RE: PROPOSAL: Cluster 15 - ONEREF (43 candidates)

To: cve-editorial-board-list@lists.mitre.org
Subject: RE: PROPOSAL: Cluster 15 - ONEREF (43 candidates)
From: "Prosser, Mike" <mike.prosser@L-3SECURITY.COM>
Date: Wed, 4 Aug 1999 14:26:05 -0500
Sender: owner-cve-editorial-board-list@lists.mitre.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- -----Original Message-----
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Wednesday, July 14, 1999 1:24 AM
To: cve-editorial-board-list@lists.mitre.org
Subject: PROPOSAL: Cluster 15 - ONEREF (43 candidates)


The following ONEREF cluster contains 43 candidates, each of which has
one reference to a source, and the reference is not from the vendor.
Most of these only include references to the X-Force database.  This
is a modification of a REFS cluster that I had originally created (the
NOREFS cluster appears next).

I had treated the REFS cluster as Medium controversy because of the
belief that a single reference wasn't a guarantee that the
vulnerability was verified and described properly.  (No slight to
X-Force).  Since we are being flexible about references, in hindsight
these candidates should have been included in earlier low controversy
clusters.


Proposed: 7/13
Scheduled Proposed: 7/6
Scheduled Interim Decision: 7/19
Scheduled Final Decision: 7/23

- - Steve



Summary of votes to use (in ascending order of "severity"):

ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g.
reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or
merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ".  If you
want to add comments or details, add them to lines after the VOTE:
line.


=================================
Candidate: CAN-1999-0062
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:openbsd-chpass

The chpass command in OpenBSD gives root access when a temporary
file it uses is writeable by an attacker, due to an open file
descriptor.

VOTE:
Modify:  I believe this is a file leakage problem where the temp
password file can be modified and used to overwrite the original
password file.  The reference source for this is a NAI Security
Advisory #28, no longer available from the now defunct old NAI site
but is on Bugtraq
http://netspace.org/cgi-bin/wa?A2=ind9808B&L=bugtraq&P=R455
=================================
Candidate: CAN-1999-0081
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-rnfr

wu-ftp allows files to be overwritten via the rnfr command.

VOTE: NOOP

=================================
Candidate: CAN-1999-0082
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-cwd

CWD ~root command in ftp allows root login

VOTE:
Modify:  Dan Farmer and Wietse Venema covered this vulnerability as
well in their guide "Improving the Security of Your Site by Breaking
Into it"
=================================
Candidate: CAN-1999-0083
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:cwdleak

getcwd() file descriptor leak in FTP

VOTE:noop

=================================
Candidate: CAN-1999-0120
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: CERT:CA-94.06.utmp.vulnerability
Reference: XF:utmp-write

Sun/Solaris utmp file allows local users to gain root access if it
is writable by users other than root.

VOTE:agree

=================================
Candidate: CAN-1999-0156
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-pwless

wu-ftpd FTP daemon allows any user and password combination.

VOTE:reviewing, but so far can find no reference to this one

=================================
Candidate: CAN-1999-0163
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:smtp-pipe

In older versions of Sendmail, an attacker could use a pipe character
to execute root commands.

VOTE:modify, older vulnerability, but one additional reference is-
The Ultimate Sendmail Hole List by Markus H�bner @
bau2.uibk.ac.at/matic/buglist.htm
'|PROGRAM '
=================================
Candidate: CAN-1999-0165
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nfs-cache

NFS cache poisoning

VOTE:noop

=================================
Candidate: CAN-1999-0228
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nt-rpc-ver

Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.

VOTE:modify, this is a 100% CPU utilization through the rpc port 135
on an NT box. Source is Microsoft Knowledge Base article Q162567

=================================
Candidate: CAN-1999-0252
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:smtp-listserv

Buffer overflow in listserv allows arbitrary command execution.

VOTE:noop

=================================
Candidate: CAN-1999-0294
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nt-wins-snmp2

All records in a WINS database can be deleted through SNMP for
a denial of service.

VOTE:noop

=================================
Candidate: CAN-1999-0295
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sun-sysdef

Solaris sysdef command allows local users to read kernel memory,
potentially leading to root privileges.

VOTE:agree, reference though should be Sun Security Bulletin 00157

=================================
Candidate: CAN-1999-0303
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:bnu-uucpd-bo

Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.

VOTE:modify, source should be REPSEC Security Advisory
RSI.0002.05-18-98.BNU.UUCPD

=================================
Candidate: CAN-1999-0305
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:bsd-sourceroute

BSD sysctl control does not properly restrict source routing.

VOTE:modify reference:  OpenBSD Security Advisory February 15, 1998 IP
Source Routing Problem
=================================
Candidate: CAN-1999-0306
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hp-xlock

buffer overflow in HP xlock program.

VOTE:modify, This is another of those with multiple affected OSs.
Refs:  CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt,
HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150

=================================
Candidate: CAN-1999-0307
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hpux-cstm-bo

Buffer overflow in HP-UX cstm program allows local users to gain
root privileges.

VOTE: noop, only ref I can find is an old SOD exploit on
www.outpost9.com
=================================
Candidate: CAN-1999-0308
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hpux-gwind-overwrite
Reference: CIAC:H-03: HP-UX suid Vulnerabilities

HP-UX gwind program allows users to modify arbitrary files.

VOTE:modify,add source HP Security Bulletin HPSBUX9410-018

=================================
Candidate: CAN-1999-0310
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ssh-1225

SSH 1.2.25 on HP-UX allows access to new user accounts.

VOTE:agree

=================================
Candidate: CAN-1999-0311
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hpux-fpkg2swpk

fpkg2swpk in HP-UX allows local users to gain root access.

VOTE:modify, add source:  HP Security Advisory HPSBUX9612-042

=================================
Candidate: CAN-1999-0312
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nis-ypbind

HP ypbind allows attackers with root privileges to modify NIS data.

VOTE: modify:  Source is an older CERT Bulletin CA-93.1, Revised
Hewlett-Packard NIS ypbind Vulnerability

=================================
Candidate: CAN-1999-0313
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sgi-disk-bandwidth

IRIX disk_bandwidth program allows local users to gain root access
using relative pathnames.

VOTE:modify:  Source is SGI Security Advisory 19980701-01-P

=================================
Candidate: CAN-1999-0314
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sgi-ioconfig

IRIX ioconfig program allows local users to gain root access
using relative pathnames.

VOTE:modify:  Source is SGI Security Advisory 19980701-01-P

=================================
Candidate: CAN-1999-0316
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:linux-splitvt

Buffer overflow in Linux splitvt command gives root access to local
users.

VOTE:modify:  Source is CIAC Bulletin G-08

=================================
Candidate: CAN-1999-0321
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sun-kcms-configure-bo

Buffer overflow in Solaris kcms_configure command allows local users
to gain root access.

VOTE:modify:  source is CERT Advisory CERT CA-96.15, AusCERT Alert AL
96-02

=================================
Candidate: CAN-1999-0324
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hp-ppllog

ppl program in HP-UX allows local users to create root files through
symlinks.

VOTE:modify:  reference CIAC Bulletin H-31, HP Security Bulletin
HPSBUX9702-053

=================================
Candidate: CAN-1999-0325
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hp-vhe

vhe_u_mnt program in HP-UX allows local users to create root files
through
symlinks.

VOTE:modify reference:  HPSBUX9406-013

=================================
Candidate: CAN-1999-0331
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:msie-bo

Buffer overflow in Internet Explorer 4.0(1)

VOTE:recast, needs to be more specific.

=================================
Candidate: CAN-1999-0332
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nt-netmeeting

Buffer overflow in NetMeeting allows denial of service and remote
command execution.

VOTE:modify:  reference:
www.microsoft.com/windows/ie/security/netmbuff.asp, Knowledgebase
Q184346

=================================
Candidate: CAN-1999-0335
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:lpr-bsd-lprbo

Buffer overflow in BSD and linux lpr command allows local users to
execute commands as root through the classification option.

VOTE:modify, reference:  AUSCERT Advisory AA-96.12

=================================
Candidate: CAN-1999-0336
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hpux-mstm-bo

Buffer overflow in mstm in HP-UX allows local users to gain root
access.

VOTE:noop, same as CAN-1999-0307, only ref I can find is an old SOD
exploit on www.outpost9.com

=================================
Candidate: CAN-1999-0340
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:linux-crond

Buffer overflow in Linux Slackware crond program allows local users
to gain root access.

VOTE:noop, advisory comes from KSRT, KSR[T] Advisory #005
                                            Date:   Dec  6, 1997

=================================
Candidate: CAN-1999-0341
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:linux-deliver

Buffer overflow in the Linux mail program "deliver" allows local users
to gain root access.

VOTE:noop, advisory comes from KSRT, Advisory #006
                        Date:   Jan 14, 1998

=================================
Candidate: CAN-1999-0342
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:linux-pam-passwd-tmprace

Linux PAM modules allow local users to gain root access using
temporary files.

VOTE:modify, one source from Bugtraq, another from
http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam

=================================
Candidate: CAN-1999-0343
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:palace-execute

A malicious Palace server can force a client to execute arbitrary
programs.

VOTE:noop

=================================
Candidate: CAN-1999-0344
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nt-priv-fix

NT users can gain debug-level access on a system process using the
Sechole exploit.

VOTE:modify, Source: MS Bulletin ms98-009 and Microssoft Knowledge
Base article Q190288

=================================
Candidate: CAN-1999-0357
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan25,1999

Denial of service in Windows systems using malformed oshare packets.

VOTE:noop

=================================
Candidate: CAN-1999-0374
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb16,1999

Debian Linux cfengine package is susceptible to a symlink attack.

VOTE: noop

=================================
Candidate: CAN-1999-0468
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ie-scriplet-fileread
Reference: BUGTRAQ:Apr9,1999

Internet Explorer 5.0 allows a remote server to read arbitrary files
on the client's file system using the Microsoft Scriptlet Component.

VOTE:modify, Source:  MS bulletin ms99-012

=================================
Candidate: CAN-1999-0471
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:winroute-config
Reference: BUGTRAQ:Apr9,1999

The remote proxy server in Winroute allows a remote attacker to
reconfigure the proxy without authentication through the "cancel"
button.

VOTE:noop

=================================
Candidate: CAN-1999-0472
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:netcache-snmp
Reference: BUGTRAQ:Apr7,1999

The SNMP default community name "public" is not properly removed in
NetApps C630 Netcache, even if the administrator tries to disable it.

VOTE:noop

=================================
Candidate: CAN-1999-0473
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:rsync-permissions
Reference: BUGTRAQ:Apr7,1999

The rsync command before rsync 2.3.1 may inadvertently change the
permissions of the client's working directory to the permissions of
the directory being transferred.

VOTE:modify, Source:  Caldera Security Advisory CSSA-1999:010.0

=================================
Candidate: CAN-1999-0474
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:icq-webserver-read
Reference: BUGTRAQ:Apr5,1999

The ICQ Webserver allows remote attackers to use .. to access
arbitrary files outside of the user's personal directory.

VOTE:noop

=================================
Candidate: CAN-1999-0475
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990714
Assigned: 19990607
Category: SF
Reference: XF:procmail-race
Reference: BUGTRAQ:Apr5,1999

A race condition in how procmail handles .procmailrc files allows
a local user to read arbitrary files available to the user who is
running procmail.

VOTE:noop

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBN6iVEBIUaHPadf5hEQK8HACg0YZQYyf4AvO6MER+O0TU443zktUAoJX7
TdvtFMImSJmOFwul7dKBvsLg
=qztC
-----END PGP SIGNATURE-----
Prev by Date: Re: CONTENT DECISION: Presence of Services or Applications (SA)
Next by Date: RE: CONTENT DECISION: Presence of Services or Applications (SA)
Prev by thread: PROPOSAL: Cluster 38 - MPAN (4 candidates)
Next by thread: Universal vs. Environmental Policy, and the "vulnerability" term
Index(es):
- Date
- Thread