RE: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
-----Original Message-----
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Tuesday, July 20, 1999 11:33 PM
To: cve-editorial-board-list@lists.mitre.org
Subject: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
This cluster includes candidates with inherent design flaws, either
for protocols or applications. It touches on a number of important
and potentially controversial issues. There may be a lot more REJECT
votes than we've seen for previous candidates. While considering
these issues, recall that the definition of "CVE vulnerability" is
specifically intended to be very broad so that the CVE can accommodate
very diverse perspectives of what a "vulnerability" is.
Some candidates are related to weak encryption. The question becomes,
is this sort of design problem alone sufficient for inclusion in the
CVE? When we say "weak," what do we really mean by that? Any
encryption algorithm is theoretically weak to a brute force attack.
So how "weak" must something be to merit inclusion in the CVE? An
issue related to weak encryption is the storage or transmission of
passwords in the clear.
While I haven't defined one, perhaps there should be a content
decision that says "Any design choice which can be overcome by a brute
force method that is easily achievable within [X amount of time] using
commonly available technology, is a vulnerability."
Other candidates involve weak authentication, e.g. rexec or rexd. How
"weak" must the authentication be to merit inclusion in the CVE?
There are other candidates that have to do with design choices which
are helpful for information gathering. Information gathering
satisfies the detailed description of a CVE vulnerability, i.e. a
state that "(6) allows an entity to obtain information that increases
the likelihood for exploiting other vulnerabilities."
Finger (CAN-1999-0612) is a good example for discussion here. Its
very function is to tell someone who the active users on a system are.
Is that a design flaw? Not the way you'd normally think of "design
flaw." It works exactly as it's supposed to. However, its design is
in violation of the above "information gathering" portion of the CVE
vulnerability definition. A further question arises here... How much
information is sufficient for "information gathering" activities?
CAN-1999-0655 may appear to be too high level for most Board members.
However, not only is it High Cardinality, we also can't enumerate all
the possible instances. Thus the CVE content decisions dictate that
it remain at this level.
Finally, note the categories of these candidates. Many of them have
an SF (Software Flaw) or SA (Service/Application presence) category,
yet neither category really fits. This is an example of some of the
ambiguity and lack of mutual exhaustiveness of the category in the
CVE, which is a problem that the taxonomists always deal with. The
category cannot be completely removed, since it guides the CVE content
decisions, but we must make sure that it is appropriate for guiding
content decisions. But we shouldn't refine the CVE category too much
and encounter the problems related to full-blown taxonomies, including
the problem of community-wide acceptance. Considering this particular
cluster, and the different content decisions that may arise related to
design problems, should we define a new category to handle these types
of problems? Note that this is the only additional category that I
believe we could add.
- Steve
Summary of votes to use (in ascending order of "severity"):
ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g.
reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.
Please write your vote on the line that starts with "VOTE: ". If you
want to add comments or details, add them to lines after the VOTE: line.
=================================
Candidate: CAN-1999-0074
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:seqport
Listening TCP ports are sequentially allocated, allowing spoofing
attacks.
VOTE: ACCEPT
=================================
Candidate: CAN-1999-0077
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
TCP sequence prediction
VOTE: RECAST
Predictable TCP sequence numbers allow spoofing - is how I would phrase this
=================================
Candidate: CAN-1999-0103
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.01.UDP_service_denial
Reference: XF:chargen-patch
Echo and chargen, or other combinations of UDP services, can be used
in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.
VOTE: ACCEPT
=================================
Candidate: CAN-1999-0111
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
RIP v1 is susceptible to spoofing
VOTE: ACCEPT
=================================
Candidate: CAN-1999-0116
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.21.tcp_syn.flooding
Reference: SGI:19961202-01-PX
Reference: SUN:00136
SYN flood denial of service attack
VOTE: ACCEPT
=================================
Candidate: CAN-1999-0168
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:nfs-portmap
The portmapper may act as a proxy and redirect service requests from
an attacker, making the request appear to come from the local host,
possibly bypassing authentication that would otherwise have taken
place. For example, NFS file systems could be mounted through the
portmapper despite export restrictions.
VOTE: ACCEPT
=================================
Candidate: CAN-1999-0181
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:walld
The wall daemon can be used for denial of service, social engineering
attacks, or to execute remote commands.
VOTE: ACCEPT
=================================
Candidate: CAN-1999-0184
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:dns-updates
When compiled with the -DALLOW_UPDATES option, bind allows dynamic
updates to the DNS server, allowing for malicious modification of DNS
records.
VOTE: ACCEPT
=================================
Candidate: CAN-1999-0214
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Denial of service by sending forged ICMP unreachable packets.
VOTE: ACCEPT
=================================
Candidate: CAN-1999-0351
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: INFOWAR:01
FTP PASV "Pizza Thief" denial of service and unauthorized data
access. Attackers can steal data by connecting to a port that was
intended for use by a client.
VOTE: ACCEPT
=================================
Candidate: CAN-1999-0352
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-passwd-encrypt
ControlIT 4.5 and earlier (aka Remotely Possible) has weak password
encryption.
VOTE: NOOP
=================================
Candidate: CAN-1999-0356
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-bookfile-access
ControlIT v4.5 and earlier uses weak encryption to store
usernames and passwords in an address book.
VOTE: NOOP
=================================
Candidate: CAN-1999-0377
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb22,1999
Process table attack in Unix systems allows a remote attacker to
perform a denial of service by filling a machine's process tables
through multiple connections to network services.
VOTE: ACCEPT
Have we done the one about max connections to inetd over a
finite time frame?
=================================
Candidate: CAN-1999-0414
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: NAI: Linux Blind TCP Spoofing
In Linux before version 2.0.36, remote attackers can spoof a TCP
connection and pass data to the application layer before fully
establishing the connection.
VOTE: ACCEPT
=================================
Candidate: CAN-1999-0470
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:netware-remotenlm-passwords
Reference: BUGTRAQ:Apr9,1999
A weak encryption algorithm is used for passwords in Novell
Remote.NLM, allowing them to be easily decrypted.
VOTE: ACCEPT
=================================
Candidate: CAN-1999-0476
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SF
Reference: XF:sco-termvision-password
A weak encryption algorithm is used for passwords in SCO TermVision,
allowing them to be easily decrypted by a local user.
VOTE: NOOP
=================================
Candidate: CAN-1999-0612
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA
The finger service is running.
VOTE: REJECT
=================================
Candidate: CAN-1999-0613
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA
The rpc.sprayd service is running.
VOTE: REJECT
=================================
Candidate: CAN-1999-0618
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA
The rexec service is running.
VOTE: REJECT
=================================
Candidate: CAN-1999-0624
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA
The rstat/rstatd service is running.
VOTE: REJECT
=================================
Candidate: CAN-1999-0625
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA
The rpc.rquotad service is running.
VOTE: REJECT
=================================
Candidate: CAN-1999-0626
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA
The rusers/rusersd service is running.
VOTE: REJECT
=================================
Candidate: CAN-1999-0627
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA
The rexd service is running.
VOTE: REJECT
=================================
Candidate: CAN-1999-0628
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA
The rwho/rwhod service is running.
VOTE: REJECT
=================================
Candidate: CAN-1999-0629
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA
The ident/identd service is running.
VOTE: REJECT
=================================
Candidate: CAN-1999-0647
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA
The bootparam (bootparamd) service is running.
VOTE: REJECT
=================================
Candidate: CAN-1999-0655
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: SA
A service may include useful information in its banner or help
function (such as the name and version), making it useful for
information gathering activities.
VOTE: ACCEPT
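The check behind CAN-1999-0077 (predictable TCP sequence numbers) and CAN-1999-0074 (sequentially allocated ports), as an added example that is not part of the Board message or of any referenced advisory. It models the generator as "last value plus a roughly constant increment", predicts the next value, and counts how many exact guesses a blind spoofer would need, which is the kind of "[X amount of time] using commonly available technology" figure the proposal's draft content decision asks for. The 65536-guess threshold, the 1000 packets/second rate and every sample value are assumptions constructed for the example, not measurements from a real host; the same routine is applied to 16-bit ports as well as 32-bit ISNs, which goes beyond the single case each candidate names.

```python
"""Predictability check for TCP initial sequence numbers and ephemeral
ports, the design flaws behind CAN-1999-0077 and CAN-1999-0074.

Added example for this mailing-list page; it is not code from the CVE
Board, MITRE, or any referenced advisory.  All sample values below are
constructed, not captured from a real host.
"""

SEQ_MOD = 1 << 32    # TCP sequence numbers are 32-bit and wrap
PORT_MOD = 1 << 16   # TCP ports are 16-bit


def increments(values, modulus):
    """Wrap-around difference between each consecutive pair of samples."""
    return [(b - a) % modulus for a, b in zip(values, values[1:])]


def analyse_sequence(values, modulus):
    """Return (predicted_next, guesses_needed).

    Model (an assumption of this example): each new connection adds a
    roughly constant increment to the previous value, as a per-connection
    ISN bump or an in-order port counter does.  The prediction is the last
    sample plus the median increment; the guesses an attacker needs is the
    spread of the increments seen, because a blind spoofer must hit the
    exact value: the server only leaves SYN-RECEIVED when the forged ACK
    acknowledges ISN+1.
    """
    if len(values) < 3:
        raise ValueError("need at least three samples (two increments)")
    deltas = sorted(increments(values, modulus))
    median = deltas[len(deltas) // 2]
    spread = deltas[-1] - deltas[0]
    predicted = (values[-1] + median) % modulus
    return predicted, spread + 1


def is_predictable(values, modulus, max_guesses=1 << 16):
    """True when the next value can be hit in at most max_guesses tries
    (the 65536 default is an arbitrary cut-off chosen for the example)."""
    return analyse_sequence(values, modulus)[1] <= max_guesses


def attack_seconds(guesses, packets_per_second):
    """Wall-clock cost of trying every candidate once, one forged packet
    each: the "[X amount of time]" figure the proposal's draft rule wants."""
    return guesses / packets_per_second


# Constructed sample 1: a host that bumps its ISN by about 64000 per
# connection with a jitter of a few units.
WEAK_HOST_ISNS = [0x2A000000]
for _inc in (64000, 64001, 63999, 64002, 64000, 64000, 64001):
    WEAK_HOST_ISNS.append((WEAK_HOST_ISNS[-1] + _inc) % SEQ_MOD)

# Constructed sample 2: arbitrary 32-bit values standing in for a host
# that randomises its ISNs; no small increment fits them.
RANDOM_HOST_ISNS = [0x1F3A9C42, 0xB7E21D05, 0x3C8811AA, 0x9A02F7E1,
                    0x05D4C3B9, 0xE1A7720F, 0x7B5E0C93, 0x4C19D8E6]

# Constructed sample 3: ephemeral source ports handed out in order
# (CAN-1999-0074), so the port of a client's next connection is known
# before it is opened.
SEQUENTIAL_PORTS = [1030, 1031, 1032, 1033, 1034]


if __name__ == "__main__":
    for label, samples, mod in (("weak ISN", WEAK_HOST_ISNS, SEQ_MOD),
                                ("random ISN", RANDOM_HOST_ISNS, SEQ_MOD),
                                ("sequential port", SEQUENTIAL_PORTS, PORT_MOD)):
        nxt, guesses = analyse_sequence(samples, mod)
        print(f"{label:16s} next={nxt:#x} guesses={guesses} "
              f"predictable={is_predictable(samples, mod)} "
              f"at 1000 pps: {attack_seconds(guesses, 1000):.3f}s")
```

Running it prints one line per sample: the weak ISN host and the sequential-port host come out predictable with a handful of guesses, while the randomised host needs a spread of hundreds of millions of guesses. The useful design point is that the prediction never needs the attacker to see the server's SYN-ACK; a few of its own legitimate connections are enough to calibrate the increment, which is why the Board treats the generator itself, not any particular packet, as the flaw.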