org
Subject: RE: PROPOSAL: Cluster 14 - RESTLOW (39 candidates)
From: "Northcutt, Stephen, CIV, BMDO/DSC" <Stephen.Northcutt@bmdo.osd.mil>
Date: Wed, 30 Jun 1999 08:12:35 -0400
accept all.

Comment: CAN-1999-0145, do vulnerabilities ever get retired, moved to the
inactive reserve, get a historical interest only tag?

-----Original Message-----
From: Steven M. Christey [mailto:coley@linus.mitre.org]
Sent: Tuesday, June 29, 1999 10:36 PM
To: cve-review@linus.mitre.org
Subject: PROPOSAL: Cluster 14 - RESTLOW (39 candidates)



The following cluster contains the remaining low-controversy
candidates.

Phase schedule:
  scheduled-modification 7/7
  scheduled-interim 7/12
  scheduled-final 7/16

Assuming a 50% ACCEPT rate for all low-vulnerability clusters and no
significant slippage in Interim Decision dates, the Editorial Board
will have validated approximately 140 vulnerabilities by July 16th.

Note that I have cleansed today's proposed clusters to remove
vulnerabilities that could be affected by content decision debates
(why don't I just go and start calling them "content meta-decisions"
;-)

- Steve



Summary of votes to use (in ascending order of "severity"):

ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g.
reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ".  If you
want to add comments or details, add them to lines after the VOTE: line.


=================================
Candidate: CAN-1999-0037
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.14.metamail

Arbitrary command execution via metamail package using message
headers, when user processes attacker's message using metamail.

VOTE: 

=================================
Candidate: CAN-1999-0059
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: NAI:NAI-16
Reference: XF:irix-fam

IRIX fam service allows an attacker to obtain a list of all files
on the server.

VOTE: 

=================================
Candidate: CAN-1999-0061
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: NAI:NAI-20
Reference: XF:bsd-lpd

File creation and deletion, and remote execution, in the BSD
line printer daemon (lpd).

VOTE: 

=================================
Candidate: CAN-1999-0084
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: XF:nfs-mknod

NFS mknod bug

VOTE: 

=================================
Candidate: CAN-1999-0095
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: XF:smtp-debug

Sendmail debug command allows attackers to execute root commands

VOTE: 

=================================
Candidate: CAN-1999-0096
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: XF:smtp-dcod

Sendmail decode alias can be used to overwrite sensitive files

VOTE: 

=================================
Candidate: CAN-1999-0145
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF

Sendmail WIZ command enabled, allowing root access.

VOTE: 

=================================
Candidate: CAN-1999-0150
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF

The Perl fingerd program allows arbitrary command execution from
remote users.

VOTE: 

=================================
Candidate: CAN-1999-0151
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.07a.REVISED.satan.vul
Reference: CERT:CA-95.06.satan.vul

The SATAN session key may be disclosed if the user points the web
browser to other sites, possibly allowing root access.

VOTE: 

=================================
Candidate: CAN-1999-0152
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: XF:dgux-fingerd

The DG/UX finger daemon allows remote command execution.

VOTE: 

=================================
Candidate: CAN-1999-0167
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: XF:nfs-guess

In SunOS, NFS file handles could be guessed, giving unauthorized
access to the exported file system.

VOTE: 

=================================
Candidate: CAN-1999-0175
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: XF:http-nov-convert

The convert.bas program in the Novell web server allows a remote
attackers to read any file on the system that is internally accessible
by the web server.

VOTE: 

=================================
Candidate: CAN-1999-0183
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: XF:linux-tftp

Linux implementations of TFTP would allow access to files outside the
restricted directory.

VOTE: 

=================================
Candidate: CAN-1999-0202
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: XF:ftp-exectar

The GNU tar command, when used in FTP sessions, may allow an attacker
to execute arbitrary commands.

VOTE: 

=================================
Candidate: CAN-1999-0203
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF

In Sendmail, attackers can gain root privileges via SMTP by specifying
an improper "mail from" address and an invalid "rcpt to" address that would
cause the mail to bounce to a program.

VOTE: 

=================================
Candidate: CAN-1999-0204
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF

Sendmail 8.6.9 allows remote attackers to execute root commands, using
ident.

VOTE: 

=================================
Candidate: CAN-1999-0205
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF

Denial of service in Sendmail 8.6.11 and 8.6.12.

VOTE: 

=================================
Candidate: CAN-1999-0241
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: XF:http-xguess-cookie

Guessable magic cookies in X Windows allows remote attackers to
execute commands, e.g. through xterm.

VOTE: 

=================================
Candidate: CAN-1999-0245
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: XF:linux-plus

Some configurations of NIS+ in Linux allowed attackers
to log in as the user "+"

VOTE: 

=================================
Candidate: CAN-1999-0246
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: XF:hp-remote

HP Remote Watch allows a remote user to gain root access.

VOTE: 

=================================
Candidate: CAN-1999-0260
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF

The jj CGI program allows command execution via shell metacharacters.

VOTE: 

=================================
Candidate: CAN-1999-0280
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF

Remote command execution in Microsoft Internet Explorer using .lnk and
.url files.

VOTE: 

=================================
Candidate: CAN-1999-0281
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF

Denial of service in IIS using long URLs.

VOTE: 

=================================
Candidate: CAN-1999-0289
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF

The Apache web server for Win32 may provide access to restricted
files when a . (dot) is appended to a requested URL.

VOTE: 

=================================
Candidate: CAN-1999-0290
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF

Denial of service in the Telnet proxy in WinGate.

VOTE: 

=================================
Candidate: CAN-1999-0291
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF

Remote users can redirect their connections through a WinGate proxy.

VOTE: 

=================================
Candidate: CAN-1999-0304
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: XF:bsd-mmap
Reference: FreeBSD:FreeBSD-SA-98:02

mmap function in BSD allows local attackers in the kmem group to
modify memory through devices.

VOTE: 

=================================
Candidate: CAN-1999-0322
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-97:05
Reference: XF:freebsd-open

The open() function in FreeBSD allows local attackers to write
to arbitrary files.

VOTE: 

=================================
Candidate: CAN-1999-0323
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:04

FreeBSD mmap function allows users to modify append-only or immutable
files.

VOTE: 

=================================
Candidate: CAN-1999-0350
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: L0PHT:Jan8,1999

Race condition in the db_loader program in ClearCase gives local
users root access by setting SUID bits.

VOTE: 

=================================
Candidate: CAN-1999-0388
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: XF:datalynx-suguard-relative-paths
Reference: L0PHT:Jan3,1999

DataLynx suGuard trusts the PATH environment variable to execute the
ps command, allowing local users to execute commands as root.

VOTE: 

=================================
Candidate: CAN-1999-0391
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: L0PHT:Jan. 5, 1999

The cryptographic challenge of SMB authentication in Windows 95 and
Windows 98 is reused, allowing an attacker to replay the response and
inpersonate a user.

VOTE: 

=================================
Candidate: CAN-1999-0395
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: ISS:Vulnerability in the BackWeb Polite Agent Protocol

A race condition in the BackWeb Polite Agent Protocol allows an
attacker to spoof a BackWeb server.

VOTE: 

=================================
Candidate: CAN-1999-0421
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: ISS:Short-Term High-Risk Vulnerability During Slackware 3.6
Network Installations

During a reboot after an installation of Linux Slackware 3.6, a remote
attacker can obtain root access by logging in to the root account
without a password.

VOTE: 

=================================
Candidate: CAN-1999-0458
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan6,1999

L0phtcrack 2.5 used temporary files in the system TEMP directory which
could contain password information.

VOTE: 

=================================
Candidate: CAN-1999-0494
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: SF
Reference: XF:wingate-pop3-user-bo

Denial of service in WinGate proxy through a buffer overflow in
POP3.

VOTE: 

=================================
Candidate: CAN-1999-0498
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: CF

TFTP is not running in a restricted directory, allowing a remote
attacker to access sensitive information such as password files.

VOTE: 

=================================
Candidate: CAN-1999-0514
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: CF

UDP messages to broadcast addresses are allowed, allowing for a
Fraggle attack.

VOTE: 

=================================
Candidate: CAN-1999-0526
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 
Announced: 19990630
Assigned: 19990607
Category: CF

An X server has no access control and allows anyone to connect to the
display, e.g. through an "xhost +" command.

VOTE:
Prev by Date: PROPOSAL: Cluster 14 - RESTLOW (39 candidates)
Next by Date: RE: Question about CVE to vendor mappings
Prev by thread: PROPOSAL: Cluster 14 - RESTLOW (39 candidates)
Next by thread: CONTENT DECISION: Same Time of Discovery
Index(es):
- Date
- Thread