[INTERIM] ACCEPT 17 candidates from various clusters (Final 1/3/2000)
I have made an Interim Decision to ACCEPT the following 17 candidates
from various clusters. I will make a Final Decision on January 3,
2000.
The candidates come from the following older clusters:
1 VEN-SUN
2 BUF
7 RESTLOW
1 ONEREF
1 DESIGN
4 MORELOW
1 CDEC
These candidates are being ACCEPTed now, instead of several months
ago, because either: (a) my new automatic vote counter spotted
candidates that had previously slipped through the cracks, (b) I was
able to dig up references in which a software vendor acknowledged the
problem (thus counting as a 3rd vote), or (c) both a and b. The (b)
cases are identified with an "inferred vote" of ACCEPT_ACK, as listed
below.
Voters:
Wall ACCEPT(3) MODIFY(1) NOOP(3)
Shostack NOOP(1)
Ozancin ACCEPT(6)
Baker ACCEPT(2)
Frech ACCEPT(7) MODIFY(10)
Hill ACCEPT(9)
Proctor ACCEPT(1)
Northcutt ACCEPT(11) MODIFY(1)
Christey NOOP(3)
Balinsky ACCEPT(1)
Prosser ACCEPT(1) MODIFY(4) NOOP(2)
Blake ACCEPT(2)
=================================
Candidate: CAN-1999-0151
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.07a.REVISED.satan.vul
Reference: CERT:CA-95.06.satan.vul
The SATAN session key may be disclosed if the user points the web
browser to other sites, possibly allowing root access.
INFERRED VOTE: CAN-1999-0151 ACCEPT_ACK (2 accept, 1 ack, 0 review)
VOTES:
ACCEPT(2) Hill, Northcutt
MODIFY(1) Frech
COMMENTS:
Frech> XF:satan-scan
=================================
Candidate: CAN-1999-0212
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00168
Reference: CIAC:I-048
Reference: XF:sun-mountd
Solaris rpc.mountd generates error messages that allow a remote
attacker to determine what files are on the server.
Modifications:
DESC remove Linux
ADDREF XF:sun-mountd
ADDREF CIAC:I-048
INFERRED VOTE: CAN-1999-0212 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(1) Prosser
MODIFY(2) Northcutt, Frech
NOOP(1) Christey
COMMENTS:
Northcutt> I am concerned that Linux is becoming too
Northcutt> nondescript a word, in the past two weeks I have run
Northcutt> across 3 Linuxes I had never heard of before. I think we need
Northcutt> to start being specific when we mention Linux either by
Northcutt> the kernel or vendor or something.
Frech> Reference: XF:sun-mountd
Christey> Does this affect more than Solaris mountd?
=================================
Candidate: CAN-1999-0275
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: XF:nt-dnscrash
Reference: XF:nt-dnsver
Reference: MS:Q169461
Denial of service in Windows NT DNS servers by flooding port 53 with
too many characters.
Modifications:
CHANGEREF XF:nt-dns-crash XF:nt-dnscrash
DESC slight change to mention port 53 specifically.
ADDREF XF:nt-dnsver
INFERRED VOTE: CAN-1999-0275 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(1) Ozancin
MODIFY(2) Wall, Frech
NOOP(1) Christey
COMMENTS:
Wall> Denial of service in Windows NT DNS servers by malicious telnet attack.
Frech> Change XF:nt-dns-crash to XF:nt-dnscrash
Frech> ADDREF XF:nt-dnsver
Christey> The XF entry, and the corresponding Microsoft KB articles,
Christey> indicate that there is more than one vulnerability related to
Christey> the DNS server. Other candidates need to be created for the
Christey> other cases, including the telnet case that Mike mentions.
=================================
Candidate: CAN-1999-0280
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:19970317 Internet Explorer Bug #4
Reference: CIAC:H-38
Reference: XF:http-ie-lnkurl
Remote command execution in Microsoft Internet Explorer using .lnk and
.url files.
Modifications:
ADDREF CIAC:H-38
ADDREF XF:http-ie-lnkurl
ADDREF NTBUGTRAQ:19970317 Internet Explorer Bug #4
INFERRED VOTE: CAN-1999-0280 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Hill, Wall, Northcutt, Proctor, Balinsky
MODIFY(2) Frech, Prosser
NOOP(1) Christey
COMMENTS:
Frech> XF:http-ie-lnkurl
Prosser> additional source
Prosser> CIAC Bulletin H-38
Prosser> http://www.ciac.org
Prosser> Microsoft Internet Explorer Security Updates
Prosser> "Internet Explorer 3.02 Includes All Security"
Prosser> http://www.microsoft.com/windows/ie/security
Christey> Mike's Microsoft reference is no longer listed there.
Christey> This topic appears to have generated a long NTBugtraq thread.
=================================
Candidate: CAN-1999-0290
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980221 WinGate DoS
Reference: BUGTRAQ:19980326 WinGate Intermediary Fix/Update
Reference: XF:wingate-dos
The WinGate telnet proxy allows remote attackers to cause a denial of
service via a large number of connections to localhost.
Modifications:
ADDREF BUGTRAQ:19980221 WinGate DoS
ADDREF BUGTRAQ:19980326 WinGate Intermediary Fix/Update
ADDREF XF:wingate-dos
DESC Add localhost info
INFERRED VOTE: CAN-1999-0290 ACCEPT (4 accept, 0 review)
VOTES:
ACCEPT(3) Hill, Blake, Northcutt
MODIFY(2) Frech, Prosser
COMMENTS:
Frech> XF:wingate-dos
Prosser> additional source
Prosser> Hrvoje Crvelin
Prosser> Security Bugware
Prosser> http://161.53.42.3/~crv/security/bugs/NT/wingate2.html
=================================
Candidate: CAN-1999-0291
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990630
Assigned: 19990607
Category: unknown
Reference: XF:wingate-unpassworded
The WinGate proxy is installed without a password, which allows
remote attackers to redirect connections without authentication.
Modifications:
ADDREF XF:wingate-unpassworded
INFERRED VOTE: CAN-1999-0291 ACCEPT (5 accept, 0 review)
VOTES:
ACCEPT(4) Hill, Blake, Northcutt, Ozancin
MODIFY(2) Frech, Prosser
COMMENTS:
Frech> Description needs more info or references on how this redirection takes
Frech> place. Is it by password access? If so, consider these two references:
Frech> XF:wingate-unpassworded
Frech> XF:wingate-registry-passwords
Prosser> believe this is the "WinGate Bounce" described in
Prosser> Hrvoje Crvelin's
Prosser> Security Bugware
Prosser> http://161.53.42.3/~crv/security/bugs/NT/wingate.htm
=================================
Candidate: CAN-1999-0297
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991216-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NAI:NAI-3
Reference: AUSCERT:AA-96.21
Reference: CIAC:H-17
Reference: XF:vixie-cron
Buffer overflow in Vixie Cron library up to version 3.0 allows local
users to obtain root access via a long environmental variable.
Modifications:
ADDREF AUSCERT:AA-96.21
ADDREF CIAC:H-17
ADDREF XF:vixie-cron
DESC identify the environmental variable, modify version
INFERRED VOTE: CAN-1999-0297 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(2) Northcutt, Hill
MODIFY(2) Prosser, Frech
COMMENTS:
Prosser> This appears to be the same as the Cron BO reported in CIAC
Prosser> H-17 which affects versions of the vixie cron package up to and including
Prosser> 3.0
Frech> XF:vixie-cron
=================================
Candidate: CAN-1999-0304
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:bsd-mmap
Reference: FreeBSD:FreeBSD-SA-98:02
mmap function in BSD allows local attackers in the kmem group to
modify memory through devices.
INFERRED VOTE: CAN-1999-0304 ACCEPT_ACK (2 accept, 1 ack, 0 review)
VOTES:
ACCEPT(3) Hill, Frech, Northcutt
=================================
Candidate: CAN-1999-0318
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991216-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19961125 Security Problems in XMCD
Reference: BUGTRAQ:19961125 XMCD v2.1 released (was: Security Problems in XMCD)
Reference: XF:xmcd-envbo
Buffer overflow in xmcd 2.0p12 allows local users to gain access
through an environmental variable.
Modifications:
ADDREF BUGTRAQ:19961125 Security Problems in XMCD
ADDREF BUGTRAQ:19961125 XMCD v2.1 released (was: Security Problems in XMCD)
INFERRED VOTE: CAN-1999-0318 ACCEPT_ACK (2 accept, 1 ack, 0 review)
VOTES:
ACCEPT(3) Northcutt, Hill, Frech
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0322
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-97:05
Reference: XF:freebsd-open
The open() function in FreeBSD allows local attackers to write
to arbitrary files.
INFERRED VOTE: CAN-1999-0322 ACCEPT_ACK (2 accept, 1 ack, 0 review)
VOTES:
ACCEPT(3) Hill, Frech, Northcutt
=================================
Candidate: CAN-1999-0343
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19981002 Announcements from The Palace (fwd)
Reference: XF:palace-malicious-servers-vuln
A malicious Palace server can force a client to execute arbitrary
programs.
Modifications:
ADDREF BUGTRAQ:19981002 Announcements from The Palace (fwd)
CHANGEREF XF:palace-execute XF:palace-malicious-servers-vuln
INFERRED VOTE: CAN-1999-0343 ACCEPT_ACK (2 accept, 1 ack, 0 review)
VOTES:
ACCEPT(2) Northcutt, Baker
MODIFY(1) Frech
NOOP(2) Shostack, Prosser
COMMENTS:
Shostack> The description worries me. Can force any client? Can force an
Shostack> overly trusting client?
Frech> XF reference above is obsolete; replace with
Frech> XF:palace-malicious-servers-vuln
=================================
Candidate: CAN-1999-0408
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990225 Cobalt root exploit
Reference: XF:cobalt-raq-history-exposure
Reference: BID:337
Files created from interactive shell sessions in Cobalt RaQ
microservers (e.g. .bash_history) are world readable, and thus are
accessible from the web server.
Modifications:
CHANGEREF BUGTRAQ add title
INFERRED VOTE: CAN-1999-0408 ACCEPT_ACK (2 accept, 1 ack, 0 review)
VOTES:
ACCEPT(2) Ozancin, Frech
NOOP(1) Wall
=================================
Candidate: CAN-1999-0409
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990304 Linux /usr/bin/gnuplot overflow
Reference: XF:gnuplot-home-overflow
Reference: BID:319
Buffer overflow in gnuplot in Linux version 3.5 allows local users to
obtain root access.
INFERRED VOTE: CAN-1999-0409 ACCEPT_ACK (2 accept, 1 ack, 0 review)
VOTES:
ACCEPT(2) Ozancin, Frech
NOOP(1) Wall
=================================
Candidate: CAN-1999-0421
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: ISS:Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations
Reference: XF:linux-slackware-install
Reference: BID:338
During a reboot after an installation of Linux Slackware 3.6, a remote
attacker can obtain root access by logging in to the root account
without a password.
Modifications:
ADDREF BID:338
ADDREF XF:linux-slackware-install
INFERRED VOTE: CAN-1999-0421 ACCEPT_ACK (2 accept, 1 ack, 0 review)
VOTES:
ACCEPT(2) Hill, Northcutt
MODIFY(1) Frech
COMMENTS:
Frech> XF:linux-slackware-install
=================================
Candidate: CAN-1999-0428
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990322 OpenSSL/SSLeay Security Alert
Reference: XF:ssl-session-reuse
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and
bypass access controls.
Modifications:
CHANGEREF BUGTRAQ [add title]
DESC add "bypass access controls"
INFERRED VOTE: CAN-1999-0428 ACCEPT_ACK (2 accept, 1 ack, 0 review)
VOTES:
ACCEPT(2) Wall, Frech
=================================
Candidate: CAN-1999-0439
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991207-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990405 Re: [SECURITY] new version of procmail with security fixes
Reference: DEBIAN:19990422
Reference: CALDERA:CSSA-1999:007
Reference: XF:procmail-overflow
Buffer overflow in procmail before version 3.12 allows remote or local
attackers to execute commands via expansions in the procmailrc
configuration file.
Modifications:
DESC reword
INFERRED VOTE: CAN-1999-0439 ACCEPT_ACK (2 accept, 2 ack, 0 review)
VOTES:
ACCEPT(1) Ozancin
MODIFY(1) Frech
NOOP(1) Wall
COMMENTS:
Frech> Poorly summarized. See procmail-overflow.
=================================
Candidate: CAN-1999-0470
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:netware-remotenlm-passwords
Reference: BUGTRAQ:19990409 New Novell Remote.NLM Password Decryption Algorithm with Exploit
A weak encryption algorithm is used for passwords in Novell
Remote.NLM, allowing them to be easily decrypted.
Modifications:
CHANGEREF BUGTRAQ [add title]
INFERRED VOTE: CAN-1999-0470 ACCEPT (4 accept, 0 review)
VOTES:
ACCEPT(5) Wall, Northcutt, Baker, Ozancin, Frech