VOTE SUMMARY: active candidates in CERT and VEN-* clusters

To: cve-editorial-board-list@lists.mitre.org
Subject: VOTE SUMMARY: active candidates in CERT and VEN-* clusters
From: "Steven M. Christey" <coley@linus.mitre.org>
Date: Sun, 18 Jul 1999 17:40:04 -0400 (EDT)
Sender: owner-cve-editorial-board-list@lists.mitre.org
The following candidates have not yet reached the Final Decision
phase.  They are from the CERT and VEN-* clusters.  A short voting
summary is provided, along with voters' comments for each candidate.
Some of these candidates may be examined more closely during the CVE
Review meetings.

Many of these touch on content issues that we've discussed recently,
especially the Same Codebase.  Such candidates will remain in the
Proposal phase until we can cleanly address the issue of what
constitutes "same codebase" and what to do if we can't be certain.
Others would require a significant change to the description, or even
a RECAST.

- Steve


=================================
Candidate: CAN-1999-0004
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175
Reference: MS:MS98-008

MIME buffer overflow in email clients, e.g. Solaris mailtool
and Outlook.

Modifications:
  ADDREF MS:MS98-008
  DESC include Outlook

VOTES:
   ACCEPT(2) Northcutt, Landfield
   MODIFY(1) Frech
   REVIEWING(1) Shostack

COMMENTS:
 Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject
 Frech> this suggestion, I will not be devastated.) :-)


=================================
Candidate: CAN-1999-0005
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.09.imapd
Reference: XF:imap-authenticate-bo
Reference: SUN:00177

Arbitrary command execution via IMAP buffer overflow, as in
CERT:CA-98.09.imapd.

VOTES:
   ACCEPT(4) Hill, Shostack, Frech, Wall
   MODIFY(1) Christey
   REVIEWING(1) Northcutt

COMMENTS:
 Northcutt> there are multiple similar exploits which may imply
 Northcutt> multiple vulnerabilties
 Christey> It's difficult to distinguish between this vulnerability and another
 Christey> IMAP vulnerability via just the textual description.  (The other
 Christey> vulnerability is CVE-00042, not yet proposed as a candidate for some
 Christey> odd reason).  I had to reference the different CERT advisories to
 Christey> distinguish between this candidate and CVE-00042.  The X-Force
 Christey> database says that "[the CVE-00042 vulnerability is in] the IMAP LOGIN
 Christey> command whereas [CAN-1999-0005] affects the IMAP AUTHENTICATE
 Christey> command."  I propose modifying the description to say something to
 Christey> this effect, though the typical analyst may still need to rely on the
 Christey> references.


=================================
Candidate: CAN-1999-0014
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.02.CDE
Reference: SUN:00185

Unauthorized privileged access or denial of service via dtappgather
program in CDE.

VOTES:
   ACCEPT(2) Hill, Wall
   MODIFY(1) Frech
   NOOP(1) Northcutt
   REJECT(1) Shostack

COMMENTS:
 Shostack> we have insufficient data if a new CDE dtappgather bug
 Shostack> comes out to determine if its new or a re-invention.
 Frech> Reference: XF:cde-dtappgather


=================================
Candidate: CAN-1999-0017
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.27.FTP_bounce
Reference: XF:ftp-bounce
Reference: XF:ftp-privileged-port

FTP bounce attack to connect to arbitrary ports on machines other than
the FTP client.

VOTES:
   ACCEPT(3) Hill, Frech, Wall
   MODIFY(1) Northcutt
   NOOP(1) Shostack
   REVIEWING(1) Christey

COMMENTS:
 Northcutt> the primary vulnerability is in some FTP server implementations
 Northcutt> that allow this as opposed to the actual connecting to the ports
 Christey> I think Steve Northcutt makes a good point.  The description needs to
 Christey> be modified.


=================================
Candidate: CAN-1999-0018
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.26.statd
Reference: XF:statd
Reference: AUSCERT:AA-97.29

Buffer overflow in statd allows root privileges.

Modifications:
  DESC remove CERT advisory from text

VOTES:
   ACCEPT(4) Frech, Shostack, Northcutt, Landfield


=================================
Candidate: CAN-1999-0032
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.19.bsdlp
Reference: AUSCERT:AA-96.12
Reference: XF:bsd-lprbo2
Reference: CIAC:I-042
Reference: SGI:19980402-01-PX

Command execution in BSD-based lpr package (lp) due to buffer
overflow.

VOTES:
   ACCEPT(3) Northcutt, Hill, Wall
   MODIFY(2) Shostack, Frech

COMMENTS:
 Shostack> the mention of (lp) is misleading.  The problem was with
 Shostack> the BSD lpr family, not the SYSV lp family.
 Frech> References: XF:bsd-lprbo
 Frech> References: XF:lpr-bo


=================================
Candidate: CAN-1999-0033
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo

Command execution in Sun systems via buffer overflow in the at program

VOTES:
   ACCEPT(4) Northcutt, Hill, Shostack, Wall
   RECAST(1) Frech

COMMENTS:
 Frech> This vulnerability also manifests itself for the following =
 Frech> platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light,
 Frech> please add the = following:
 Frech> Reference: XF:at-bo


=================================
Candidate: CAN-1999-0035
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:ftp-ftpd
Reference: CERT:CA-97.16.ftpd
Reference: AUSCERT:AA-97.03

Race condition in signal handling routine in ftpd, allowing read/write
arbitrary files.

Modifications:
  ADDREF XF:ftp-ftpd

VOTES:
   ACCEPT(4) Frech, Shostack, Northcutt, Landfield


=================================
Candidate: CAN-1999-0046
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.06.rlogin-term
Reference: XF:rlogin-termbo

Buffer overflow of rlogin program using TERM environmental variable

Modifications:
  DELREF XF:bsdi-rlogind
  ADDREF XF:rlogin-termbo

VOTES:
   ACCEPT(3) Shostack, Northcutt, Landfield
   MODIFY(1) Frech

COMMENTS:
 Frech> Every sentence is followed by a period (unless you are a criminal,
 Frech> and then it follows with an appeal.)


=================================
Candidate: CAN-1999-0052
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:08

IP fragmentation denial of service in FreeBSD

VOTES:
   MODIFY(2) Northcutt, Shostack
   NOOP(1) Hill

COMMENTS:
 Northcutt> Do we want to treat each instantiation of common attacks
 Northcutt> separately for each OS?  Fragmentation and denial of service is
 Northcutt> not a freebsd specific issue, over the years we have seen:
 Northcutt>
 Northcutt> "Pathological" fragmentation where the second packet move the pointer
 Northcutt> negative and then we scribble on our stack, this is the teardrop
 Northcutt> approach if I remember the exploit name correctly and uses UDP.
 Northcutt>
 Northcutt> We also have the classic memory wasting frag attack where they
 Northcutt> send the first part and never finish, then send a new first
 Northcutt> part and so on.
 Northcutt>
 Northcutt> I think frag attack was in the cisco set, if not it should be
 Northcutt> there is a nice attack for IOS
 Northcutt>
 Northcutt> Then you have the how_do_you_handles such as Dug Song's
 Northcutt> frag router to evade IDS systems and whatever the heck
 Northcutt> this loki like thing that is all the rage for the last
 Northcutt> 90 days or so.
 Northcutt>
 Northcutt> Recommend: MODIFY 52 so that the text blurb at least hints
 Northcutt> why this is a unique case of mishandling frags OR create
 Northcutt> general frag vulnerabilities.
 Shostack> For denial of service attacks, we should distinguish between
 Shostack> host availability, service, and CPU absorbtion DOS attacks.


=================================
Candidate: CAN-1999-0053
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:07

TCP RST denial of sevice in FreeBSD

VOTES:
   ACCEPT(2) Northcutt, Hill
   MODIFY(1) Shostack

COMMENTS:
 Shostack> For denial of service attacks, we should distinguish between
 Shostack> host availability, service, and CPU absorbtion DOS attacks.


=================================
Candidate: CAN-1999-0055
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00172
Reference: RSI:RSI.0005.05-14-98.SUN.LIBNSL
Reference: XF:sun-libnsl

Buffer overflows in Sun libnsl allow root access.

VOTES:
   ACCEPT(2) Northcutt, Frech
   MODIFY(1) Prosser

COMMENTS:
 Prosser> This vulnerability also affects other OSes, i.e. AIX 4.3 that have
 Prosser> ported versions of Sun's libnsl.a
 Prosser> ref: IBM AIX RS6000 APAR number IX80543


=================================
Candidate: CAN-1999-0057
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SNI:SNI-19
Reference: XF:vacation
Reference: HP:HPSBUX9811-087

Vacation program allows command execution by remote users through
a sendmail command.

VOTES:
   ACCEPT(2) Frech, Hill
   MODIFY(1) Shostack
   NOOP(1) Northcutt

COMMENTS:
 Shostack> Problem 1: SNI-19 is SNI-19.BSD.lpd.vulnerabilities update according
 Shostack> to http://geek-girl.com/bugtraq/1997_4/0106.html
 Shostack>
 Shostack> Problem 2: Wording is unclear.  Is this a vacation problem, a
 Shostack> .vacation problem, or a sendmail problem?


=================================
Candidate: CAN-1999-0065
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00181
Reference: XF:hp-dtmail

Bug in how dtmail handles attachments allows remote attacker to
execute commands with the same privileges as the user who is
reading the message.

VOTES:
   ACCEPT(2) Northcutt, Frech
   MODIFY(1) Prosser

COMMENTS:
 Prosser> This is a multiple buffer overflow vulnerability in Sun's CDE in how
 Prosser> dtmail handles attachments.


=================================
Candidate: CAN-1999-0067
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.06.cgi_example_code
Reference: XF:http-cgi-phf

CGI phf program allows remote command execution

VOTES:
   ACCEPT(4) Hill, Shostack, Frech, Wall
   MODIFY(2) Northcutt, Christey

COMMENTS:
 Northcutt> this is not about phf it is about escape_shell_cmd(),
 Northcutt> you had the same thing with php and so forth.
 Christey> I agree with Adam that "shell metacharacters" is too high a level of
 Christey> abstraction.  I believe that phf and php and the others should be
 Christey> distinguished.  However, it might be better to change the description
 Christey> to say "CGI phf program allows remote command execution via shell
 Christey> metacharacters."


=================================
Candidate: CAN-1999-0078
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions,
or execute arbitrary commands through arguments in the RPC call.

Modifications:
  DELREF XF:nfs-pcnfsd

VOTES:
   ACCEPT(4) Frech, Shostack, Northcutt, Landfield
   RECAST(1) Christey

COMMENTS:
 Christey> This candidate should be SPLIT, since there are two separate
 Christey> software flaws.  One is a symlink race and the other is a
 Christey> shell metacharacter problem.


=================================
Candidate: CAN-1999-0086
Published:
Final-Decision:
Interim-Decision: 19990630
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: XF:ibm-routed

AIX routed allows remote users to modify sensitive files.

Modifications:
  ADDREF XF:ibm-routed

VOTES:
   ACCEPT(2) Shostack, Northcutt
   MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> Reference: XF:ibm-routed
 Prosser> This vulnerability allows debug mode to be turned on which is
 Prosser> the problem.  Should this be more specific in the description? This
 Prosser> one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which
 Prosser> is in the SGI cluster, shouldn't these be cross-referenced as the same
 Prosser> vuln affects multiple OSes.


=================================
Candidate: CAN-1999-0088
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1998:004.1

IRIX and AIX automountd services (autofsd) allow remote users to
execute root commands.

VOTES:
   ACCEPT(2) Shostack, Northcutt
   MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> ERS (and other references, BTW) explicitly stipulate 'local and
 Frech> remote'.
 Frech> Reference: XF:irix-autofsd
 Prosser> Include the SGI Alert as well since it is mentioned in the
 Prosser> description.
 Prosser> SGI Security Advisory 19981005-01-PX


=================================
Candidate: CAN-1999-0089
Published:
Final-Decision:
Interim-Decision: 19990630
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-libDtSvc

Buffer overflow in AIX libDtSvc library can allow local users
to gain root access.

Modifications:
  ADDREF XF:ibm-libDtSvc

VOTES:
   ACCEPT(2) Shostack, Northcutt
   MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> Reference: XF:ibm-libDtSvc
 Prosser> The overflow is in the dtaction utility.  Also affects
 Prosser> dtaction in the CDE on versions of SunOS (SUN 164). Probably should be
 Prosser> specific.


=================================
Candidate: CAN-1999-0097
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:009.1

The AIX FTP client can be forced to execute commands from a malicious
server through shell metacharacters, i.e. in files whose name begins with a
pipe character.

VOTES:
   ACCEPT(2) Shostack, Northcutt
   MODIFY(2) Frech, Prosser

COMMENTS:
 Northcutt> Per 97, general issue of mishandling metachars is a lot
 Northcutt> like my comment about CGI-BINs (not just PHF) [Someone]
 Northcutt> recently did a content search for about
 Northcutt> CGI-BIN and /etc/passwd and found about 10 cig programs
 Northcutt> that someone attempted to exploit...  However we resolve the
 Northcutt> CGI-BIN bit, we ought to consider applying the same logic to
 Northcutt> candidates like 97.
 Frech> Reference: XF:ibm-ftp
 Prosser> Concur with Adam's modification


=================================
Candidate: CAN-1999-0099
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.13.syslog.vul
Reference: XF:smtp-syslog

A buffer overflow in the syslog utility allows remote execution
through Sendmail and possibly other mail servers.

Modifications:
  DESC could be through other mailers besides Sendmail

VOTES:
   ACCEPT(3) Frech, Northcutt, Landfield
   MODIFY(1) Shostack

COMMENTS:
 Shostack> Anything that passes bad data to syslog might be used to proxy this,
 Shostack> not just mail servers.


=================================
Candidate: CAN-1999-0121
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00164
Reference: ERS:ERS-SVA-E01-1997:005.1

Buffer overflow in dtaction command gives root access.

VOTES:
   ACCEPT(1) Northcutt
   MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> Reference: XF:dtaction-bo
 Frech> Reference: XF:sun-dtaction
 Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a
 Prosser> library in AIX 4.x, but reference for this Sun vulnerability should
 Prosser> only reflect the Sun Bulletin or the CIAC I-032 version of the Sun
 Prosser> Bulletin


=================================
Candidate: CAN-1999-0128
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:ping-death
Reference: CERT:CA-96.26.ping

Oversized ICMP ping packets can result in a denial of service,
aka Ping o' Death.

Modifications:
  ADDREF XF:ping-death
  COMMENT Andre's other suggested ref's were for a buffer overflow
  COMMENT in the ping program, which is a different vulnerability.
  DESC slight wording change to identify this as Ping o' Death *only*

VOTES:
   ACCEPT(4) Frech, Shostack, Northcutt, Landfield


=================================
Candidate: CAN-1999-0129
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.25.sendmail_groups

Sendmail allows local users to write to a file and gain group
permissions via a .forward or :include: file.

VOTES:
   ACCEPT(4) Northcutt, Hill, Shostack, Wall
   REVIEWING(1) Frech

COMMENTS:
 Frech> PENDING. NEEDS RESEARCH.


=================================
Candidate: CAN-1999-0132
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:expreserve
Reference: CERT:CA-96.19.expreserve

Expreserve, used in vi and ex, allows local users to overwrite
arbitrary files and gain root access.

Modifications:
  ADDREF XF:expreserve

VOTES:
   ACCEPT(4) Frech, Shostack, Northcutt, Landfield


=================================
Candidate: CAN-1999-0142
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.05.java_applet_security_mgr

Java Applet Security Manager allows an applet to connect to arbitrary
hosts.

VOTES:
   ACCEPT(3) Hill, Shostack, Wall
   MODIFY(1) Frech
   RECAST(1) Northcutt
   REVIEWING(1) Christey

COMMENTS:
 Northcutt> Please note I am not a Java expert, but I think jdk 2.0 and
 Northcutt> so forth do not have a sandbox notion and applets (perhaps trusted
 Northcutt> applets) can connect to arbitrary hosts as a matter of course.  You
 Northcutt> might want to contact Li Gong (li.gong@sun.com) or a similar
 Northcutt> expert before issuing this one.  NOTE: another reason to consider
 Northcutt> the original date!!!
 Christey> Noting Steve Northcutt's comments, perhaps we would need to modify the
 Christey> description somewhat to distinguish between current Java versions and
 Christey> the one that had this vulnerability.  However, the CERT reference
 Christey> associates a general place and time for where this vulnerability
 Christey> arose, so I don't think it's too big of a deal.
 Frech> Reference: XF:http-java-appletsecmgr


=================================
Candidate: CAN-1999-0185
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00156

In Solaris, a remote user could connect from an FTP server's
data port to an rlogin server on a host that trusts the FTP server,
allowing remote command execution.

VOTES:
   ACCEPT(2) Northcutt, Prosser
   MODIFY(1) Frech

COMMENTS:
 Frech> Also reported as vulnerable on SunOS, which is similar, but different.
 Frech> Reference: XF:sun-ftpd/logind


=================================
Candidate: CAN-1999-0190
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00167

Solaris rpcbind can be exploited to overwrite arbitrary files and gain
root access.

VOTES:
   ACCEPT(1) Northcutt
   MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> Reference: XF:sun-rpcbind
 Prosser> The way rpcbind handles indirect calls is vulnerable in this advisory.
 Prosser> As there are lots of rpcbind problems, maybe should be more specific?


=================================
Candidate: CAN-1999-0207
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:majordomo-exe
Reference: CERT:CA-94.11.majordomo.vulnerabilities

Remote attacker can execute commands through Majordomo using the
Reply-To field and a "lists" command.

VOTES:
   ACCEPT(4) Northcutt, Hill, Shostack, Wall
   REVIEWING(1) Frech

COMMENTS:
 Frech> PENDING. NEEDS RESEARCH.


=================================
Candidate: CAN-1999-0208
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:rpc-update
Reference: CERT:CA-95.17.rpc.ypupdated.vul

rpc.ypupdated (NIS) allowed remote users to execute arbitrary commands.

Modifications:
  ADDREF XF:rpc-update

VOTES:
   ACCEPT(3) Shostack, Northcutt, Landfield
   MODIFY(1) Frech

COMMENTS:
 Frech> "allows remote users..." since this vuln's context pertains to
 Frech> when the service was vulnerable.


=================================
Candidate: CAN-1999-0212
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00168

rpc.mountd in Linux and Solaris would generate error messages that
allowed an attacker to determine what files were on the server.

VOTES:
   ACCEPT(1) Prosser
   MODIFY(2) Northcutt, Frech

COMMENTS:
 Northcutt> I am concerned that Linux is becoming too
 Northcutt> non descript a word, in the past two weeks I have run
 Northcutt> across 3 Linuxes I had never heard of before.  I think we need
 Northcutt> to start being specific when we mention Linux either by
 Northcutt> the kernal or vendor or something.
 Frech> Reference: XF:sun-mountd


=================================
Candidate: CAN-1999-0328
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SGI:19971103-01-PX

SGI permissions program allows local users to gain root privileges.

VOTES:
   ACCEPT(1) Northcutt
   MODIFY(2) Shostack, Frech

COMMENTS:
 Shostack> include a path to /usr/bin/permissions to clarify that it is a
 Shostack> program.
 Frech> Reference: XF:sgi-permtool


=================================
Candidate: CAN-1999-0358
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan29,1999
Reference: COMPAQ:SSRT0583U

Digital Unix 4.0 has a buffer overflow in the inc program of the mh
package.

VOTES:
   ACCEPT(3) Shostack, Northcutt, Hill
   MODIFY(2) Prosser, Frech

COMMENTS:
 Prosser> Ref'd SSRT has an 'at' vulnerable as well supposedly fixed by
 Prosser> the patch.  Shouldn't this be included as a seperate CVE in this
 Prosser> cluster. ref:BugTraq "Digital Unix Buffer Overflows: Exploits" from
 Prosser> Lamont Granquist for both as well.
 Frech> Reference: XF:du-inc


=================================
Candidate: CAN-1999-0370
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00184

In Sun Solaris and SunOS, man and catman contain vulnerabilities
that allow overwriting arbitrary files.

VOTES:
   ACCEPT(2) Northcutt, Prosser
   MODIFY(1) Frech

COMMENTS:
 Frech> Reference: XF:sun-man


=================================
Candidate: CAN-1999-0396
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: NETBSD:1999-001
Reference: OPENBSD:Feb17,1999

A race condition between the select() and accept() calls in NetBSD TCP
servers allows remote attackers to cause a denial of service.

VOTES:
   ACCEPT(2) Northcutt, Hill
   MODIFY(1) Shostack

COMMENTS:
 Shostack> For denial of service attacks, we should distinguish between
 Shostack> host availability, service, and CPU absorbtion DOS attacks.


=================================
Candidate: CAN-1999-0485
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: SF
Reference: OPENBSD:Feb19,1999

Remote attackers can cause a denial of service through ipintr() in ipq
in OpenBSD.

VOTES:
   ACCEPT(2) Northcutt, Hill
   MODIFY(1) Shostack

COMMENTS:
 Shostack> For denial of service attacks, we should distinguish between
 Shostack> host availability, service, and CPU absorbtion DOS attacks.


=================================
Candidate: CAN-1999-0513
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990607
Assigned: 19990607
Category: CF
Reference: CERT:CA-98.01.smurf
Reference: FreeBSD:FreeBSD-SA-98:06
Reference: XF:smurf

ICMP messages to broadcast addresses are allowed, allowing for a
Smurf attack that can cause a denial of service.

VOTES:
   ACCEPT(4) Hill, Shostack, Frech, Wall
   MODIFY(1) Northcutt
   REVIEWING(1) Christey

COMMENTS:
 Northcutt> If you put it this way then ping mapping becomes part of smurf.  I
 Northcutt> would consider calling the vulnerability ICMP to broadcast addresses
 Northcutt> and in the text state allowing for a Smurf denial or service or ICMP
 Northcutt> ping mapping to acquire intelligence data about a network.
 Christey> This one is an interesting case.  As Steve noted, this configuration
 Christey> problem could allow for ping mapping as well.  I think the distinction
 Christey> is that for Smurf, there's a forged source IP address, and that's
 Christey> generally not the case when you're doing ping mapping.  So do we have
 Christey> a single vulnerability (ICMP to broadcast) with 2 separate
 Christey> implications?  Or, do we have two separate vulnerabilities, where one
 Christey> accounts for the "design flaw" of spoofed IP addresses and another one
 Christey> is a vulnerability because it allows information gathering?


=================================
Candidate: CAN-1999-0551
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990617
Assigned: 19990607
Category: CF
Reference: HP:HPSBUX9804-078
Reference: XF:hp-openmail

HP OpenMail can be misconfigured to allow users to run arbitrary
commands using malicious print requests.

VOTES:
   ACCEPT(2) Frech, Hill
   NOOP(1) Northcutt
   REVIEWING(1) Shostack

COMMENTS:
 Shostack> Question: Is this run arbitrary commands as root...?
Prev by Date: FINAL DECISION: ACCEPT 9 candidates from VEN-BSD cluster
Next by Date: Re: Which "Codebases" do these candidates really split into?
Prev by thread: FINAL DECISION: ACCEPT 9 candidates from VEN-BSD cluster
Next by thread: PROPOSAL: Cluster 19 - NTCONFIG (13 candidates)
Index(es):
- Date
- Thread