[FINAL] ACCEPT 23 candidates from CERT2 cluster
I have made a Final Decision to ACCEPT the following candidates.
These candidates are now assigned CVE names as noted below. The
resulting CVE entries will be published in the near future in a new
version of CVE. Voting details and comments are provided at the end
of this report.
- Steve
Candidate       CVE Name
---------       ----------
CAN-1999-0687   CVE-1999-0687
CAN-1999-0689   CVE-1999-0689
CAN-1999-0691   CVE-1999-0691
CAN-1999-0692   CVE-1999-0692
CAN-1999-0693   CVE-1999-0693
CAN-1999-0704   CVE-1999-0704
CAN-1999-0722   CVE-1999-0722
CAN-1999-0833   CVE-1999-0833
CAN-1999-0835   CVE-1999-0835
CAN-1999-0837   CVE-1999-0837
CAN-1999-0848   CVE-1999-0848
CAN-1999-0849   CVE-1999-0849
CAN-1999-0851   CVE-1999-0851
CAN-1999-0868   CVE-1999-0868
CAN-1999-0878   CVE-1999-0878
CAN-1999-0879   CVE-1999-0879
CAN-1999-0880   CVE-1999-0880
CAN-1999-0938   CVE-1999-0938
CAN-1999-0956   CVE-1999-0956
CAN-1999-0960   CVE-1999-0960
CAN-1999-0962   CVE-1999-0962
CAN-1999-0963   CVE-1999-0963
CAN-1999-0965   CVE-1999-0965
=================================
Candidate: CAN-1999-0687
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990913 Vulnerability in ttsession
Reference: SUN:00185
Reference: HP:HPSBUX9909-103
Reference: COMPAQ:SSRT0617U_TTSESSION
Reference: CIAC:K-001
Reference: CERT:CA-99-11
Reference: BID:637
Reference: XF:cde-ttsession-rpc-auth
The ToolTalk ttsession daemon uses weak RPC authentication, which
allows a remote attacker to execute commands.
Modifications:
CHANGEREF CIAC:J-051 CIAC:K-001
ADDREF XF:cde-ttsession-rpc-auth
DESC correct capitalization in ToolTalk, add execute commands
INFERRED VOTE: CAN-1999-0687 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(3) Armstrong, Ozancin, Prosser
MODIFY(3) Cole, Frech, Stracener
COMMENTS:
Cole> I would add at the end that this vulnerability can be used to execute
Cole> arbitrary programs.
Frech> XF:cde-ttsession-rpc-auth
Frech> MODREF:CIAC:K-001 (J-051 relates to Calendar Manager)
Stracener> Remove REF: CIAC: J-051 (Advisory not relevant to this CAN). It should
Stracener> be "ToolTalk" rather than "Tooltalk"
=================================
Candidate: CAN-1999-0689
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990913 Vulnerability in dtspcd
Reference: SUN:00185
Reference: HP:HPSBUX9909-103
Reference: CERT:CA-99-11
Reference: XF:cde-dtspcd-file-auth
Reference: BID:636
The CDE dtspcd daemon allows local users to execute arbitrary commands
via a symlink attack.
Modifications:
DESC Change impact
DESC ADDREF XF:cde-dtspcd-file-auth
INFERRED VOTE: CAN-1999-0689 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
MODIFY(2) Cole, Frech
COMMENTS:
Cole> The attack indirectly allows users to gain privileges. The main
Cole> vulnerability of the attack is that users can execute commands as root. I
Cole> would update the exploit to reflect this.
Frech> XF:cde-dtspcd-file-auth
=================================
Candidate: CAN-1999-0691
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990913 Vulnerability in dtaction
Reference: SUN:00185
Reference: HP:HPSBUX9909-103
Reference: COMPAQ:SSRTO615U_DTACTION
Reference: CERT:CA-99-11
Reference: XF:cde-dtaction-username-bo
Reference: BID:635
Buffer overflow in the AddSuLog function of the CDE dtaction utility
allows local users to gain root privileges via a long user name.
Modifications:
DESC Add AddSuLog to description.
ADDREF XF:cde-dtaction-username-bo
INFERRED VOTE: CAN-1999-0691 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Armstrong, Ozancin, Stracener
MODIFY(2) Frech, Prosser
COMMENTS:
Frech> XF:cde-dtaction-username-bo
Prosser> Overflow is in the AddSuLog function. Might want to add this to the
Prosser> description to differentiate from other CDE dtaction vulnerabilities
=================================
Candidate: CAN-1999-0692
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: CF
Reference: CERT:CA-99-09
Reference: CIAC:J-052
Reference: SGI:19990701-01-P
Reference: XF:sgi-arrayd
The default configuration of the Array Services daemon (arrayd)
disables authentication, allowing remote users to gain root
privileges.
Modifications:
ADDREF XF:sgi-arrayd
INFERRED VOTE: CAN-1999-0692 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:sgi-arrayd
=================================
Candidate: CAN-1999-0693
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: CERT:CA-99-11
Reference: SUN:00185
Reference: HP:HPSBUX9909-103
Reference: BID:641
Reference: XF:cde-dtsession-env-bo
Buffer overflow in TT_SESSION environment variable in ToolTalk shared
library allows local users to gain root privileges.
Modifications:
DESC Add impact
ADDREF XF:cde-dtsession-env-bo
INFERRED VOTE: CAN-1999-0693 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
MODIFY(2) Cole, Frech
COMMENTS:
Cole> I would add that this allows users to execute commands as root.
Frech> XF:cde-dtsession-env-bo
=================================
Candidate: CAN-1999-0704
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: REDHAT:RHSA-1999:032-01
Reference: CALDERA:CSSA-1999:024.0
Reference: FREEBSD:SA-99:06
Reference: DEBIAN:19991018
Reference: BID:614
Reference: CERT:CA-99-12
Reference: XF:amd-bo
Buffer overflow in Berkeley automounter daemon (amd) logging facility
provided in the Linux am-utils package and others.
INFERRED VOTE: CAN-1999-0704 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(6) Cole, Armstrong, Frech, Ozancin, Prosser, Stracener
=================================
Candidate: CAN-1999-0722
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: CF
Reference: XF:cobalt-raq2-default-config
Reference: CERT:CA-99-10
The default configuration of Cobalt RaQ2 servers allows remote
users to install arbitrary software packages.
Modifications:
ADDREF XF:cobalt-raq2-default-config
INFERRED VOTE: CAN-1999-0722 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Armstrong, Ozancin, Stracener
MODIFY(2) Frech, Prosser
COMMENTS:
Frech> XF:cobalt-raq2-default-config
Prosser> Additional reference http://noram.cobaltnet.com/support/security/index.html
=================================
Candidate: CAN-1999-0833
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: BID:788
Reference: XF:bind-nxt-bo
Buffer overflow in BIND 8.2 via NXT records.
Modifications:
ADDREF BID:788
ADDREF XF:bind-nxt-bo
INFERRED VOTE: CAN-1999-0833 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(3) Armstrong, Ozancin, Stracener
MODIFY(3) Cole, Frech, Prosser
COMMENTS:
Cole> I would that a Buffer overflow in Bind 8.2 fails to validate NXT records,
Cole> which would allow an attacker to execute arbitrary code.
Frech> XF:bind-nxt-bo
Prosser> additional reference: BID 788
=================================
Candidate: CAN-1999-0835
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-sigrecord-dos
Reference: BID:788
Denial of service in BIND named via malformed SIG records.
Modifications:
DESC Add "malformed"
ADDREF XF:bind-sigrecord-dos
ADDREF BID:788
INFERRED VOTE: CAN-1999-0835 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(3) Armstrong, Ozancin, Stracener
MODIFY(3) Cole, Frech, Prosser
COMMENTS:
Cole> I would change it to a Denial of service in BIND based on the failure
Cole> to properly validate SIG records, which could result in crashing the
Cole> named daemon.
Frech> XF:bind-sigrecord-dos
Prosser> additional reference: BID 788
=================================
Candidate: CAN-1999-0837
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-solinger-dos
Reference: BID:788
Denial of service in BIND by improperly closing TCP sessions via
so_linger.
Modifications:
ADDREF XF:bind-solinger-dos
ADDREF BID:788
INFERRED VOTE: CAN-1999-0837 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Armstrong, Ozancin, Stracener
MODIFY(2) Frech, Prosser
COMMENTS:
Frech> XF:bind-solinger-dos
Prosser> additional reference: BID 788
=================================
Candidate: CAN-1999-0848
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: BID:788
Reference: XF:bind-fdmax-dos
Denial of service in BIND named via consuming more than "fdmax" file
descriptors.
Modifications:
ADDREF XF:bind-fdmax-dos
ADDREF BID:788
INFERRED VOTE: CAN-1999-0848 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(3) Armstrong, Ozancin, Stracener
MODIFY(3) Cole, Frech, Prosser
COMMENTS:
Cole> I would add consuming more "fdmax file descriptors that BIND can properly
Cole> manage.
Cole> Just a general comment. I do not know what the copyright restrictions are
Cole> but CERT seems to do a pretty good job in coming up with the descriptions.
Cole> Can we just use them because it seems like some of the above ones leave out
Cole> some detail that would be necessary to pinpoint a specific exploit.
Frech> XF:bind-fdmax-dos
Prosser> additional reference: BID 788
=================================
Candidate: CAN-1999-0849
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-maxdname-bo
Denial of service in BIND named via maxdname.
Modifications:
ADDREF XF:bind-maxdname-bo
INFERRED VOTE: CAN-1999-0849 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
MODIFY(2) Cole, Frech
COMMENTS:
Cole> I would add at the end that this is accomplished by not properly handling the
Cole> copying of data from the network.
Frech> XF:bind-maxdname-bo
=================================
Candidate: CAN-1999-0851
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-naptr-dos
Denial of service in BIND named via naptr.
Modifications:
ADDREF XF:bind-naptr-dos
INFERRED VOTE: CAN-1999-0851 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
MODIFY(2) Cole, Frech
COMMENTS:
Cole> I would add that this is done by failing to validate zone information loaded
Cole> from disk files.
Frech> XF:bind-naptr-dos
=================================
Candidate: CAN-1999-0868
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-97.08
Reference: XF:inn-ucbmail-shell-meta
ucbmail allows remote attackers to execute commands via shell
metacharacters that are passed to it from INN.
Modifications:
ADDREF XF:inn-ucbmail-shell-meta
INFERRED VOTE: CAN-1999-0868 ACCEPT (5 accept, 0 review)
VOTES:
ACCEPT(3) Ozancin, Prosser, Stracener
MODIFY(2) Cole, Frech
NOOP(2) Armstrong, Christey
COMMENTS:
Cole> This is accomplished because INN does not remove certain shell
Cole> metacharacters from the data in the control message.
Cole> I am assuming that the other vulnerability in innd is covered by a different
Cole> CVE number. I just want to make sure we do not miss it.
Frech> XF:inn-ucbmail-shell-meta
Christey> The other INN problem is CVE-1999-0043.
=================================
Candidate: CAN-1999-0878
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: AUSCERT:AA-1999.01
Reference: CERT:CA-99-13
Reference: REDHAT:RHSA1999031_01
Reference: XF:wu-ftpd-dir-name
Reference: BID:599
Buffer overflow in WU-FTPD and related FTP servers allows remote
attackers to gain root privileges via MAPPING_CHDIR.
Modifications:
ADDREF XF:wu-ftpd-dir-name
ADDREF AUSCERT:AA-1999.01
INFERRED VOTE: CAN-1999-0878 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:wu-ftpd-dir-name
=================================
Candidate: CAN-1999-0879
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-99-13
Reference: XF:wuftp-message-file-root
Buffer overflow in WU-FTPD and related FTP servers allows remote
attackers to gain root privileges via macro variables in a message
file.
Modifications:
ADDREF XF:wuftp-message-file-root
INFERRED VOTE: CAN-1999-0879 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
MODIFY(2) Cole, Frech
COMMENTS:
Cole> This is accomplished by overwriting the stack of the FTP daemon.
Frech> XF:wuftp-message-file-root
=================================
Candidate: CAN-1999-0880
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-99-13
Reference: XF:wuftp-site-newer-dos
Denial of service in WU-FTPD via the SITE NEWER command, which does
not free memory properly.
Modifications:
ADDREF XF:wuftp-site-newer-dos
DESC change "memory leak" to "free memory"
INFERRED VOTE: CAN-1999-0880 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
MODIFY(2) Cole, Frech
COMMENTS:
Cole> It is not really a memory leak, it is just that the program fails to free up
Cole> memory under certain circumstances.
Frech> XF:wuftp-site-newer-dos
=================================
Candidate: CAN-1999-0938
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:VN-99-03
Reference: XF:sdr-execute
MBone SDR Package allows remote attackers to execute commands via
shell metacharacters in Session Initiation Protocol (SIP) messages.
Modifications:
ADDREF XF:sdr-execute
INFERRED VOTE: CAN-1999-0938 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:sdr-execute
=================================
Candidate: CAN-1999-0956
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-93.02a
Reference: XF:next-netinfo
The NeXT NetInfo _writers property allows local users to gain root
privileges or conduct a denial of service.
Modifications:
ADDREF XF:next-netinfo
INFERRED VOTE: CAN-1999-0956 ACCEPT (5 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Ozancin, Prosser, Stracener
MODIFY(1) Frech
NOOP(1) Armstrong
COMMENTS:
Frech> XF:next-netinfo
=================================
Candidate: CAN-1999-0960
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: AUSCERT:AA-96.11
Reference: SGI:19980301-01-PX
Reference: XF:irix-cdplayer-directory-create
IRIX cdplayer allows local users to create directories in arbitrary
locations via a command line option.
Modifications:
ADDREF XF:irix-cdplayer-directory-create
INFERRED VOTE: CAN-1999-0960 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:irix-cdplayer-directory-create
=================================
Candidate: CAN-1999-0962
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: AUSCERT:AA-96.13
Reference: HP:HPSBUX9701-045
Reference: XF:hp-password-cmd-bo
Buffer overflow in HPUX passwd command allows local users to gain root
privileges via a command line option.
Modifications:
ADDREF XF:hp-password-cmd-bo
INFERRED VOTE: CAN-1999-0962 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:hp-password-cmd-bo
=================================
Candidate: CAN-1999-0963
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19960316 BoS: SECURITY BUG in FreeBS
Reference: CERT:VB-96.06
Reference: XF:freebsd-mount-union-root
FreeBSD mount_union command allows local users to gain root privileges
via a symlink attack.
Modifications:
ADDREF XF:freebsd-mount-union-root
INFERRED VOTE: CAN-1999-0963 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:freebsd-mount-union-root
=================================
Candidate: CAN-1999-0965
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-93.17
Reference: XF:xterm
Race condition in xterm allows local users to modify arbitrary files
via the logging option.
Modifications:
ADDREF XF:xterm
INFERRED VOTE: CAN-1999-0965 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:xterm