[TECH] Active candidates
All:
Below are all the current candidates that are still active. The list
includes voting summaries. If you wish, you can use these to make
your mappings more complete and/or reduce duplication when you send me
your top 100 or six month lists.
I could also provide these candidates in HTML or comma-separated
format if you wish.
- Steve
=================================
Candidate: CAN-1999-0001
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-98-13-tcp-denial-of-service
Denial of service in BSD-derived TCP/IP implementations, as described
in CERT CA-98-13.
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0004
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175
Reference: MS:MS98-008
MIME buffer overflow in email clients, e.g. Solaris mailtool
and Outlook.
Modifications:
ADDREF MS:MS98-008
DESC include Outlook
VOTES:
ACCEPT(3) Northcutt, Landfield, Wall
MODIFY(1) Frech
REVIEWING(1) Shostack
COMMENTS:
Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject
Frech> this suggestion, I will not be devastated.) :-)
=================================
Candidate: CAN-1999-0015
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop
Teardrop IP denial of service.
VOTES:
ACCEPT(1) Wall
MODIFY(1) Frech
COMMENTS:
Frech> XF: teardrop-mod
=================================
Candidate: CAN-1999-0020
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Buffer overflow in Linux lpr command gives root access.
VOTES:
MODIFY(1) Frech
NOOP(3) Northcutt, Shostack, Wall
COMMENTS:
Frech> XF:lpr-bo
=================================
Candidate: CAN-1999-0030
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul
Reference: XF:sgi-xlockbo
Reference: SGI:19970508-02-PX
root privileges via buffer overflow in xlock command on SGI IRIX
systems.
VOTES:
ACCEPT(3) Prosser, Levy, Ozancin
RECAST(1) Frech
REJECT(1) Christey
COMMENTS:
Frech> XF:xlock-bo (also add)
Frech> As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and
Frech> several Linii.
Frech> Also, don't you mean to cite SGI:19970502-02-PX? The one you list is
Frech> login/scheme.
Levy> Notice that this xlock overflow is the same as in
Levy> CA-97.13. CA-97.21 simply is a reminder.
Christey> As pointed out by Elias, CA-97.13 (CVE-1999-0038) already mentions
Christey> this. However, CVE-1999-0038 may need to be modified to reflect
Christey> the different OSes, though I suspect it's the same codebase,
Christey> as well as to update its references.
Christey> To keep the description as short and simple as possible, we
Christey> should avoid this specific detail until there is a second AIX
Christey> telnet DoS
=================================
Candidate: CAN-1999-0031
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.20.javascript
JavaScript allows remote attackers to monitor a user's web
activities.
VOTES:
ACCEPT(1) Wall
NOOP(1) Northcutt
=================================
Candidate: CAN-1999-0033
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo
Command execution in Sun systems via buffer overflow in the at program
VOTES:
ACCEPT(4) Northcutt, Hill, Shostack, Wall
RECAST(1) Frech
COMMENTS:
Frech> This vulnerability also manifests itself for the following
Frech> platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light,
Frech> please add the following:
Frech> Reference: XF:at-bo
=================================
Candidate: CAN-1999-0061
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: NAI:NAI-20
Reference: XF:bsd-lpd
File creation and deletion, and remote execution, in the BSD
line printer daemon (lpd).
VOTES:
ACCEPT(3) Hill, Frech, Northcutt
=================================
Candidate: CAN-1999-0076
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:ftp-args
Buffer overflow in wu-ftp from PASV command causes a core dump.
Modifications:
DESC make more explicit to distinguish from CAN-1999-0075
VOTES:
ACCEPT(1) Frech
NOOP(1) Balinsky
COMMENTS:
Balinsky> Don't know what this is. Is this the LIST Core dump vulnerability?
=================================
Candidate: CAN-1999-0078
Published:
Final-Decision:
Interim-Decision:
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd
pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions,
or execute arbitrary commands through arguments in the RPC call.
Modifications:
DELREF XF:nfs-pcnfsd
VOTES:
ACCEPT(4) Frech, Shostack, Northcutt, Landfield
RECAST(1) Christey
COMMENTS:
Christey> This candidate should be SPLIT, since there are two separate
Christey> software flaws. One is a symlink race and the other is a
Christey> shell metacharacter problem.
=================================
Candidate: CAN-1999-0086
Published:
Final-Decision:
Interim-Decision: 19990630
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: XF:ibm-routed
AIX routed allows remote users to modify sensitive files.
Modifications:
ADDREF XF:ibm-routed
VOTES:
ACCEPT(2) Shostack, Northcutt
MODIFY(2) Frech, Prosser
COMMENTS:
Frech> Reference: XF:ibm-routed
Prosser> This vulnerability allows debug mode to be turned on which is
Prosser> the problem. Should this be more specific in the description? This
Prosser> one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which
Prosser> is in the SGI cluster, shouldn't these be cross-referenced as the same
Prosser> vuln affects multiple OSes.
=================================
Candidate: CAN-1999-0088
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1998:004.1
IRIX and AIX automountd services (autofsd) allow remote users to
execute root commands.
VOTES:
ACCEPT(2) Shostack, Northcutt
MODIFY(2) Frech, Prosser
COMMENTS:
Frech> ERS (and other references, BTW) explicitly stipulate 'local and
Frech> remote'.
Frech> Reference: XF:irix-autofsd
Prosser> Include the SGI Alert as well since it is mentioned in the
Prosser> description.
Prosser> SGI Security Advisory 19981005-01-PX
=================================
Candidate: CAN-1999-0089
Published:
Final-Decision:
Interim-Decision: 19990630
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-libDtSvc
Buffer overflow in AIX libDtSvc library can allow local users
to gain root access.
Modifications:
ADDREF XF:ibm-libDtSvc
VOTES:
ACCEPT(2) Shostack, Northcutt
MODIFY(2) Frech, Prosser
NOOP(1) Christey
COMMENTS:
Frech> Reference: XF:ibm-libDtSvc
Prosser> The overflow is in the dtaction utility. Also affects
Prosser> dtaction in the CDE on versions of SunOS (SUN 164). Probably should be
Prosser> specific.
Christey> DUPE CAN-1999-0121 (SF-CODEBASE)
=================================
Candidate: CAN-1999-0092
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:006.1
Various vulnerabilities in the AIX portmir command allows
local users to obtain root access.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:ibm-portmir
=================================
Candidate: CAN-1999-0098
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: XF:smtp-helo-bo
Buffer overflow in SMTP HELO command in Sendmail allows a remote
attacker to hide activities.
VOTES:
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
COMMENTS:
Frech> (Accept XF reference.)
Frech> Our references do not mention hiding activities. This issue can crash the
Frech> SMTP server or execute arbitrary byte-code. Is there another reference
Frech> available?
Christey> Should this be merged with CAN-1999-0284, which is Sendmail
Christey> with SMTP HELO?
=================================
Candidate: CAN-1999-0101
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:001.1
Reference: SUN:00137
Reference: NAI:NAI-1
Buffer overflow in AIX and Solaris "gethostbyname" library call allows
root access through corrupt DNS host names.
VOTES:
ACCEPT(1) Prosser
MODIFY(1) Frech
COMMENTS:
Frech> XF:ghbn-bo
Frech> in addition to ERS:1997:001.1, also include 1996:007.1
Frech> Sun's bulletin is 137a, not 137.
Prosser> concur with Andre, sun bul is 137a
=================================
Candidate: CAN-1999-0104
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop-mod
A later variation on the Teardrop IP denial of service attack,
a.k.a. Teardrop-2
VOTES:
ACCEPT(2) Wall, Frech
COMMENTS:
Wall> Another reference is Microsoft Knowledge Base Q179129.
=================================
Candidate: CAN-1999-0105
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
finger allows recursive searches by using a long string of @ symbols.
VOTES:
MODIFY(2) Shostack, Frech
REJECT(1) Northcutt
COMMENTS:
Shostack> fingerD
Frech> XF:finger-bomb
=================================
Candidate: CAN-1999-0106
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Finger redirection allows finger bombs.
VOTES:
ACCEPT(1) Northcutt
MODIFY(2) Shostack, Frech
COMMENTS:
Shostack> fingerd allows redirection
Shostack> This is a larger modification, since there are two applications of the
Shostack> vulnerability, one that I can finger anonymously, and the other that I
Shostack> can finger bomb anonymously.
Frech> XF:finger-bomb
=================================
Candidate: CAN-1999-0107
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Buffer overflow in HTTP Apache 1.2 or earlier, up to 1.2.5.
VOTES:
MODIFY(1) Frech
NOOP(3) Northcutt, Shostack, Wall
COMMENTS:
Wall> - Although this is probably the phf hack.
Frech> XF:apache-dos
=================================
Candidate: CAN-1999-0110
Published:
Final-Decision:
Interim-Decision: 19990810
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
** REJECT ** Duplicate of CAN-1999-0315 (this has a typo)
Buffer overflow in fbformat command in Solaris.
VOTES:
MODIFY(1) Frech
NOOP(3) Northcutt, Shostack, Wall
COMMENTS:
Frech> XF:fdformat-bo
=================================
Candidate: CAN-1999-0114
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Local users can execute commands as other users, and read other users'
files, through the filter command in the Elm elm-2.4 mail package
using a symlink attack.
VOTES:
ACCEPT(1) Shostack
MODIFY(1) Frech
NOOP(2) Northcutt, Wall
COMMENTS:
Frech> XF:elm-filter2
=================================
Candidate: CAN-1999-0115
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
AIX bugfiler program allows local users to gain root access.
VOTES:
MODIFY(1) Frech
NOOP(3) Northcutt, Shostack, Wall
COMMENTS:
Frech> XF:ibm-bugfiler
=================================
Candidate: CAN-1999-0118
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
AIX infod allows local users to gain root access through an X display.
VOTES:
MODIFY(1) Frech
NOOP(3) Northcutt, Shostack, Wall
COMMENTS:
Frech> XF:aix-infod
=================================
Candidate: CAN-1999-0119
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Windows NT 4.0 beta allows users to read and delete shares.
VOTES:
NOOP(1) Northcutt
REJECT(1) Wall
COMMENTS:
Wall> Reject based on beta copy.
=================================
Candidate: CAN-1999-0121
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00164
Reference: ERS:ERS-SVA-E01-1997:005.1
Buffer overflow in dtaction command gives root access.
VOTES:
ACCEPT(1) Northcutt
MODIFY(2) Frech, Prosser
NOOP(1) Christey
COMMENTS:
Frech> Reference: XF:dtaction-bo
Frech> Reference: XF:sun-dtaction
Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a
Prosser> library in AIX 4.x, but reference for this Sun vulnerability should
Prosser> only reflect the Sun Bulletin or the CIAC I-032 version of the Sun
Prosser> Bulletin
Christey> This is the Same Codebase as CAN-1999-0089, so the two entries
Christey> should be merged.
=================================
Candidate: CAN-1999-0123
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: XF:linux-mailx
Race condition in Linux mailx command allows local users to
read user files.
VOTES:
ACCEPT(2) Ozancin, Frech
NOOP(1) Wall
=================================
Candidate: CAN-1999-0124
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability
Reference: XF:gopher-vuln
Vulnerabilities in UMN gopher and gopher+ allow an intruder to read
any files that can be accessed by the gopher daemon.
VOTES:
ACCEPT(1) Frech
=================================
Candidate: CAN-1999-0127
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.27.hp_sw_install
Reference: AUSCERT:AA-96.04
Reference: XF:hpux-swinstall
swinstall and swmodify commands in SD-UX package in HP-UX systems
allow local users to create or overwrite arbitrary files to gain root
access.
VOTES:
ACCEPT(1) Prosser
MODIFY(1) Frech
NOOP(1) Christey
COMMENTS:
Frech> (keep current XF: reference, and add)
Frech> XF:hpux-sqwmodify
Christey> Perhaps this should be split, per SF-LOC.
=================================
Candidate: CAN-1999-0140
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Denial of service in RAS/PPTP on NT systems.
VOTES:
ACCEPT(1) Hill
MODIFY(2) Meunier, Frech
NOOP(1) Christey
COMMENTS:
Meunier> Add "pptp invalid packet length in header" to distinguish from other
Meunier> vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be
Meunier> discovered in the future.
Frech> XF:nt-ras-bo
Frech> ONLY IF reference is to MS:MS99-016
Christey> According to my mappings, this is not the MS:MS99-016 problem
Christey> referred to by Andre. However, I have yet to dig up a
Christey> source.
=================================
Candidate: CAN-1999-0142
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.05.java_applet_security_mgr
Java Applet Security Manager allows an applet to connect to arbitrary
hosts.
VOTES:
ACCEPT(3) Hill, Shostack, Wall
MODIFY(1) Frech
RECAST(1) Northcutt
REVIEWING(1) Christey
COMMENTS:
Northcutt> Please note I am not a Java expert, but I think jdk 2.0 and
Northcutt> so forth do not have a sandbox notion and applets (perhaps trusted
Northcutt> applets) can connect to arbitrary hosts as a matter of course. You
Northcutt> might want to contact Li Gong (li.gong@sun.com) or a similar
Northcutt> expert before issuing this one. NOTE: another reason to consider
Northcutt> the original date!!!
Christey> Noting Steve Northcutt's comments, perhaps we would need to modify the
Christey> description somewhat to distinguish between current Java versions and
Christey> the one that had this vulnerability. However, the CERT reference
Christey> associates a general place and time for where this vulnerability
Christey> arose, so I don't think it's too big of a deal.
Frech> Reference: XF:http-java-appletsecmgr
=================================
Candidate: CAN-1999-0144
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:qmail-rcpt
Denial of service in Qmail by specifying a large number of
recipients with the RCPT command.
VOTES:
ACCEPT(3) Hill, Meunier, Frech
=================================
Candidate: CAN-1999-0145
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Sendmail WIZ command enabled, allowing root access.
VOTES:
ACCEPT(4) Hill, Blake, Proctor, Balinsky
MODIFY(2) Frech, Prosser
NOOP(1) Christey
REJECT(1) Northcutt
COMMENTS:
Frech> XF:smtp-wiz
Northcutt> I have voted against this before as well. This raises the case of a
Northcutt> historic but no longer existent vulnerability. Or is there any data
Northcutt> that wiz still exists on any operational systems?
Prosser> additional sources
Prosser> Bugtraq
Prosser> "sendmail wizard thing"
Prosser> http://securityfocus/
Prosser> CERT Advisory CA-93.14
Prosser> http://www.cert.org
Christey> While this may not be active anywhere (we hope), it is still
Christey> of historic interest and potentially useful for academic
Christey> study. Therefore it should be included.
=================================
Candidate: CAN-1999-0151
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.07a.REVISED.satan.vul
Reference: CERT:CA-95.06.satan.vul
The SATAN session key may be disclosed if the user points the web
browser to other sites, possibly allowing root access.
VOTES:
ACCEPT(2) Hill, Northcutt
MODIFY(1) Frech
COMMENTS:
Frech> XF:satan-scan
=================================
Candidate: CAN-1999-0156
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-pwless
wu-ftpd FTP daemon allows any user and password combination.
VOTES:
ACCEPT(2) Northcutt, Shostack
NOOP(1) Baker
RECAST(1) Frech
REVIEWING(1) Prosser
COMMENTS:
Prosser> but so far can find no reference to this one
Frech> Our records indicate that this does not necessarily affect just wu-ftp (ie,
Frech> also affects IIS FTP server).
=================================
Candidate: CAN-1999-0163
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:smtp-pipe
In older versions of Sendmail, an attacker could use a pipe character
to execute root commands.
VOTES:
ACCEPT(2) Northcutt, Frech
MODIFY(1) Prosser
NOOP(2) Baker, Christey
RECAST(1) Shostack
COMMENTS:
Shostack> there was a 'To: |' and a 'From: |' attack, which I
Shostack> think are separate.
Prosser> older vulnerability, but one additional reference is-
Prosser> The Ultimate Sendmail Hole List by Markus Hübner @
Prosser> bau2.uibk.ac.at/matic/buglist.htm
Prosser> '|PROGRAM '
Christey> Description needs to be more specific to distinguish between
Christey> this and CAN-1999-0203, as alluded to by Adam Shostack
=================================
Candidate: CAN-1999-0165
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nfs-cache
NFS cache poisoning
VOTES:
ACCEPT(3) Northcutt, Baker, Frech
MODIFY(1) Shostack
NOOP(1) Prosser
COMMENTS:
Shostack> need more data
=================================
Candidate: CAN-1999-0169
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nfs-uid
NFS allows attackers to read and write any file on the system by
specifying a false UID.
VOTES:
ACCEPT(2) Northcutt, Frech
REJECT(1) Shostack
COMMENTS:
Shostack> this is not a vulnerability but a design feature.
=================================
Candidate: CAN-1999-0171
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:syslog-flood
Denial of service in syslog by sending it a large number of
superfluous messages.
VOTES:
ACCEPT(2) Northcutt, Frech
REJECT(1) Shostack
COMMENTS:
Shostack> design issue, not a vulnerability. Alternately, add:
Shostack> DOS on server by opening a large number of telnet sessions..
=================================
Candidate: CAN-1999-0186
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: SUN:00178
Reference: XF:snmp-backdoor-access
In Solaris, an SNMP subagent has a default community string that allows remote
attackers to execute arbitrary commands as root, or modify system
parameters.
VOTES:
MODIFY(1) Frech
NOOP(1) Wall
COMMENTS:
Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr
Frech> Add ISS:Hidden Community String in SNMP Implementation
=================================
Candidate: CAN-1999-0187
Published:
Final-Decision:
Interim-Decision:
Modified: 19990805
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: SUN:00179
** REJECT ** Duplicate of CAN-1999-0022 (SUN:00179 is referenced in
CERT:CA-97.23.rdist)
The rdist program in Solaris has some buffer overflows that allow
attackers to gain root access.
VOTES:
ACCEPT(2) Northcutt, Hill
RECAST(2) Prosser, Frech
REVIEWING(1) Christey
COMMENTS:
Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in
Prosser> rdist lookup() (ref CERT 96.14) as well as the BO in rdist function expstr()
Prosser> (ref CERT 97-23) and various vendor bulletins. However both of these rdist
Prosser> BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX,
Prosser> FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content
Prosser> decision
Frech> XF:rdist-bo (error msg formation)
Frech> XF:rdist-bo2 (execute code)
Frech> XF:rdist-bo3 (execute user-created code)
Frech> XF:rdist-sept97 (root from local)
Christey> Duplicate of CAN-1999-0022 (SUN:00179 is referenced in
Christey> CERT:CA-97.23.rdist), but as Mike and Andre noted, there
Christey> are multiple flaws here, so a RECAST may be necessary.
=================================
Candidate: CAN-1999-0193
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Denial of service in Ascend and 3com routers, which can be rebooted by
sending a zero length TCP option.
VOTES:
ACCEPT(2) Northcutt, Shostack
REVIEWING(1) Frech
COMMENTS:
Frech> possibly XF:ascend-kill
Frech> I can't find a reference that lists both routers in the same reference.
=================================
Candidate: CAN-1999-0195
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Denial of service in RPC portmapper allows attackers to register or
unregister RPC services, or spoof RPC services.
VOTES:
ACCEPT(1) Shostack
MODIFY(1) Frech
NOOP(2) Northcutt, Wall
COMMENTS:
Frech> XF:rpcbind-spoof
=================================
Candidate: CAN-1999-0197
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
finger 0@host on some systems may print information on some user accounts.
VOTES:
MODIFY(1) Shostack
REJECT(1) Northcutt
REVIEWING(1) Frech
COMMENTS:
Shostack> fingerd may respond to 'finger 0@host' with account info
Frech> Need more reference to establish this 'exposure'.
=================================
Candidate: CAN-1999-0198
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
finger .@host on some systems may print information on some user accounts.
VOTES:
MODIFY(1) Shostack
REJECT(1) Northcutt
REVIEWING(1) Frech
COMMENTS:
Shostack> as above
Frech> Need more reference to establish this 'exposure'.
=================================
Candidate: CAN-1999-0200
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
WFTP would allow an attacker to log into the FTP server using any
username and password.
VOTES:
MODIFY(2) Shostack, Frech
NOOP(2) Northcutt, Wall
COMMENTS:
Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another?
Frech> Others have mentioned this before, but it may be WU-FTP.
Frech> POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root
Frech> access without anon FTP or a regular account?
Frech> POSSIBLY XF:wu-ftpd-exec;same as above conditions, but instead from a
Frech> non-anon FTP account and gain root privs.
=================================
Candidate: CAN-1999-0203
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
In Sendmail, attackers can gain root privileges via SMTP by specifying
an improper "mail from" address and an invalid "rcpt to" address that would
cause the mail to bounce to a program.
VOTES:
ACCEPT(5) Hill, Blake, Balinsky, Ozancin, Northcutt
NOOP(1) Christey
REVIEWING(1) Frech
COMMENTS:
Christey> Description needs to be more specific to distinguish between
Christey> this and CAN-1999-0163, as alluded to by Adam Shostack
=================================
Candidate: CAN-1999-0205
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: ADDREF BUGTRAQ:19990708 SM 8.6.12
Denial of service in Sendmail 8.6.11 and 8.6.12.
VOTES:
ACCEPT(2) Hill, Northcutt
MODIFY(2) Frech, Prosser
REVIEWING(2) Ozancin, Christey
COMMENTS:
Frech> XF:sendmail-alias-dos
Prosser> additional source
Prosser> Bugtraq
Prosser> "Re: SM 8.6.12"
Prosser> http://www.securityfocus.com
Christey> The Bugtraq thread does not provide any proof, including a
Christey> comment by Eric Allman that he hadn't been provided any
Christey> details either.
Christey>
Christey> See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu
Christey> for the thread.
=================================
Candidate: CAN-1999-0210
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Automount daemon in Solaris allows local or remote users privileged access,
and access to remote users in conjunction with rpc.statd.
VOTES:
MODIFY(2) Shostack, Frech
NOOP(2) Northcutt, Wall
COMMENTS:
Shostack> I think there was an SNI advisory on this
Frech> Not enough information; POSSIBLY XF:sun-automountd (changing mount options)
=================================
Candidate: CAN-1999-0212
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00168
rpc.mountd in Linux and Solaris would generate error messages that
allowed an attacker to determine what files were on the server.
VOTES:
ACCEPT(1) Prosser
MODIFY(2) Northcutt, Frech
COMMENTS:
Northcutt> I am concerned that Linux is becoming too
Northcutt> nondescript a word; in the past two weeks I have run
Northcutt> across 3 Linuxes I had never heard of before. I think we need
Northcutt> to start being specific when we mention Linux, either by
Northcutt> the kernel or vendor or something.
Frech> Reference: XF:sun-mountd
=================================
Candidate: CAN-1999-0213
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
libnsl in Solaris allowed an attacker to perform a denial of service
of rpcbind.
VOTES:
ACCEPT(1) Hill
MODIFY(1) Frech
NOOP(1) Meunier
COMMENTS:
Frech> XF:sun-libnsl
=================================
Candidate: CAN-1999-0216
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Denial of service of inetd on Linux through SYN and RST packets.
VOTES:
ACCEPT(1) Hill
MODIFY(1) Frech
RECAST(1) Meunier
COMMENTS:
Meunier> The location of the vulnerability, whether in the Linux kernel or the
Meunier> application, is debatable. Any program making the same (reasonable)
Meunier> assumption is vulnerable, i.e., implements the same vulnerability:
Meunier> "Assumption that TCP-three-way handshake is complete after calling Linux
Meunier> kernel function accept(), which returns socket after getting SYN. Result
Meunier> is process death by SIGPIPE"
Meunier> Moreover, whether it results in DOS (to third parties) depends on the
Meunier> process that made the assumption.
Meunier> I think that the present entry should be split, one entry for every
Meunier> application that implements the vulnerability (really describing threat
Meunier> instances, which is what other people think about when we talk about
Meunier> vulnerabilities), and one entry for the Linux kernel that allows the
Meunier> vulnerability to happen.
Frech> XF:hp-inetd
Frech> XF:linux-inetd-dos
=================================
Candidate: CAN-1999-0220
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Attackers can do a denial of service of IRC by crashing the server.
VOTES:
NOOP(1) Northcutt
=================================
Candidate: CAN-1999-0222
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Denial of service in Cisco IOS web server allows attackers to reboot
the router using a long URL.
VOTES:
MODIFY(2) Shostack, Frech
NOOP(2) Northcutt, Wall
COMMENTS:
Shostack> I follow cisco announcements and problems pretty closely, and haven't
Shostack> seen this. Source?
Frech> XF:cisco-web-crash
=================================
Candidate: CAN-1999-0223
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Solaris syslogd crashes when receiving a message from a host that
doesn't have an inverse DNS entry.
VOTES:
MODIFY(1) Frech
NOOP(3) Northcutt, Shostack, Wall
COMMENTS:
Frech> XF:sol-syslogd-crash
=================================
Candidate: CAN-1999-0225
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: SNI:SNI-25
Denial of service in Windows NT using SMB file commands before logging
in and accessing shares.
VOTES:
ACCEPT(1) Hill
MODIFY(1) Frech
NOOP(1) Wall
COMMENTS:
Frech> XF:nt-logondos
=================================
Candidate: CAN-1999-0226
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Windows NT TCP/IP processes fragmented IP packets improperly, causing
a denial of service.
VOTES:
ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0229
Published:
Final-Decision:
Interim-Decision:
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: MSKB:Q115052
Reference: XF:http-dotdot
Denial of service in Windows NT IIS server using ..\..
Modifications:
ADDREF MSKB:Q115052
ADDREF XF:http-dotdot
VOTES:
ACCEPT(1) Shostack
MODIFY(2) Wall, Frech
NOOP(1) Northcutt
COMMENTS:
Wall> Denial of service in Windows NT IIS Server 1.0 using ..\...
Wall> Source: Microsoft Knowledge Base Article Q115052 - IIS Server.
Frech> XF:http-dotdot (not necessarily IIS?)
=================================
Candidate: CAN-1999-0231
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6
packages using a long VRFY command, causing a denial of service and
possibly remote access.
VOTES:
ACCEPT(1) Levy
NOOP(2) Northcutt, Landfield
RECAST(1) Frech
REVIEWING(1) Ozancin
COMMENTS:
Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below)
Frech> XF:smtp-vrfy-bo (many mail packages)
Northcutt> (There is no way I will have access to these systems)
=================================
Candidate: CAN-1999-0232
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.
VOTES:
ACCEPT(2) Northcutt, Hill
MODIFY(1) Frech
NOOP(1) Prosser
COMMENTS:
Frech> Unable to provide a match due to vague/insufficient description/references.
Frech> Possible matches are:
Frech> XF:ftp-ncsa (probably not, considering you've mentioned the webserver.)
Frech> XF:http-ncsa-longurl (highest probability)
=================================
Candidate: CAN-1999-0233
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-iis-cmd
IIS and WebSite allow users to execute arbitrary commands using
.bat or .cmd files.
VOTES:
ACCEPT(2) Northcutt, Prosser
REVIEWING(1) Frech
COMMENTS:
Frech> XF reference is correct, but cannot find supporting reference for WebSite
Frech> vulnerability.
Frech> No further action to be taken unless more information forthcoming.
=================================
Candidate: CAN-1999-0235
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.
VOTES:
ACCEPT(3) Northcutt, Hill, Prosser
MODIFY(1) Frech
COMMENTS:
Frech> XF:http-ncsa-longurl
=================================
Candidate: CAN-1999-0238
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-phpfileread
php.cgi allows attackers to read any file on the system.
VOTES:
ACCEPT(3) Northcutt, Prosser, Frech
COMMENTS:
Prosser> additional source
Prosser> AUSCERT External Security Bulletin ESB-97.047
Prosser> http://www.auscert.org.au
Prosser> Published:
Prosser> Final-Decision:
Prosser> Interim-Decision:
Prosser> Modified:
Prosser> Announced: 19990623
Prosser> Assigned: 19990607
Prosser> Category: SF
Prosser> Reference: XF:http-iis-2e
Prosser> IIS 3.0 allows remote intruders to read source code for ASP programs
Prosser> by using a "2e" instead of a "." in the URL.
=================================
Candidate: CAN-1999-0240
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Some filters or firewalls allow fragmented SYN packets with IP
reserved bits in violation of their implemented policy.
VOTES:
ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0241
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:http-xguess-cookie
Guessable magic cookies in X Windows allows remote attackers to
execute commands, e.g. through xterm.
VOTES:
ACCEPT(3) Hill, Northcutt, Proctor
MODIFY(2) Frech, Prosser
REVIEWING(1) Christey
COMMENTS:
Frech> Also add to references:
Frech> XF:sol-mkcookie
Prosser> additional source
Prosser> Bugtraq
Prosser> "X11 cookie hijacker"
Prosser> http://www.securityfocus.com
Christey> The cookie hijacker thread has to do with stealing cookies
Christey> through a file with bad permissions. I'm not sure the
Christey> X-Force reference identifies this problem either.
=================================
Candidate: CAN-1999-0242
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Remote attackers can access mail files via POP3 in some Linux systems
that are using shadow passwords.
VOTES:
MODIFY(1) Frech
NOOP(3) Northcutt, Shostack, Wall
COMMENTS:
Frech> Ambiguous description: need more detail. Possibly:
Frech> XF:linux-pop3d (mktemp() leads to reading e-mail)
=================================
Candidate: CAN-1999-0243
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Linux cfingerd could be exploited to gain root access.
VOTES:
ACCEPT(1) Shostack
NOOP(2) Northcutt, Wall
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0246
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:hp-remote
HP Remote Watch allows a remote user to gain root access.
VOTES:
ACCEPT(4) Hill, Frech, Northcutt, Prosser
NOOP(1) Christey
COMMENTS:
Frech> Comment: Determine if it's RemoteWatch or Remote Watch.
Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in
Christey> Remote Watch (the advisory uses two words, not one, for the
Christey> "Remote Watch" name)
Prosser> agree that the advisory mentions two vulnerabilities in Remote
Prosser> Watch, one being a socket connection and the other with the showdisk utility
Prosser> which seems to be a suid vulnerability. Never got many details on this
Prosser> anywhere since the recommendation is to remove the program since it is
Prosser> obsolete and superseded by later tools. Believe the biggest concern here is
Prosser> to just not run the tool at all.
=================================
Candidate: CAN-1999-0247
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Buffer overflow in nnrpd program in INN allows remote users to execute
arbitrary commands.
VOTES:
NOOP(1) Northcutt
=================================
Candidate: CAN-1999-0248
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
sshd 1.2.17 can be compromised through the SSH protocol.
VOTES:
ACCEPT(1) Northcutt
MODIFY(1) Shostack
NOOP(1) Frech
COMMENTS:
Shostack> http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html
Shostack> looks to me to be about the correct message that came from Tatu.
Shostack> There are comments in changelog: * Improved the security of
Shostack> auth_input_request_forwarding().
Shostack>
Shostack> I'm not in favor of moving this forward without additional detail, but
Shostack> thought I'd add a confirming URL and comment. We have insufficient
Shostack> detail to accept it as a CVE.
Frech> Try http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1; to wit
Frech> (see asterisked section):
Frech> ...
Frech> *****
Frech> Versions of ssh prior to 1.2.17 had problems with authentication agent
Frech> handling on some machines. There is a chance (a race condition) that a
Frech> malicious user could steal another user's credentials. This should be fixed
Frech> in 1.2.17.
Frech> *****
=================================
Candidate: CAN-1999-0249
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Windows NT RSHSVC program allows remote users to execute arbitrary
commands.
VOTES:
MODIFY(2) Wall, Frech
NOOP(2) Northcutt, Shostack
COMMENTS:
Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows remote
Wall> users to execute arbitrary commands.
Wall> Source: rshsvc.txt from the Windows NT Resource Kit.
Frech> XF:rsh-svc
=================================
Candidate: CAN-1999-0250
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:qmail-leng
Denial of service in Qmail through long SMTP commands.
VOTES:
ACCEPT(2) Hill, Meunier
MODIFY(1) Frech
COMMENTS:
Frech> XF:qmail-rcpt
=================================
Candidate: CAN-1999-0253
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-iis-2e
IIS 3.0 allows remote intruders to read source code for ASP programs
by using a "2e" instead of a "." in the URL.
VOTES:
ACCEPT(2) Northcutt, Frech
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0254
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: ISS:Hidden SNMP community in HP OpenView
Reference: XF:hpov-hidden-snmp-comm
A hidden SNMP community string in HP OpenView allows remote attackers
to modify MIB tables and obtain sensitive information.
VOTES:
ACCEPT(1) Frech
NOOP(1) Wall
=================================
Candidate: CAN-1999-0255
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Buffer overflow in ircd allows arbitrary command execution.
VOTES:
ACCEPT(2) Northcutt, Hill
MODIFY(1) Frech
NOOP(1) Prosser
COMMENTS:
Frech> XF:irc-bo
=================================
Candidate: CAN-1999-0257
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Nestea variation of teardrop IP fragmentation denial of service.
VOTES:
ACCEPT(1) Wall
MODIFY(1) Frech
COMMENTS:
Frech> XF:nestea-linux-dos
=================================
Candidate: CAN-1999-0258
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Bonk variation of teardrop IP fragmentation denial of service.
VOTES:
MODIFY(2) Wall, Frech
COMMENTS:
Wall> Reference Q179129
Frech> XF:teardrop-mod
=================================
Candidate: CAN-1999-0259
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
cfingerd lists all users on a system via search.**@target.
VOTES:
ACCEPT(1) Shostack
MODIFY(1) Frech
NOOP(1) Northcutt
COMMENTS:
Frech> XF:cfinger-user-enumeration
=================================
Candidate: CAN-1999-0261
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.
VOTES:
MODIFY(2) Frech, Landfield
NOOP(1) Northcutt
COMMENTS:
Frech> XF:chamelion-smtp-dos
Landfield> - Specify what "a crash" means.
=================================
Candidate: CAN-1999-0268
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
MetaInfo MetaWeb web server allows users to upload and execute scripts.
VOTES:
ACCEPT(1) Northcutt
NOOP(1) Prosser
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0270
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
pfdispaly CGI program for SGI's Performer API Search Tool allows read
access to files.
VOTES:
ACCEPT(2) Northcutt, Prosser
MODIFY(1) Frech
REVIEWING(1) Christey
COMMENTS:
Prosser> additional source
Prosser> CIAC Security Bulletin I-041
Prosser> http://www.ciac.org
Frech> XF:sgi-pfdispaly
Frech> XF:sgi-dispaly-patch-vuln
Christey> There are two bugs here, as described in Bugtraq. The first one
Christey> allowed read access to files outside of a document root (a dot dot
Christey> problem). The second one was a shell metacharacter problem.
Christey> CAN-1999-0270 refers to the first problem only.
=================================
Candidate: CAN-1999-0271
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?
Progressive Networks Real Video server (pnserver) can be crashed remotely.
Modifications:
ADDREF BUGTRAQ:19980115 pnserver exploit..
ADDREF BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?
VOTES:
ACCEPT(2) Northcutt, Blake
NOOP(2) Prosser, Christey
REVIEWING(1) Frech
COMMENTS:
Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq
Christey> posting), but may be multiple codebases since several
Christey> Real Audio servers are affected.
=================================
Candidate: CAN-1999-0275
Published:
Final-Decision:
Interim-Decision:
Modified: 19990905-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: XF:nt-dnscrash
Reference: MS:Q169461
Denial of service in Windows NT DNS servers by flooding port 53 with
too many characters.
Modifications:
CHANGEREF XF:nt-dns-crash XF:nt-dnscrash
DESC slight change to mention port 53 specifically.
VOTES:
ACCEPT(1) Ozancin
MODIFY(2) Wall, Frech
REVIEWING(1) Christey
COMMENTS:
Wall> Denial of service in Windows NT DNS servers by malicious telnet attack.
Frech> Change XF:nt-dns-crash to XF:nt-dnscrash
Frech> ADDREF XF:nt-dnsver
Christey> The XF entry, and the corresponding Microsoft KB articles,
Christey> indicate that there is more than one vulnerability related to
Christey> the DNS server. Other CVE entries need to be created for the
Christey> other cases, including the telnet case that Mike mentions.
=================================
Candidate: CAN-1999-0280
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:19970317 Internet Explorer Bug #4
Reference: CIAC:H-38
Reference: XF:http-ie-lnkurl
Remote command execution in Microsoft Internet Explorer using .lnk and
.url files.
Modifications:
ADDREF CIAC:H-38
ADDREF XF:http-ie-lnkurl
ADDREF NTBUGTRAQ:19970317 Internet Explorer Bug #4
VOTES:
ACCEPT(5) Hill, Wall, Northcutt, Proctor, Balinsky
MODIFY(2) Frech, Prosser
NOOP(1) Christey
COMMENTS:
Frech> XF:http-ie-lnkurl
Prosser> additional source
Prosser> CIAC Bulletin H-38
Prosser> http://www.ciac.org
Prosser> Microsoft Internet Explorer Security Updates
Prosser> "Internet Explorer 3.02 Includes All Security"
Prosser> http://www.microsoft.com/windows/ie/security
Christey> Mike's Microsoft reference is no longer listed there.
Christey> This topic appears to have generated a long NTBugtraq thread.
=================================
Candidate: CAN-1999-0282
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.12.sun.loadmodule.vul
Vulnerabilities in loadmodule and modload programs in SunOS and OpenWindows.
VOTES:
MODIFY(1) Frech
RECAST(1) Prosser
COMMENTS:
Frech> XF:sun-loadmodule
Frech> XF:sun-modload (CERT CA-93.18 very old!)
Prosser> Believe the reference given, 95-12, is referencing a later
Prosser> loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an
Prosser> earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories
Prosser> for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, these may be the
Prosser> same as the HP patches are 100448-02 for the 93 loadmodule/modload
Prosser> vulnerability and 100448-03 for the 95 loadmodule vulnerability which
Prosser> normally indicated a patch update. Looks like the original patch either
Prosser> didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell
Prosser> much beyond that and this is my opinion only as have no way to check it.
Prosser> Which one is this CVE referencing? I accept both.
=================================
Candidate: CAN-1999-0283
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
The Java Web Server would allow remote users to obtain the source
code for CGI programs.
VOTES:
ACCEPT(2) Northcutt, Blake
NOOP(1) Prosser
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0284
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:smtp-helo-bo
Denial of service to NT mail servers including Ipswitch, Mdaemon, and
Exchange through a buffer overflow in the SMTP HELO command.
VOTES:
ACCEPT(2) Blake, Northcutt
MODIFY(3) Frech, Levy, Ozancin
REVIEWING(1) Christey
COMMENTS:
Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification)
Frech> XF:mdaemon-helo-bo
Frech> XF:lotus-notes-helo-crash
Frech> XF:slmail-helo-overflow
Frech> XF:smtp-helo-bo (mentions several products)
Frech> XF:smtp-exchangedos
Levy> - Need one per software. Each one should be its own
Levy> vulnerability.
Ozancin> => Windows NT is correct
Christey> These are probably multiple codebases, so we'll need to use
Christey> dot notation. Also need to see if this should be merged
Christey> with CAN-1999-0098 (Sendmail SMTP HELO).
=================================
Candidate: CAN-1999-0285
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Denial of service in telnet from the Windows NT Resource Kit, by
opening then immediately closing a connection.
VOTES:
ACCEPT(1) Hill
NOOP(1) Wall
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0286
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
In some NT web servers, appending a space at the end of a URL may
allow attackers to read source code for active pages.
VOTES:
ACCEPT(1) Shostack
MODIFY(1) Wall
NOOP(2) Northcutt, Christey
REVIEWING(1) Frech
COMMENTS:
Wall> In some NT web servers, appending a dot at the end of a URL may
Wall> allow attackers to read source code for active pages.
Wall> Source: MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears
Wall> in Browser"
Frech> In the meantime, reword description as 'Windows NT' (trademark issue)
Christey> Spaces, dots, there are many like this. Description is too
Christey> vague.
=================================
Candidate: CAN-1999-0287
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Vulnerability in the Wguest CGI program.
VOTES:
ACCEPT(1) Blake
MODIFY(2) Shostack, Frech
NOOP(2) Northcutt, Wall
REVIEWING(1) Christey
COMMENTS:
Shostack> allows file reading
Frech> XF:http-cgi-webcom-guestbook
Christey> Appears to be a duplicate of CAN-1999-0467
=================================
Candidate: CAN-1999-0290
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Denial of service in the Telnet proxy in WinGate.
VOTES:
ACCEPT(3) Hill, Blake, Northcutt
MODIFY(2) Frech, Prosser
COMMENTS:
Frech> XF:wingate-dos
Prosser> additional source
Prosser> Hrvoje Crvelin
Prosser> Security Bugware
Prosser> http://161.53.42.3/~crv/security/bugs/NT/wingate2.html
=================================
Candidate: CAN-1999-0291
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Remote users can redirect their connections through a WinGate proxy.
VOTES:
ACCEPT(4) Hill, Blake, Northcutt, Ozancin
MODIFY(2) Frech, Prosser
COMMENTS:
Frech> Description needs more info or references on how this redirection takes
Frech> place. Is it by password access? If so, consider these two references:
Frech> XF:wingate-unpassworded
Frech> XF:wingate-registry-passwords
Prosser> believe this is the "WinGate Bounce" described in
Prosser> Hrvoje Crvelin's
Prosser> Security Bugware
Prosser> http://161.53.42.3/~crv/security/bugs/NT/wingate.htm
=================================
Candidate: CAN-1999-0297
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NAI:NAI-3
Buffer overflow in Vixie Cron 2.1 allows local users to obtain root
access.
VOTES:
ACCEPT(2) Northcutt, Hill
MODIFY(1) Frech
RECAST(1) Prosser
COMMENTS:
Prosser> This appears to be the same as the Cron BO reported in CIAC
Prosser> H-17 which affects versions of the vixie cron package up to and including
Prosser> 3.0
Frech> XF:vixie-cron
=================================
Candidate: CAN-1999-0298
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: NAI:NAI-6
ypbind with -ypset and -ypsetme options activated
in Linux Slackware and SunOS allows local and remote attackers to
overwrite files.
VOTES:
ACCEPT(1) Northcutt
NOOP(1) Shostack
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0304
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:bsd-mmap
Reference: FreeBSD:FreeBSD-SA-98:02
mmap function in BSD allows local attackers in the kmem group to
modify memory through devices.
VOTES:
ACCEPT(3) Hill, Frech, Northcutt
=================================
Candidate: CAN-1999-0306
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hp-xlock
Buffer overflow in HP xlock program.
VOTES:
ACCEPT(3) Northcutt, Baker, Frech
MODIFY(1) Prosser
NOOP(1) Shostack
COMMENTS:
Prosser> This is another of those with multiple affected OSs.
Prosser> Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt,
Prosser> HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150
=================================
Candidate: CAN-1999-0307
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hpux-cstm-bo
Buffer overflow in HP-UX cstm program allows local users to gain
root privileges.
VOTES:
ACCEPT(2) Northcutt, Frech
NOOP(3) Shostack, Prosser, Baker
COMMENTS:
Prosser> only ref I can find is an old SOD exploit on
Prosser> www.outpost9.com
=================================
Candidate: CAN-1999-0317
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:su-bo
Buffer overflow in Linux su command gives root access to local
users.
VOTES:
ACCEPT(3) Northcutt, Hill, Frech
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0318
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:xmcd-envbo
Buffer overflow in xmcd 2.0p12 allows local users to gain access
through an environmental variable.
VOTES:
ACCEPT(3) Northcutt, Hill, Frech
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0319
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:xmcd-tiflestr
Buffer overflow in xmcd 2.1 allows local users to gain access
through a user resource setting.
VOTES:
ACCEPT(3) Northcutt, Hill, Frech
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0322
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-97:05
Reference: XF:freebsd-open
The open() function in FreeBSD allows local attackers to write
to arbitrary files.
VOTES:
ACCEPT(3) Hill, Frech, Northcutt
=================================
Candidate: CAN-1999-0323
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:04
FreeBSD mmap function allows users to modify append-only or immutable
files.
VOTES:
ACCEPT(2) Hill, Northcutt
REVIEWING(1) Frech
COMMENTS:
Frech> probably XF:bsd-mmap
=================================
Candidate: CAN-1999-0330
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Linux bdash game has a buffer overflow that allows local users to
gain root access.
VOTES:
MODIFY(1) Frech
NOOP(3) Northcutt, Shostack, Wall
COMMENTS:
Frech> XF:bdash-bo
=================================
Candidate: CAN-1999-0331
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:msie-bo
Buffer overflow in Internet Explorer 4.0(1).
VOTES:
ACCEPT(2) Northcutt, Baker
MODIFY(2) Shostack, Frech
RECAST(1) Prosser
COMMENTS:
Shostack> this is a high cardinality item
Prosser> needs to be more specific.
Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague
Frech> duplicate)
Frech> Description (from xfdb): Some versions of Internet Explorer for Windows
Frech> contain a vulnerability that may crash the browser when a malicious web site
Frech> contains a certain kind of URL (that begins with "mk://") with more
Frech> characters than the browser supports.
=================================
Candidate: CAN-1999-0333
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK
Reference: HP:HPSBUX9810-085
Reference: XF:omniback-remote
HP OpenView Omniback allows remote execution of commands as root via
spoofing, and local users can gain root access via a symlink attack.
Modifications:
ADDREF HP:HPSBUX9810-085
VOTES:
ACCEPT(1) Frech
MODIFY(1) Prosser
RECAST(1) Christey
COMMENTS:
Prosser> additional source
Prosser> HP Security Bulletin 85
Prosser> http://us-support.external.hp.com
Prosser> http://europe-support.external.hp.com
Christey> Two separate bugs, so SF-LOC says this candidate should be
Christey> split
=================================
Candidate: CAN-1999-0336
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hpux-mstm-bo
Buffer overflow in mstm in HP-UX allows local users to gain root
access.
VOTES:
ACCEPT(2) Northcutt, Frech
NOOP(3) Shostack, Prosser, Baker
COMMENTS:
Prosser> same as CAN-1999-0307, only ref I can find is an old SOD
Prosser> exploit on www.outpost9.com
=================================
Candidate: CAN-1999-0343
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:palace-execute
A malicious Palace server can force a client to execute arbitrary
programs.
VOTES:
ACCEPT(2) Northcutt, Baker
MODIFY(1) Frech
NOOP(2) Shostack, Prosser
COMMENTS:
Shostack> The description worries me. Can force any client? Can force an
Shostack> overly trusting client?
Frech> XF reference above is obsolete; replace with
Frech> XF:palace-malicious-servers-vuln
=================================
Candidate: CAN-1999-0345
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Jolt ICMP attack causes a denial of service in Windows 95 and Windows
NT systems.
VOTES:
MODIFY(1) Wall
NOOP(1) Northcutt
COMMENTS:
Wall> Invalid ICMP datagram fragments cause a denial of service in Windows 95 and
Wall> Windows NT systems.
Wall> Reference: Q154174.
Wall> Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death.
Wall> It is a modified teardrop 2 attack.
=================================
Candidate: CAN-1999-0347
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan26,1999
Reference: NTBUGTRAQ:Jan28,1999
Javascript bug in Internet Explorer 4.01 by adding %01URL allows
reading local files and spoofing of web pages from other sites.
VOTES:
ACCEPT(2) Northcutt, Levy
MODIFY(1) Prosser
REVIEWING(1) Frech
COMMENTS:
Prosser> this is a modified Cross-Frame vulnerability that circumvents
Prosser> the original Cross-Frame Patch. Addressed in MS Bulletin MS99.012
Prosser> http://www.microsoft.com/security/bulletins/ms99-012.asp
=================================
Candidate: CAN-1999-0352
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-passwd-encrypt
ControlIT 4.5 and earlier (aka Remotely Possible) has weak password
encryption.
VOTES:
ACCEPT(2) Baker, Frech
NOOP(2) Wall, Northcutt
RECAST(1) Ozancin
COMMENTS:
Ozancin> Can we combine this with CAN-1999-0356 - ControlIT(tm) 4.5 and earlier uses
Ozancin> weak encryption.
=================================
Candidate: CAN-1999-0354
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:Jan27,1999
Reference: MS:MS99-002
Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution
of Visual Basic programs to the IE client through the Word 97
template, which doesn't warn the user that the template contains
executable content. Also applies to Outlook when the client views a
malicious email message.
VOTES:
ACCEPT(1) Wall
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0356
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-bookfile-access
ControlIT v4.5 and earlier uses weak encryption to store
usernames and passwords in an address book.
VOTES:
ACCEPT(2) Baker, Frech
NOOP(2) Wall, Northcutt
RECAST(1) Ozancin
=================================
Candidate: CAN-1999-0358
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan29,1999
Reference: COMPAQ:SSRT0583U
Digital Unix 4.0 has a buffer overflow in the inc program of the mh
package.
VOTES:
ACCEPT(3) Shostack, Northcutt, Hill
MODIFY(2) Prosser, Frech
COMMENTS:
Prosser> Ref'd SSRT has an 'at' vulnerability as well, supposedly fixed by
Prosser> the patch. Shouldn't this be included as a separate CVE in this
Prosser> cluster? ref: BugTraq "Digital Unix Buffer Overflows: Exploits" from
Prosser> Lamont Granquist for both as well.
Frech> Reference: XF:du-inc
=================================
Candidate: CAN-1999-0360
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan29,1999
Reference: NTBUGTRAQ:Jan29,1999
MS Site Server 2.0 with IIS 4 can allow users to upload content,
including ASP, to the target web site, thus allowing them to
execute commands remotely.
VOTES:
ACCEPT(2) Northcutt, Wall
NOOP(1) Prosser
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0361
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan29,1999
NetWare version of LaserFiche stores usernames and passwords
unencrypted, and allows administrative changes without logging.
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0364
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb04,1999
Microsoft Access 97 stores a database password as plaintext in a
foreign mdb, allowing access to data.
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0370
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00184
In Sun Solaris and SunOS, man and catman contain vulnerabilities
that allow overwriting arbitrary files.
VOTES:
ACCEPT(2) Northcutt, Prosser
MODIFY(1) Frech
COMMENTS:
Frech> Reference: XF:sun-man
=================================
Candidate: CAN-1999-0378
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb22,1999
InterScan VirusWall for Solaris doesn't scan files for viruses when
a single HTTP request includes two GET commands.
VOTES:
=================================
Candidate: CAN-1999-0380
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb25,1999
Reference: SF:497
SLMail 3.2 or 3.1 allows local users to access any file in the
NTFS file system when the Remote Administration Service (RAS) is
enabled.
VOTES:
ACCEPT(2) Wall, Ozancin
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0381
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb26,1999
Reference: Sekure:SUPER's log function buffer overflow
Reference: XF:linux-super-logging-bo
Reference: SF:342
super 3.11.6 and other versions have a buffer overflow in the syslog
utility which allows a local user to gain root access.
VOTES:
ACCEPT(2) Ozancin, Frech
NOOP(2) Wall, Christey
COMMENTS:
Christey> Is this the same as CVE-1999-0373? They both have the same
Christey> X-Force reference
=================================
Candidate: CAN-1999-0387
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
A legacy credential caching mechanism used in Windows 95 and Windows
98 systems allowed attackers to read plaintext network passwords.
VOTES:
=================================
Candidate: CAN-1999-0393
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Dec12,1999
Remote attackers can cause a denial of service in Sendmail 8.8.x and
8.9.2 by sending messages with a large number of headers.
VOTES:
=================================
Candidate: CAN-1999-0394
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan15,1999
DPEC Online Courseware allows an attacker to change another user's
password without knowing the original password.
VOTES:
=================================
Candidate: CAN-1999-0395
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: ISS:Vulnerability in the BackWeb Polite Agent Protocol
A race condition in the BackWeb Polite Agent Protocol allows an
attacker to spoof a BackWeb server.
VOTES:
ACCEPT(1) Hill
MODIFY(1) Frech
NOOP(2) Northcutt, Landfield
COMMENTS:
Frech> XF:backweb-polite-agent-protocol
=================================
Candidate: CAN-1999-0397
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: L0PHT:Jan21,1999
Reference: BUGTRAQ:Jan21,1999
The demo version of the Quakenbush NT Password Appraiser sends
passwords across the network in plaintext.
VOTES:
ACCEPT(1) Northcutt
REJECT(1) Wall
=================================
Candidate: CAN-1999-0398
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan23,1999
In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will
allow users with expired accounts to log in.
VOTES:
=================================
Candidate: CAN-1999-0399
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan24,1999
The DCC server command in the mIRC 5.5 client doesn't filter
characters from file names properly, allowing remote attackers to
place a malicious file in a different location, possibly allowing the
attacker to execute commands.
VOTES:
=================================
Candidate: CAN-1999-0400
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Denial of service in Linux 2.2.0 running the ldd command on a core
file.
VOTES:
=================================
Candidate: CAN-1999-0401
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb2,1999
A race condition in Linux 2.2.1 allows local users to read arbitrary
memory from /proc files.
VOTES:
=================================
Candidate: CAN-1999-0403
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb4,1999
Reference: XF:cyrix-hang
A bug in Cyrix CPUs on Linux allows local users to perform a denial
of service.
VOTES:
ACCEPT(1) Northcutt
NOOP(1) Wall
=================================
Candidate: CAN-1999-0406
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:digital-networker-bo
Digital Unix Networker program nsralist has a buffer overflow which
allows local users to obtain root privilege.
VOTES:
=================================
Candidate: CAN-1999-0407
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb19,1999
By default, IIS 4.0 has a virtual directory /IISADMPWD which contains
files that can be used as proxies for brute force password attacks, or
to identify valid users on the system.
VOTES:
=================================
Candidate: CAN-1999-0408
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:cobalt-raq-history-exposure
Reference: SF:337
Files created from interactive shell sessions in Cobalt RaQ
microservers (e.g. .bash_history) are world readable, and thus are
accessible from the web server.
VOTES:
ACCEPT(2) Ozancin, Frech
NOOP(1) Wall
=================================
Candidate: CAN-1999-0409
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Mar4,1999
Reference: XF:gnuplot-home-overflow
Reference: SF:319
Buffer overflow in gnuplot in Linux version 3.5 allows local users to
obtain root access.
VOTES:
ACCEPT(2) Ozancin, Frech
NOOP(1) Wall
=================================
Candidate: CAN-1999-0411
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:sco-startup-scripts
Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p,
including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a
symlink attack, allowing a local user to gain root access.
VOTES:
MODIFY(1) Frech
NOOP(1) Wall
COMMENTS:
Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not
Frech> 19 February) mentions gaining root access... it says a local user could
Frech> "delete or overwrite arbitrary files on the system."
=================================
Candidate: CAN-1999-0415
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ISS:Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers
The Clickstart web server in Cisco 700 series routers allows remote
attackers to execute commands on the router, or perform information
gathering, without authentication.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> Reference: ISS:March11,1999 (consistent with cluster 1, CAN-1999-0008)
Frech> XF:cisco-router-commands
Frech> XF:cisco-web-config
=================================
Candidate: CAN-1999-0416
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ISS:Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers
The Clickstart web server in Cisco 700 series routers allows remote
attackers to perform a denial of service.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> Reference: ISS:March11,1999
Frech> XF:cisco-web-crash
=================================
Candidate: CAN-1999-0419
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Mar17,1999
When the Microsoft SMTP service attempts to send a message to a server
and receives a 4xx error code, it quickly and repeatedly attempts to
redeliver the message, causing a denial of service.
VOTES:
=================================
Candidate: CAN-1999-0421
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: ISS:Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations
During a reboot after an installation of Linux Slackware 3.6, a remote
attacker can obtain root access by logging in to the root account
without a password.
VOTES:
ACCEPT(2) Hill, Northcutt
MODIFY(1) Frech
COMMENTS:
Frech> XF:linux-slackware-install
=================================
Candidate: CAN-1999-0426
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Mar19,1999
The default permissions of /dev/kmem in Linux versions before 2.0.36
allow IP spoofing.
VOTES:
=================================
Candidate: CAN-1999-0427
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Mar20,1999
Reference: XF:eudora-long-attachments
Eudora 4.1 allows remote attackers to perform a denial of service by
sending attachments with long file names.
VOTES:
=================================
Candidate: CAN-1999-0428
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Mar22,1999
Reference: XF:ssl-session-reuse
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions.
VOTES:
ACCEPT(2) Wall, Frech
=================================
Candidate: CAN-1999-0429
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Mar23,1999
Reference: XF:lotus-client-encryption
The Lotus Notes 4.5 client may send a copy of encrypted mail in the
clear across the network if the user does not set the "Encrypt Saved
Mail" preference.
VOTES:
ACCEPT(2) Ozancin, Frech
NOOP(1) Wall
=================================
Candidate: CAN-1999-0431
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Mar24,1999
Linux 2.2.3 and earlier allow a remote attacker to perform an IP
fragmentation attack, causing a denial of service.
VOTES:
=================================
Candidate: CAN-1999-0434
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Mar31,1999
Reference: SF:359
XFree86 xfs command is vulnerable to a symlink attack, allowing
local users to create files in restricted directories, possibly
allowing them to gain privileges or cause a denial of service.
VOTES:
=================================
Candidate: CAN-1999-0435
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9903-096
MC/ServiceGuard and MC/LockManager in HP-UX allow local users to gain
privileges through SAM.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:hp-servicegaurd
=================================
Candidate: CAN-1999-0439
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr4,1999
Reference: XF:procmail-overflow
Buffer overflow in procmail before version 3.12 allows remote
execution, or local attackers to gain privileges.
VOTES:
ACCEPT(1) Ozancin
MODIFY(1) Frech
NOOP(1) Wall
COMMENTS:
Frech> Poorly summarized. See procmail-overflow.
=================================
Candidate: CAN-1999-0440
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr4,1999
Reference: XF:java-unverified-code
The byte code verifier component of the Java Virtual Machine (JVM)
allows remote execution through malicious web pages.
VOTES:
ACCEPT(2) Ozancin, Frech
REVIEWING(1) Wall
=================================
Candidate: CAN-1999-0443
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr9,1999
Reference: XF:bmc-patrol-replay
Patrol management software allows a remote attacker to conduct a
replay attack to steal the administrator password.
VOTES:
=================================
Candidate: CAN-1999-0444
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr12,1999
Remote attackers can perform a denial of service in Windows machines
using malicious ARP packets, forcing a message box display for each
packet or filling up log files.
VOTES:
=================================
Candidate: CAN-1999-0450
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan22,1999
Reference: SF:194
In IIS, an attacker could determine a real path using a request for a
non-existent URL that would be interpreted by Perl (perl.exe).
VOTES:
ACCEPT(2) Wall, Ozancin
REVIEWING(1) Frech
COMMENTS:
Frech> Can't find in database.
=================================
Candidate: CAN-1999-0451
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan19,1999
Reference: SF:343
Denial of service in Linux 2.0.36 allows local users to prevent
any server from listening on any non-privileged port.
VOTES:
ACCEPT(1) Ozancin
NOOP(1) Wall
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0452
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
A service or application has a backdoor password that was placed there
by the developer.
VOTES:
ACCEPT(1) Wall
REJECT(1) Frech
COMMENTS:
Frech> Much too broad. Also may be HIGHCARD (or will be in the future).
=================================
Candidate: CAN-1999-0453
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
An attacker can identify a Cisco device by sending a SYN packet to
port 1999, which is for the Cisco Discovery Protocol (CDP).
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0454
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
A remote attacker can sometimes identify the operating system of a
host based on how it reacts to some IP or ICMP packets, using a tool
such as nmap or queso.
VOTES:
NOOP(1) Wall
REJECT(1) Northcutt
COMMENTS:
Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced
Northcutt> ways to accomplish this. To pursue making the world signature free
Northcutt> is as much a vulnerability as having signatures, nay more.
=================================
Candidate: CAN-1999-0455
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: ALLAIRE:ASB-001
Reference: XF:coldfusion-expression-evaluator
Reference: SF:115
The Expression Evaluator sample application in ColdFusion allows
remote attackers to read or delete files on the server.
VOTES:
ACCEPT(2) Ozancin, Frech
MODIFY(1) Wall
COMMENTS:
Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues)
Wall> make application plural since there are three sample applications
Wall> (openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm).
=================================
Candidate: CAN-1999-0459
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: XF:linux-milo-halt
Local users can perform a denial of service in Alpha Linux, using MILO
to force a reboot.
VOTES:
NOOP(1) Northcutt
REJECT(1) Wall
=================================
Candidate: CAN-1999-0460
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb18,1999
Reference: SF:312
Buffer overflow in Linux autofs module through long directory names
allows local users to perform a denial of service.
VOTES:
ACCEPT(1) Ozancin
NOOP(1) Wall
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0461
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Versions of rpcbind, including those in Linux and IRIX and Wietse
Venema's rpcbind, allow a remote attacker to insert and delete entries
by spoofing a source address.
VOTES:
=================================
Candidate: CAN-1999-0462
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan14,1999
Reference: SF:339
suidperl in Linux Perl does not check the nosuid mount option on file
systems, allowing local users to gain root access by placing a setuid
script in a mountable file system, e.g. a CD-ROM or floppy disk.
VOTES:
=================================
Candidate: CAN-1999-0464
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Local users can perform a denial of service in Tripwire 1.2 and
earlier using long filenames.
VOTES:
=================================
Candidate: CAN-1999-0465
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: XF:http-img-overflow
Remote attackers can crash Lynx and Internet Explorer using an IMG tag
with a large width parameter.
VOTES:
ACCEPT(1) Northcutt
REJECT(1) Wall
=================================
Candidate: CAN-1999-0467
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-webcom-guestbook
The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a
remote attacker to read arbitrary files using the template key.
VOTES:
ACCEPT(2) Frech, Landfield
NOOP(1) Northcutt
REVIEWING(1) Christey
COMMENTS:
Christey> Appears to be a duplicate of CAN-1999-0287
=================================
Candidate: CAN-1999-0469
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: XF:ie-window-spoof
Reference: BUGTRAQ:Apr9,1999
Internet Explorer 5.0 allows window spoofing, allowing a remote
attacker to spoof a legitimate web site and capture information from
the client.
VOTES:
ACCEPT(1) Wall
NOOP(1) Northcutt
COMMENTS:
Wall> Reference: Microsoft Security Bulletin MS99-012
=================================
Candidate: CAN-1999-0470
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:netware-remotenlm-passwords
Reference: BUGTRAQ:Apr9,1999
A weak encryption algorithm is used for passwords in Novell
Remote.NLM, allowing them to be easily decrypted.
VOTES:
ACCEPT(5) Wall, Northcutt, Baker, Ozancin, Frech
=================================
Candidate: CAN-1999-0476
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:sco-termvision-password
A weak encryption algorithm is used for passwords in SCO TermVision,
allowing them to be easily decrypted by a local user.
VOTES:
ACCEPT(3) Baker, Ozancin, Frech
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0477
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: L0PHT:Cold Fusion App Server
Reference: XF:coldfusion-expression-evaluator
Reference: SF:115
The Expression Evaluator in the ColdFusion Application Server allows a
remote attacker to execute commands by uploading a file.
VOTES:
ACCEPT(3) Ozancin, Christey, Frech
REJECT(1) Wall
COMMENTS:
Wall> Duplicate of 0455
Christey> CAN-1999-0477 and CAN-1999-0455 were discovered at different
Christey> times. Also, the attack was different. So "Same Attack" and
Christey> "Same Time of Discovery" dictate that these should remain
Christey> separate.
=================================
Candidate: CAN-1999-0480
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr15,1999
Local attackers can conduct a denial of service in Midnight Commander
4.x with a symlink attack.
VOTES:
=================================
Candidate: CAN-1999-0486
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr20,1999
Denial of service in AOL Instant Messenger when a remote attacker
sends a malicious hyperlink to the receiving client, potentially
causing a system crash.
VOTES:
=================================
Candidate: CAN-1999-0488
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-012
MSHTML.DLL in Internet Explorer allows a remote attacker to execute
security scripts in a different security context, using malicious
URLs.
VOTES:
ACCEPT(1) Landfield
MODIFY(2) Frech, Wall
COMMENTS:
Frech> XF:ie-mshtml-crossframe
Wall> (source: MSKB:Q168485)
=================================
Candidate: CAN-1999-0489
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-012
MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to read
the contents of a user's clipboard, aka untrusted scripted paste.
VOTES:
ACCEPT(1) Levy
MODIFY(1) Wall
RECAST(1) Prosser
REVIEWING(1) Frech
COMMENTS:
Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a
Frech> clipboard in either.
Frech> I cannot proceed on this one without further clarification.
Wall> (source: MS:MS99-012)
Prosser> agree with Andre here. The Untrusted Scripted paste
Prosser> vulnerability was originally addressed in MS98-015 and it is in the file
Prosser> upload intrinsic control in which an attacker can paste the name of a file
Prosser> on the target's drive in the control and a form submission would then send
Prosser> that file from the attacked machine to the remote web site. This one has
Prosser> nothing to do with the clipboard. What the advisory mentioned here,
Prosser> MS99-012, does is replace the MSHTML parsing engine which is supposed to fix
Prosser> the original Untrusted Scripted Paste issue and a variant, as well as the
Prosser> two Cross-Frame variants and a privacy issue in IMG SRC.
Prosser> The vulnerability that allowed reading of a user's clipboard is the Forms
Prosser> 2.0 Active X control vulnerability discussed in MS99-01
=================================
Candidate: CAN-1999-0490
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-012
MSHTML.DLL in Internet Explorer allows a remote attacker to learn
information about a local user's files.
VOTES:
ACCEPT(2) Wall, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> XF:ie-scriplet-fileread
=================================
Candidate: CAN-1999-0491
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr20,1999
Reference: SF:119
The prompt parsing in bash allows a local user to execute commands as
another user by creating a directory with the name of the command
to execute.
VOTES:
=================================
Candidate: CAN-1999-0492
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Apr23,1999
ffingerd 1.19 allows remote attackers to identify users on the
target system based on its responses.
VOTES:
ACCEPT(1) Northcutt
MODIFY(1) Shostack
REVIEWING(1) Frech
COMMENTS:
Shostack> isn't that what finger is supposed to do?
=================================
Candidate: CAN-1999-0493
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
A remote attacker can bounce RPC calls through rpc.statd.
VOTES:
ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0495
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
A remote attacker can gain access to a file system using .. (dot dot)
when accessing SMB shares.
VOTES:
ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0497
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Anonymous FTP is enabled.
VOTES:
ACCEPT(1) Shostack
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0498
Published:
Final-Decision:
Interim-Decision:
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: CF
Reference: CERT:CA-91.18.Active.Internet.tftp.Attacks
TFTP is not running in a restricted directory, allowing a remote
attacker to access sensitive information such as password files.
Modifications:
ADDREF CERT:CA-91.18.Active.Internet.tftp.Attacks
VOTES:
ACCEPT(3) Hill, Blake, Northcutt
MODIFY(1) Frech
NOOP(1) Christey
COMMENTS:
Frech> XF:linux-tftp
Christey> XF:linux-tftp refers to CAN-1999-0183
=================================
Candidate: CAN-1999-0499
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
NETBIOS share information may be published through SNMP registry keys
in NT.
VOTES:
ACCEPT(5) Wall, Northcutt, Baker, Shostack, Ozancin
MODIFY(1) Frech
COMMENTS:
Frech> Change wording to 'Windows NT.'
Frech> XF:snmp-netbios
=================================
Candidate: CAN-1999-0501
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF
A Unix account has a guessable password.
VOTES:
ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0502
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF
A Unix account has a default, null, blank, or missing password.
VOTES:
ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0503
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF
A Windows NT local user or administrator account has a guessable
password.
VOTES:
ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0504
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF
A Windows NT local user or administrator account has a default, null,
blank, or missing password.
VOTES:
ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0505
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF
A Windows NT domain user or administrator account has a guessable
password.
VOTES:
ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0506
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF
A Windows NT domain user or administrator account has a default, null,
blank, or missing password.
VOTES:
ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0507
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF
An account on a router, firewall, or other network device has a guessable
password.
VOTES:
ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0508
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF
An account on a router, firewall, or other network device has a
default, null, blank, or missing password.
VOTES:
ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0509
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
Perl, sh, csh, or other shell interpreters are accessible on a WWW
site.
VOTES:
ACCEPT(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0510
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A router or firewall allows source routed packets from arbitrary
hosts.
VOTES:
ACCEPT(1) Northcutt
MODIFY(1) Frech
COMMENTS:
Frech> XF:source-routing
=================================
Candidate: CAN-1999-0511
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
IP forwarding is enabled on a machine which is not a router or
firewall.
VOTES:
ACCEPT(1) Northcutt
MODIFY(1) Frech
COMMENTS:
Frech> XF:ip-forwarding
=================================
Candidate: CAN-1999-0512
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Mail relay is enabled, allowing abuse by spammers.
VOTES:
ACCEPT(2) Northcutt, Shostack
=================================
Candidate: CAN-1999-0515
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
An unrestricted remote trust relationship for Unix systems has been
set up, e.g. by using a + sign in /etc/hosts.equiv.
VOTES:
ACCEPT(1) Northcutt
REJECT(1) Shostack
COMMENTS:
Shostack> Overly broad
=================================
Candidate: CAN-1999-0516
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF
An SNMP community name is guessable.
VOTES:
ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0517
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF
An SNMP community name is the default (e.g. public), null, or
missing.
VOTES:
ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0518
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF
A NETBIOS/SMB share password is guessable.
VOTES:
ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0519
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF
A NETBIOS/SMB share password is the default, null, or missing.
VOTES:
ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0520
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
A system-critical NETBIOS/SMB share has inappropriate access control.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we need to enumerate the shares and or the access control
=================================
Candidate: CAN-1999-0521
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF
An NIS domain name is easily guessable.
VOTES:
ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0522
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
Reference: CERT:CA-96.10
The permissions for a system-critical NIS+ table (e.g. passwd) are
inappropriate.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> Why not say world readable, this is what you do further down in the
Northcutt> file (world exportable in CAN-1999-0554)
=================================
Candidate: CAN-1999-0523
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
ICMP echo (ping) is allowed from arbitrary hosts.
VOTES:
REJECT(1) Northcutt
REVIEWING(1) Frech
COMMENTS:
Northcutt> (Though I sympathize with this one :)
=================================
Candidate: CAN-1999-0524
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
ICMP information such as netmask and timestamp is allowed from
arbitrary hosts.
VOTES:
MODIFY(1) Frech
REJECT(1) Northcutt
COMMENTS:
Frech> XF:icmp-timestamp
Frech> XF:icmp-netmask
=================================
Candidate: CAN-1999-0525
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
IP traceroute is allowed from arbitrary hosts.
VOTES:
MODIFY(1) Frech
REJECT(1) Northcutt
COMMENTS:
Frech> XF:traceroute
=================================
Candidate: CAN-1999-0527
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
The permissions for system-critical data in an anonymous FTP account
are inappropriate. For example, the root directory is writeable by
world, a real password file is obtainable, or executable commands such
as "ls" can be overwritten.
VOTES:
ACCEPT(2) Wall, Northcutt
COMMENTS:
Northcutt> That that starts to get specific :)
=================================
Candidate: CAN-1999-0528
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A router or firewall forwards external packets that claim to come from
inside the network that the router/firewall is in front of.
VOTES:
ACCEPT(1) Northcutt
REVIEWING(1) Frech
COMMENTS:
Frech> possibly XF:nisd-dns-fwd-check
=================================
Candidate: CAN-1999-0529
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A router or firewall forwards packets that claim to come from IANA
reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x,
etc.
VOTES:
REJECT(1) Northcutt
REVIEWING(1) Frech
COMMENTS:
Northcutt> I have seen ISPs "assign" private addresses within their domain
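Added example (not part of the original list or of any voter's comment) covering CAN-1999-0528 and CAN-1999-0529 together: a check that classifies packets arriving on the outside interface by source address, separating "claims to be one of our own prefixes" from "comes from reserved/private space", and renders the same policy as IOS-style ACL lines. The bogon list is deliberately a parameter, since what IANA holds in reserve changes (the 217.x.x.x block named in the candidate was reserved in 1999 and has since been allocated), and the `exceptions` parameter models Northcutt's point that an upstream may legitimately use private space. The ACL number, the prefix lists and the sample packets are constructed assumptions.

```python
import ipaddress

# Constructed default bogon list: RFC 1918 private space, loopback and the
# "this network" block. What is reserved changes over time, so callers can
# pass a current list instead of relying on this one.
DEFAULT_BOGONS = ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                  "172.16.0.0/12", "192.168.0.0/16")


def _nets(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def ingress_verdict(src_ip, internal_nets, bogons=DEFAULT_BOGONS, exceptions=()):
    """Classify a packet that arrived on the OUTSIDE interface by its source.

    "spoofed-internal"  source claims to be one of our own prefixes (CAN-1999-0528)
    "bogon"             source is reserved/private space (CAN-1999-0529)
    "allow"             source address is unobjectionable

    `exceptions` are private prefixes an upstream legitimately uses; they are
    exempt from the bogon check but never from the spoofed-internal check,
    because nobody outside may claim our own address space.
    """
    src = ipaddress.ip_address(src_ip)
    if any(src in n for n in _nets(internal_nets)):
        return "spoofed-internal"
    if any(src in n for n in _nets(exceptions)):
        return "allow"
    if any(src in n for n in _nets(bogons)):
        return "bogon"
    return "allow"


def audit(packets, internal_nets, **kw):
    """packets: iterable of (src_ip, dst_ip) seen inbound on the outside
    interface. Returns [(src_ip, verdict)] for every packet that should
    have been dropped."""
    findings = []
    for src, _dst in packets:
        verdict = ingress_verdict(src, internal_nets, **kw)
        if verdict != "allow":
            findings.append((src, verdict))
    return findings


def ios_ingress_acl(internal_nets, bogons=DEFAULT_BOGONS, number=101):
    """Render the same policy as classic IOS extended-ACL lines (deny entries
    with wildcard masks, then a final permit). ACL number 101 is an assumption."""
    lines = []
    for net in _nets(internal_nets) + _nets(bogons):
        lines.append(f"access-list {number} deny ip "
                     f"{net.network_address} {net.hostmask} any log")
    lines.append(f"access-list {number} permit ip any any")
    return lines


if __name__ == "__main__":
    internal = ["198.51.100.0/24"]
    # Constructed sample of packets arriving on the outside interface.
    sample = [("203.0.113.5", "198.51.100.10"),    # ordinary Internet host
              ("198.51.100.77", "198.51.100.10"),  # claims to be inside: spoofed
              ("10.1.2.3", "198.51.100.10"),       # private space from the wire
              ("127.0.0.1", "198.51.100.10")]      # loopback from the wire
    for src, verdict in audit(sample, internal):
        print(f"drop {src:<16} {verdict}")
    print("\n".join(ios_ingress_acl(internal)))
```

The spoofed-internal test runs before the exception list on purpose: an upstream numbering a link out of 10/8 is a reason to exempt that one /30 from the bogon rule, not a reason to accept outside packets that carry your own addresses.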
=================================
Candidate: CAN-1999-0530
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A system is operating in "promiscuous" mode which allows it to perform
packet sniffing.
VOTES:
ACCEPT(1) Northcutt
REJECT(1) Shostack
=================================
Candidate: CAN-1999-0531
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO.
VOTES:
RECAST(1) Shostack
REJECT(1) Northcutt
COMMENTS:
Shostack> I think expn != vrfy, help, esmtp.
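Added example (not from the original list or any voter) for CAN-1999-0531. It treats the items the candidate lumps together as separate findings, which is the distinction Shostack draws: EHLO only tells you the server speaks ESMTP, the EHLO extension list tells you what is advertised, and only the reply code to an actual VRFY or EXPN tells you what the server will disclose. The fake server, host names and reply texts are constructed; `socket_exchange` is the real transport and is not exercised offline.

```python
import socket


def parse_reply(raw):
    """Split a (possibly multi-line) SMTP reply into (code, [text lines])."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l]
    if not lines:
        return 0, []
    return int(lines[0][:3]), [l[4:] for l in lines]


def classify_enum_reply(code):
    """What the reply code to VRFY/EXPN tells an attacker enumerating users."""
    if code in (250, 251):
        return "discloses"       # positive: the address exists (or is forwarded)
    if code in (550, 551, 553):
        return "discloses"       # negative: still lets an attacker enumerate
    if code == 252:
        return "noncommittal"    # "cannot VRFY user, will try delivery": no leak
    if code in (500, 502, 504):
        return "disabled"        # command not implemented / not recognised
    return f"other({code})"


def probe(exchange):
    """exchange(cmd) -> raw reply string. Returns a dict describing the server."""
    code, lines = parse_reply(exchange("EHLO probe.example"))
    esmtp = code == 250
    advertised = {l.split()[0].upper() for l in lines[1:] if l.strip()} if esmtp else set()
    if not esmtp:
        exchange("HELO probe.example")
    result = {"esmtp": esmtp, "advertised": sorted(advertised)}
    for verb in ("VRFY", "EXPN"):           # ask, do not trust the advert
        code, _ = parse_reply(exchange(f"{verb} postmaster"))
        result[verb.lower()] = classify_enum_reply(code)
    code, _ = parse_reply(exchange("HELP"))
    result["help"] = "enabled" if code in (211, 214) else "disabled"
    exchange("QUIT")
    return result


def socket_exchange(host, port=25, timeout=10):
    """Real transport: returns an exchange() bound to one TCP connection."""
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("rb")

    def read_reply():
        out = []
        while True:
            line = rfile.readline().decode("latin-1")
            out.append(line)
            if len(line) < 4 or line[3] == " ":   # final line is "ddd text"
                return "".join(out)

    read_reply()                                  # discard the greeting banner

    def exchange(cmd):
        sock.sendall((cmd + "\r\n").encode("ascii"))
        return read_reply()
    return exchange


# Constructed fake server: advertises both EXPN and VRFY in its EHLO reply,
# answers VRFY in full, but actually refuses EXPN. Advertised != behaves.
FAKE_REPLIES = {
    "EHLO": "250-mail.example\r\n250-EXPN\r\n250-VRFY\r\n250-SIZE 10240000\r\n250 HELP\r\n",
    "VRFY": "250 2.1.5 <postmaster@mail.example>\r\n",
    "EXPN": "502 5.5.1 EXPN not implemented\r\n",
    "HELP": "214-Commands supported:\r\n214 HELO EHLO MAIL RCPT DATA QUIT\r\n",
    "QUIT": "221 2.0.0 Bye\r\n",
}


def fake_exchange(cmd):
    return FAKE_REPLIES[cmd.split()[0].upper()]


if __name__ == "__main__":
    print(probe(fake_exchange))
    # Against a real host: print(probe(socket_exchange("mail.example")))
```

A 252 reply is the configuration to aim for when VRFY cannot be removed outright: the server neither confirms nor denies the address, so the command stops being useful for enumeration.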
=================================
Candidate: CAN-1999-0532
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A DNS server allows zone transfers.
VOTES:
MODIFY(1) Frech
REJECT(1) Northcutt
COMMENTS:
Northcutt> (With split DNS implementations this is quite appropriate)
Frech> XF:dns-zonexfer
=================================
Candidate: CAN-1999-0533
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A DNS server allows inverse queries.
VOTES:
MODIFY(1) Frech
REJECT(1) Northcutt
COMMENTS:
Northcutt> (rule of thumb)
Frech> XF:dns-iquery
=================================
Candidate: CAN-1999-0534
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT user has inappropriate rights or privileges, e.g. Act as
System, Add Workstation, Backup, Change System Time, Create Pagefile,
Create Permanent Object, Create Token Name, Debug, Generate Security
Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory,
Profile Single Process, Remote Shutdown, Replace Process Token,
Restore, System Environment, Take Ownership, or Unsolicited Input.
VOTES:
ACCEPT(5) Wall, Baker, Shostack, Ozancin, Christey
MODIFY(2) Northcutt, Frech
COMMENTS:
Northcutt> If we are going to write a laundry list put access to the scheduler in it.
Christey> The list of privileges is very useful for lookup.
Frech> XF:nt-create-token
Frech> XF:nt-replace-token
Frech> XF:nt-lock-memory
Frech> XF:nt-increase-quota
Frech> XF:nt-unsol-input
Frech> XF:nt-act-system
Frech> XF:nt-create-object
Frech> XF:nt-sec-audit
Frech> XF:nt-add-workstation
Frech> XF:nt-manage-log
Frech> XF:nt-take-owner
Frech> XF:nt-load-driver
Frech> XF:nt-profile-system
Frech> XF:nt-system-time
Frech> XF:nt-single-process
Frech> XF:nt-increase-priority
Frech> XF:nt-create-pagefile
Frech> XF:nt-backup
Frech> XF:nt-restore
Frech> XF:nt-debug
Frech> XF:nt-system-env
Frech> XF:nt-remote-shutdown
=================================
Candidate: CAN-1999-0535
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT account policy for passwords has inappropriate,
security-critical settings, e.g. for password length, password age, or
uniqueness.
VOTES:
ACCEPT(2) Wall, Shostack
MODIFY(2) Baker, Frech
RECAST(2) Northcutt, Ozancin
COMMENTS:
Northcutt> inappropriate implies there is appropriate. As a guy who has been
Northcutt> monitoring networks for years I have deep reservations about
Northcutt> justifying the existence of any fixed cleartext password. For
Northcutt> appropriate to exist, some "we" would have to establish some
Northcutt> criteria for appropriate passwords.
Baker> Perhaps this could be re-worded a bit. The CVE CAN-1999-0582
Baker> specifies "...settings for lockouts". To remain consistent with the
Baker> other, maybe it should specify "...settings for passwords". I think
Baker> most people would agree that passwords should be at least 8
Baker> characters; contain letters (upper and lowercase), numbers and at
Baker> least one non-alphanumeric; should only be good for a limited time
Baker> (30-90 days); and should not contain character combinations from the
Baker> user's prior 2 or 3 passwords.
Baker> Suggested rewrite -
Baker> A Windows NT account policy does not enforce reasonable minimum
Baker> security-critical settings for passwords, e.g. passwords of sufficient
Baker> length, periodic required password changes, or new password uniqueness
Ozancin> What is appropriate?
Frech> XF:nt-autologonpwd
Frech> XF:nt-pwlen
Frech> XF:nt-maxage
Frech> XF:nt-minage
Frech> XF:nt-pw-history
Frech> XF:nt-user-pwnoexpire
Frech> XF:nt-unknown-pwdfilter
Frech> XF:nt-pwd-never-expire
Frech> XF:nt-pwd-nochange
Frech> XF:nt-pwdcache-enable
Frech> XF:nt-guest-change-passwords
=================================
Candidate: CAN-1999-0537
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A configuration in a web browser such as Internet Explorer or Netscape
Navigator allows execution of active content such as ActiveX, Java,
JavaScript, etc.
VOTES:
ACCEPT(1) Wall
RECAST(1) Frech
COMMENTS:
Frech> Good candidate for dot notation.
Frech> XF:nav-java-enabled
Frech> XF:nav-javascript-enabled
Frech> XF:ie-active-content
Frech> XF:ie-active-download
Frech> XF:ie-active-scripting
Frech> XF:ie-activex-execution
Frech> XF:ie-java-enabled
Frech> XF:netscape-javascript
Frech> XF:netscape-java
Frech> XF:zone-active-scripting
Frech> XF:zone-activex-execution
Frech> XF:zone-desktop-install
Frech> XF:zone-low-channel
Frech> XF:zone-file-download
Frech> XF:zone-file-launch
Frech> XF:zone-java-scripting
Frech> XF:zone-low-java
Frech> XF:zone-safe-scripting
Frech> XF:zone-unsafe-scripting
=================================
Candidate: CAN-1999-0539
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A trust relationship exists between two Unix hosts.
VOTES:
REJECT(2) Northcutt, Shostack
COMMENTS:
Northcutt> Too non specific
=================================
Candidate: CAN-1999-0541
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: CF
A password for accessing a WWW URL is guessable.
VOTES:
ACCEPT(4) Northcutt, Shostack, Meunier, Baker
=================================
Candidate: CAN-1999-0546
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
The Windows NT guest account is enabled.
VOTES:
ACCEPT(5) Wall, Northcutt, Baker, Shostack, Ozancin
MODIFY(1) Frech
COMMENTS:
Frech> XF:nt-guest-account
=================================
Candidate: CAN-1999-0547
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
An SSH server allows authentication through the .rhosts file.
VOTES:
ACCEPT(1) Shostack
NOOP(1) Northcutt
=================================
Candidate: CAN-1999-0548
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A superfluous NFS server is running, but it is not importing or exporting
any file systems.
VOTES:
ACCEPT(1) Shostack
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0549
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: CF
Windows NT automatically logs in an administrator upon rebooting.
VOTES:
ACCEPT(1) Hill
MODIFY(1) Blake
NOOP(1) Wall
REVIEWING(1) Frech
COMMENTS:
Wall> Don't know what this is. Don't think it is a vulnerability and would
Wall> initially reject. This is different than just renaming the
Wall> administrator account.
Frech> Would appreciate more information on this one, as in a reference.
Blake> Reference: XF:nt-autologin
=================================
Candidate: CAN-1999-0550
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A router's routing tables can be obtained from arbitrary hosts.
VOTES:
MODIFY(1) Frech
RECAST(1) Northcutt
COMMENTS:
Northcutt> Don't you mean obtained by arbitrary hosts?
Frech> XF:routed
Frech> XF:decod-rip-entry
Frech> XF:rip
=================================
Candidate: CAN-1999-0554
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
NFS exports system-critical data to the world, e.g. / or a password
file.
VOTES:
ACCEPT(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0555
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A Unix account with a name other than "root" has UID 0, i.e. root
privileges.
VOTES:
REJECT(2) Northcutt, Shostack
COMMENTS:
Northcutt> This is very bogus
=================================
Candidate: CAN-1999-0556
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Two or more Unix accounts have the same UID.
VOTES:
REJECT(2) Northcutt, Shostack
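Added example (not part of the original list or any voter's comment) covering CAN-1999-0555 and CAN-1999-0556 with one pass over a passwd file: it reports every UID 0 account other than an expected name and every UID shared by two or more accounts. The sample passwd content is constructed; `known_benign` is an assumption about the platform (some BSDs ship a second UID 0 account, "toor", by design), which is how a site would express the "this one is intentional" judgement the rejecting votes allude to.

```python
from collections import defaultdict


def parse_passwd(text):
    """Yield (name, uid, gid, shell) for each well-formed passwd line.
    Skips blanks, comments and NIS '+'/'-' map entries."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        try:
            yield fields[0], int(fields[2]), int(fields[3]), fields[6]
        except ValueError:       # non-numeric uid/gid: malformed, skip it
            continue


def audit_uids(text, known_benign=("root",)):
    """Return {"uid0": [unexpected UID 0 names], "duplicates": {uid: [names]}}.

    known_benign is an assumption about the platform: account names that are
    allowed to carry UID 0 on this system."""
    by_uid = defaultdict(list)
    for name, uid, _gid, _shell in parse_passwd(text):
        by_uid[uid].append(name)
    uid0 = [n for n in by_uid.get(0, []) if n not in known_benign]
    duplicates = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    return {"uid0": uid0, "duplicates": duplicates}


# Constructed sample passwd file (not taken from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
# a comment line
sysadm:x:0:0:extra superuser account:/:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1000:1001:Bob:/home/bob:/bin/sh
+::::::
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    report = audit_uids(text)
    for name in report["uid0"]:
        print(f"UID 0 account other than root: {name}")
    for uid, names in sorted(report["duplicates"].items()):
        print(f"UID {uid} shared by: {', '.join(names)}")
```

Running it on a real file (`python audit_uids.py /etc/passwd`) only covers the local file; on an NIS client the map entries are skipped here and would need `ypcat passwd` fed in as well.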
=================================
Candidate: CAN-1999-0559
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
A system-critical Unix file or directory has inappropriate
permissions.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> Writable other than by root/bin/wheelgroup?
=================================
Candidate: CAN-1999-0560
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
A system-critical Windows NT file or directory has inappropriate
permissions.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we should specify these
=================================
Candidate: CAN-1999-0561
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
IIS has the #exec function enabled for Server Side Include (SSI) files.
VOTES:
NOOP(1) Northcutt
RECAST(1) Shostack
=================================
Candidate: CAN-1999-0562
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
The registry in Windows NT can be accessed remotely by users who are
not administrators.
VOTES:
ACCEPT(4) Wall, Baker, Shostack, Ozancin
MODIFY(1) Frech
RECAST(1) Northcutt
COMMENTS:
Northcutt> This isn't all or nothing, users may be allowed to access part of the
Northcutt> registry.
Frech> XF:nt-winreg-all
Frech> XF:nt-winreg-net
=================================
Candidate: CAN-1999-0564
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
An attacker can force a printer to print arbitrary documents (e.g. if
the printer doesn't require a password) or to become disabled.
VOTES:
ACCEPT(1) Shostack
NOOP(1) Northcutt
=================================
Candidate: CAN-1999-0565
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A Sendmail alias allows input to be piped to a program.
VOTES:
ACCEPT(1) Northcutt
RECAST(1) Shostack
COMMENTS:
Shostack> Is this a default alias? Is my .procmailrc an instance of this?
=================================
Candidate: CAN-1999-0568
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
rpc.admind in Solaris is not running in a secure mode.
VOTES:
ACCEPT(1) Northcutt
RECAST(1) Shostack
COMMENTS:
Shostack> are there secure modes?
=================================
Candidate: CAN-1999-0569
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
A URL for a WWW directory allows auto-indexing, which provides a list
of all files in that directory.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
COMMENTS:
Northcutt> I do this intentionally sometimes in high-content directories
=================================
Candidate: CAN-1999-0570
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.
VOTES:
ACCEPT(1) Northcutt
REJECT(1) Wall
COMMENTS:
Northcutt> Here we are crossing into the best practices arena again. However, since
Northcutt> passfilt does establish a measurable standard and since we aren't the
Northcutt> ones defining the standard, simply saying it should be employed, I will
Northcutt> vote for this.
=================================
Candidate: CAN-1999-0571
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Feb5,1999
A router allows arbitrary hosts to connect to its configuration
service, or related services such as telnet.
VOTES:
NOOP(1) Northcutt
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0572
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
.reg files are associated with the Windows NT registry editor (opening
one merges its contents into the registry), making the registry
susceptible to Trojan Horse attacks.
VOTES:
ACCEPT(4) Wall, Baker, Shostack, Ozancin
MODIFY(1) Frech
NOOP(1) Northcutt
COMMENTS:
Northcutt> I don't quite get what this means, sorry
Frech> XF:nt-regfile
=================================
Candidate: CAN-1999-0575
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT system's user audit policy does not log an event success
or failure, e.g. for Logon and Logoff, File and Object Access, Use of
User Rights, User and Group Management, Security Policy Changes,
Restart, Shutdown, and System, and Process Tracking.
VOTES:
ACCEPT(4) Wall, Shostack, Ozancin, Christey
MODIFY(1) Frech
RECAST(1) Northcutt
REVIEWING(1) Baker
COMMENTS:
Northcutt> It isn't a great truth that you should enable all of the above; if you
Northcutt> do, you potentially introduce a vulnerability of filling up the file
Northcutt> system with stuff you will never look at.
Ozancin> It is far less interesting what a user does successfully than what they
Ozancin> attempt and fail at.
Christey> The list of event types is very useful for lookup.
Frech> XF:nt-system-audit
Frech> XF:nt-logon-audit
Frech> XF:nt-object-audit
Frech> XF:nt-privil-audit
Frech> XF:nt-process-audit
Frech> XF:nt-policy-audit
Frech> XF:nt-account-audit
=================================
Candidate: CAN-1999-0576
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT system's file audit policy does not log an event success
or failure for security-critical files or directories.
VOTES:
ACCEPT(3) Wall, Baker, Shostack
MODIFY(2) Ozancin, Frech
REJECT(1) Northcutt
COMMENTS:
Northcutt> 1.) Too general; are we ready to state what the security-critical files
Northcutt> and directories are?
Northcutt> 2.) Do Ataris, Windows CE, PalmOS, Linux have such a capability?
Ozancin> Some files and directories are clearly understood to be critical. Others are
Ozancin> unclear. We need to clarify what critical is.
Frech> XF:nt-object-audit
=================================
Candidate: CAN-1999-0577
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT system's file audit policy does not log an event success
or failure for non-critical files or directories.
VOTES:
ACCEPT(2) Wall, Shostack
MODIFY(2) Ozancin, Frech
REJECT(1) Northcutt
REVIEWING(1) Baker
COMMENTS:
Ozancin> It is far less interesting what a user does successfully than what they
Ozancin> attempt and fail at.
Ozancin> Perhaps only failure should be logged.
Frech> XF:nt-object-audit
=================================
Candidate: CAN-1999-0578
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT system's registry audit policy does not log an event
success or failure for security-critical registry keys.
VOTES:
ACCEPT(4) Wall, Baker, Shostack, Ozancin
REJECT(1) Northcutt
REVIEWING(1) Frech
COMMENTS:
Ozancin> with reservation
Ozancin> Again what is defined as critical
=================================
Candidate: CAN-1999-0579
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT system's registry audit policy does not log an event
success or failure for non-critical registry keys.
VOTES:
ACCEPT(3) Wall, Baker, Shostack
MODIFY(1) Ozancin
REJECT(1) Northcutt
REVIEWING(1) Frech
COMMENTS:
Ozancin> Again only failure may be of interest. It would be impractical to wade
Ozancin> through the incredibly large amount of logging that this would generate. It
Ozancin> could overwhelm log entries that you might find interesting.
=================================
Candidate: CAN-1999-0580
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate,
system-critical permissions.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.
=================================
Candidate: CAN-1999-0581
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate,
system-critical permissions.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.
=================================
Candidate: CAN-1999-0582
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT account policy has inappropriate, security-critical
settings for lockout, e.g. lockout duration, lockout after bad logon
attempts, etc.
VOTES:
ACCEPT(3) Wall, Shostack, Ozancin
MODIFY(2) Baker, Frech
REJECT(1) Northcutt
COMMENTS:
Northcutt> The definition is?
Baker> Maybe a rewording of this one too. I think most people would agree on
Baker> some "minimum" policies like 3-5 bad attempts lockout for an hour or
Baker> until the administrator unlocks the account.
Baker> Suggested rewrite -
Baker> A Windows NT account policy does not enforce reasonable minimum
Baker> security-critical settings for lockouts, e.g. lockout duration,
Baker> lockout after bad logon attempts, etc.
Ozancin> with reservations
Ozancin> What is appropriate?
Frech> XF:nt-thres-lockout
Frech> XF:nt-lock-duration
Frech> XF:nt-lock-window
Frech> XF:nt-perm-lockout
Frech> XF:lockout-disabled
=================================
Candidate: CAN-1999-0583
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
There is a one-way or two-way trust relationship between Windows NT
domains.
VOTES:
REJECT(2) Northcutt, Shostack
=================================
Candidate: CAN-1999-0584
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A Windows NT file system is not NTFS.
VOTES:
ACCEPT(2) Wall, Northcutt
COMMENTS:
Wall> NTFS partition provides the security. This could be re-worded
Wall> to "A Windows NT file system is FAT" since it is either NTFS or FAT
Wall> and FAT is less secure.
=================================
Candidate: CAN-1999-0585
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT administrator account has the default name of
Administrator.
VOTES:
ACCEPT(1) Ozancin
MODIFY(1) Frech
REJECT(3) Northcutt, Baker, Shostack
REVIEWING(1) Wall
COMMENTS:
Wall> Some sources say this is not a vulnerability, but a warning. It just
Wall> slows down the search for the admin account (SID = 500) which can
Wall> always be found.
Northcutt> I change this on all NT systems I am responsible for, but is
Northcutt> root a vulnerability?
Baker> There are ways to identify the administrator account anyway, so this
Baker> is only a minor delay to someone that is knowledgeable. This, in and
Baker> of itself, doesn't really strike me as a vulnerability, anymore than
Baker> the root account on a Unix box.
Shostack> (there is no way to hide the account name today)
Frech> XF:nt-adminexists
=================================
Candidate: CAN-1999-0586
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A network service is running on a nonstandard port.
VOTES:
RECAST(1) Shostack
REJECT(1) Northcutt
COMMENTS:
Shostack> Might be acceptable if clearer; is that a standard service on a
Shostack> non-standard port, or any service on an unassigned port?
=================================
Candidate: CAN-1999-0587
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
A WWW server is not running in a restricted file system, e.g. through
a chroot, thus allowing access to system-critical data.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> While I would accept this for Unix, I am not sure this applies to NT,
Northcutt> VMS, palm pilots, or commodore 64
=================================
Candidate: CAN-1999-0588
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A filter in a router or firewall allows unusual fragmented packets.
VOTES:
MODIFY(1) Frech
REJECT(1) Northcutt
COMMENTS:
Northcutt> I want to vote to accept this one, but unusual is a shade broad.
Frech> XF:nt-rras
Frech> XF:cisco-fragmented-attacks
Frech> XF:ip-frag
=================================
Candidate: CAN-1999-0589
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
A system-critical Windows NT registry key has inappropriate
permissions.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.
=================================
Candidate: CAN-1999-0590
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A system does not present an appropriate legal message or warning to a
user who is accessing it.
VOTES:
ACCEPT(1) Northcutt
RECAST(1) Shostack
=================================
Candidate: CAN-1999-0591
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
An event log in Windows NT has inappropriate access permissions.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> splain Lucy, splain
=================================
Candidate: CAN-1999-0592
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
The Logon box of a Windows NT system displays the name of the last
user who logged in.
VOTES:
REJECT(2) Wall, Northcutt
COMMENTS:
Wall> Information gathering, not vulnerability
Northcutt> Ah, a C2 weenie must have snuck this in; this can be a good thing,
Northcutt> not just a vulnerability
=================================
Candidate: CAN-1999-0593
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A user is allowed to shut down a Windows NT system without logging in.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
COMMENTS:
Wall> Still a denial of service.
Northcutt> May well be appropriate
=================================
Candidate: CAN-1999-0594
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A Windows NT system does not restrict access to removable media drives
such as a floppy disk drive or CDROM drive.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
COMMENTS:
Wall> Perhaps it can be re-worded to "removable media drives
Wall> such as a floppy disk drive or CDROM drive can be accessed (shared) in a
Wall> Windows NT system."
Northcutt> - what good is my NT w/o its floppy
=================================
Candidate: CAN-1999-0595
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A Windows NT system does not clear the system page file during
shutdown.
VOTES:
ACCEPT(1) Wall
NOOP(1) Northcutt
=================================
Candidate: CAN-1999-0596
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A Windows NT log file has an inappropriate maximum size or retention
period.
VOTES:
REJECT(2) Wall, Northcutt
COMMENTS:
Northcutt> define appropriate
=================================
Candidate: CAN-1999-0597
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A Windows NT account policy does not forcibly disconnect remote users
from the server when their logon hours expire.
VOTES:
ACCEPT(1) Northcutt
REJECT(1) Wall
=================================
Candidate: CAN-1999-0598
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A network intrusion detection system (IDS) does not properly handle
packets that are sent out of order, allowing an attacker to escape
detection.
VOTES:
ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0599
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A network intrusion detection system (IDS) does not properly handle
packets with improper sequence numbers.
VOTES:
ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0600
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A network intrusion detection system (IDS) does not verify the
checksum on a packet.
VOTES:
ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0601
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A network intrusion detection system (IDS) does not properly handle
data within TCP handshake packets.
VOTES:
ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0602
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A network intrusion detection system (IDS) does not properly
reassemble fragmented packets.
VOTES:
ACCEPT(1) Northcutt
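Added example (not part of the original list or any voter's comment) for the IDS candidates CAN-1999-0598 through CAN-1999-0602, worked for two of them: out-of-order delivery (0598) and unverified checksums (0600). The same principle applies to bad sequence numbers, handshake data and fragment reassembly. A sensor that concatenates payloads in arrival order, without checking the TCP checksum, sees a different byte stream from the one the receiving TCP stack assembles, so the attacker can hide a signature from it. Everything here is constructed: the addresses, the signature string `/cgi-bin/bad.cgi`, the three segments and the two reassembly strategies; no traffic leaves the machine.

```python
import socket
import struct


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src, dst, segment):
    """RFC 793 checksum over pseudo-header + segment. Computed over a segment
    whose checksum field is already filled in, a valid segment yields 0."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(src, dst, sport, dport, seq, payload, corrupt=False):
    """Minimal TCP segment (PSH|ACK, no options). corrupt=True damages the
    checksum so a real TCP stack discards the segment on arrival."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    csum = tcp_checksum(src, dst, hdr + payload)
    if corrupt:
        csum ^= 0x5A5A
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def segment_seq_payload(segment):
    seq = struct.unpack("!I", segment[4:8])[0]
    offset = (segment[12] >> 4) * 4
    return seq, segment[offset:]


def naive_reassemble(segments):
    """What a careless sensor does: payloads in arrival order, no checksum,
    no sequence numbers. segments: [(src, dst, raw_segment)]."""
    return b"".join(segment_seq_payload(seg)[1] for _, _, seg in segments)


def endpoint_reassemble(segments, isn=0):
    """What the receiving TCP stack does: drop bad checksums, place every byte
    by sequence number, and keep the first data received for an offset."""
    stream = {}
    for src, dst, seg in segments:
        if tcp_checksum(src, dst, seg) != 0:
            continue                                   # CAN-1999-0600
        seq, payload = segment_seq_payload(seg)
        for i, byte in enumerate(payload):
            stream.setdefault(seq - isn + i, byte)     # CAN-1999-0598
    return bytes(stream[k] for k in sorted(stream))


SIGNATURE = b"/cgi-bin/bad.cgi"   # constructed signature the sensor looks for


def matches(stream, signature=SIGNATURE):
    return signature in stream


def attack_segments(src="203.0.113.9", dst="198.51.100.80"):
    """Constructed evasion: the real tail arrives first, then an inserted
    segment with a bad checksum at the same offset, then the head."""
    head = build_segment(src, dst, 40000, 80, 0, b"GET /cgi-bin/")
    junk = build_segment(src, dst, 40000, 80, 13, b"zzzzzzz", corrupt=True)
    tail = build_segment(src, dst, 40000, 80, 13, b"bad.cgi")
    return [(src, dst, tail), (src, dst, junk), (src, dst, head)]


if __name__ == "__main__":
    segs = attack_segments()
    print("sensor saw  :", naive_reassemble(segs), matches(naive_reassemble(segs)))
    print("endpoint saw:", endpoint_reassemble(segs), matches(endpoint_reassemble(segs)))
```

The fix on the sensor side is the second function: verify the checksum before accepting data, and reassemble by sequence number rather than by arrival, so the sensor's view of the stream matches the endpoint's.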
=================================
Candidate: CAN-1999-0603
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
In Windows NT, an inappropriate user is a member of a group,
e.g. Administrator, Backup Operators, Domain Admins, Domain Guests,
Power Users, Print Operators, Replicators, System Operators, etc.
VOTES:
REJECT(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0604
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999
An incorrect configuration of the WebStore 1.0 shopping cart
CGI program "web_store.cgi" could disclose private information.
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0605
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999
An incorrect configuration of the Order Form 1.0 shopping cart
CGI program could disclose private information.
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0606
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999
An incorrect configuration of the EZMall 2000 shopping cart
CGI program "mall2000.cgi" could disclose private information.
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0607
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999
An incorrect configuration of the QuikStore shopping cart
CGI program "quikstore.cgi" could disclose private information.
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0608
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999
An incorrect configuration of the PDG Shopping Cart CGI program
"shopper.cgi" could disclose private information.
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0609
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999
An incorrect configuration of the SoftCart CGI program
"SoftCart.exe" could disclose private information.
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0610
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr23,1999
An incorrect configuration of the Webcart CGI program
could disclose private information.
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0611
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
A system-critical Windows NT registry key has an inappropriate value.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.
=================================
Candidate: CAN-1999-0613
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SA
The rpc.sprayd service is running.
VOTES:
ACCEPT(2) Baker, Ozancin
MODIFY(1) Frech
NOOP(1) Wall
REJECT(1) Northcutt
COMMENTS:
Frech> XF:sprayd
=================================
Candidate: CAN-1999-0614
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The FTP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0615
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The SNMP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0616
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The TFTP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0617
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The SMTP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0618
Published:
Final-Decision:
Interim-Decision:
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SA
Reference: XF:rexec
The rexec service is running.
Modifications:
ADDREF XF:rexec
VOTES:
ACCEPT(4) Wall, Northcutt, Baker, Ozancin
MODIFY(1) Frech
COMMENTS:
Frech> XF:decod-rexec
Frech> XF:rexec
=================================
Candidate: CAN-1999-0619
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The Telnet service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0620
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
A component service related to NIS is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0621
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
A component service related to NETBIOS is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0622
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
A component service related to DNS is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0623
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The X Windows service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0624
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990924-01
Proposed: 19990721
Assigned: 19990607
Category: SA
Reference: XF:rstat-out
Reference: XF:rstatd
The rstat/rstatd service is running.
Modifications:
ADDREF XF:rstat-out
ADDREF XF:rstatd
VOTES:
ACCEPT(3) Northcutt, Baker, Ozancin
MODIFY(1) Frech
NOOP(2) Wall, Meunier
COMMENTS:
Frech> XF:rstat-out
Frech> XF:rstatd
=================================
Candidate: CAN-1999-0625
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SA
The rpc.rquotad service is running.
VOTES:
ACCEPT(3) Northcutt, Baker, Ozancin
MODIFY(1) Frech
NOOP(1) Wall
COMMENTS:
Frech> XF:rquotad
=================================
Candidate: CAN-1999-0629
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SA
The ident/identd service is running.
VOTES:
ACCEPT(2) Baker, Ozancin
NOOP(1) Wall
REJECT(1) Northcutt
REVIEWING(1) Frech
COMMENTS:
Frech> possibly XF:identd?
=================================
Candidate: CAN-1999-0630
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The NT Alerter and Messenger services are running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0631
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The NFS service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0632
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The RPC portmapper service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0633
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The HTTP/WWW service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0634
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The SSH service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0635
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The echo service is running.
VOTES:
ACCEPT(2) Wall, Northcutt
COMMENTS:
Northcutt> The method to my madness is echo is the common denom in the dos attack
=================================
Candidate: CAN-1999-0636
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The discard service is running.
VOTES:
NOOP(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0637
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The systat service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0638
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The daytime service is running.
VOTES:
NOOP(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0639
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The chargen service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0640
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The Gopher service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0641
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The UUCP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0642
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
A POP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0643
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The IMAP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0644
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The NNTP news service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0645
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The IRC service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0646
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The LDAP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0647
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SA
The bootparam (bootparamd) service is running.
VOTES:
ACCEPT(2) Baker, Ozancin
MODIFY(1) Frech
NOOP(1) Wall
REJECT(1) Northcutt
COMMENTS:
Frech> XF:bootp
=================================
Candidate: CAN-1999-0648
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The X25 service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0649
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The FSP service is running.
VOTES:
NOOP(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0650
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The netstat service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0651
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The rsh/rlogin service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0652
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
A database service is running, e.g. a SQL server, Oracle, or MySQL.
VOTES:
NOOP(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0653
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
A component service related to NIS+ is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0654
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SA
The OS/2 or POSIX subsystem in NT is enabled.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
COMMENTS:
Wall> These subsystems could still allow a process to persist across logins.
=================================
Candidate: CAN-1999-0655
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SA
A service may include useful information in its banner or help
function (such as the name and version), making it useful for
information gathering activities.
VOTES:
ACCEPT(4) Wall, Northcutt, Baker, Ozancin
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0656
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The ugidd service is running.
VOTES:
NOOP(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0657
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
WinGate is being used.
VOTES:
NOOP(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0658
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
DCOM is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0659
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
A Windows NT Primary Domain Controller (PDC) or Backup Domain
Controller (BDC) is present.
VOTES:
REJECT(2) Wall, Northcutt
COMMENTS:
Wall> Don't consider this a service or a problem.
=================================
Candidate: CAN-1999-0660
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: MP
A hacker utility or Trojan Horse is installed on a system,
e.g. NetBus, Back Orifice, Rootkit, etc.
VOTES:
ACCEPT(3) Wall, Northcutt, Hill
=================================
Candidate: CAN-1999-0661
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: MP
A system is running a version of software that was replaced with a
Trojan Horse at its distribution point, e.g. TCP Wrappers, wuftpd,
etc.
VOTES:
ACCEPT(3) Wall, Northcutt, Hill
=================================
Candidate: CAN-1999-0662
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: AN
A system-critical program or library does not have the appropriate
patch, hotfix, or service pack installed, or is outdated or obsolete.
VOTES:
ACCEPT(3) Wall, Northcutt, Hill
=================================
Candidate: CAN-1999-0663
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: AN
A system-critical program, library, or file has a checksum or other
integrity measurement that indicates that it has been modified.
VOTES:
ACCEPT(2) Wall, Hill
RECAST(1) Northcutt
COMMENTS:
Northcutt> This needs to be worded carefully.
Northcutt> 1. Rootkits evade checksum detection.
Northcutt> 2. The modification could be positive (a patch)
=================================
Candidate: CAN-1999-0664
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990803
Category: CF
An application-critical Windows NT registry key has inappropriate
permissions.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.
=================================
Candidate: CAN-1999-0665
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990803
Category: CF
An application-critical Windows NT registry key has an inappropriate
value.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.