
PROPOSAL: Cluster 28 - DESC (2 candidates)
Most of the SF-MISC cluster has been merged with the NOVULN cluster,
and the two remaining SF-MISC candidates have been put into this DESC
cluster.  Thus SF-MISC need not be proposed.

We now look at DESC.  These 2 candidates touch on the problem of
deciding when we have enough information to place a vulnerability into
the CVE, and the problems with relying on the description alone to
distinguish between very similar vulnerabilities.


CAN-1999-0001 doesn't provide much information, but is confirmed by
CERT.  A look at some BSD code that patches the problem indicates it
has something to do with fragmentation and/or IP header processing,
but even that information isn't necessarily enough to write a
description that is sufficient to distinguish it from other similar
vulnerabilities.  We have this problem with Teardrop and its variants.
This description is also aesthetically challenged because it uses a
reference in the description itself.

CAN-1999-0001, and a number of other candidates, show the importance
of having references available to anyone who's looking up a
vulnerability's CVE name, especially if the details of the
vulnerability are so obscure (or unknown) that even a typical security
expert can't necessarily easily distinguish between them.  Consider
rdist, which has at least two separate vulnerabilities in
CAN-1999-0022 and CAN-1999-0023 (rather, CVE-1999-0022 and
CVE-1999-0023, since they've both been ACCEPTed).  The only
distinguishing factor in the description is the name of the function
where the buffer overflow occurs, which most security analysts never
knew, or would need to look up; but the CERT advisories help to easily
mark the distinction.

>Name: CVE-1999-0022
>Reference: CERT:CA-97.23.rdist
>Reference: XF:rdist-bo3
>Reference: XF:rdist-sept97
>
>Local user gains root privileges via buffer overflow in rdist, via
>expstr() function.
>
>
>Name: CVE-1999-0023
>Reference: CERT:CA-96.14.rdist_vul
>Reference: XF:rdist-bo
>Reference: XF:rdist-bo2
>
>Local user gains root privileges via buffer overflow in rdist, via
>lookup() function.
>

CAN-1999-0345 describes the vulnerability exploited by Jolt, which
I've seen in a number of places; but is this the same as, or different
from, the other Teardrops?

Summary of votes to use (in ascending order of "severity"):

ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g. reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ".  If you
want to add comments or details, add them to lines after the VOTE: line.


=================================
Candidate: CAN-1999-0001
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-98-13-tcp-denial-of-service

Denial of service in BSD-derived TCP/IP implementations, as described
in CERT CA-98-13.

VOTE:

=================================
Candidate: CAN-1999-0345
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: SF

Jolt ICMP attack causes a denial of service in Windows 95 and Windows
NT systems.

VOTE:

Page Last Updated or Reviewed: May 22, 2007