[FINAL] ACCEPT 17 candidates from various clusters

To: cve-editorial-board-list@lists.mitre.org
Subject: [FINAL] ACCEPT 17 candidates from various clusters
From: "Steven M. Christey" <coley@linus.mitre.org>
Date: Mon, 3 Jan 2000 22:19:41 -0500 (EST)
Delivery-Date: Mon Jan 3 22:25:38 2000
Sender: owner-cve-editorial-board-list@lists.mitre.org
I have made a Final Decision to ACCEPT the following candidates.
These candidates are now assigned CVE names as noted below.  The
resulting CVE entries will be published in the near future in a new
version of CVE.  Voting details and comments are provided at the end
of this report.

- Steve


Candidate	CVE Name
---------	----------
CAN-1999-0151	CVE-1999-0151
CAN-1999-0212	CVE-1999-0212
CAN-1999-0275	CVE-1999-0275
CAN-1999-0280	CVE-1999-0280
CAN-1999-0290	CVE-1999-0290
CAN-1999-0291	CVE-1999-0291
CAN-1999-0297	CVE-1999-0297
CAN-1999-0304	CVE-1999-0304
CAN-1999-0318	CVE-1999-0318
CAN-1999-0322	CVE-1999-0322
CAN-1999-0343	CVE-1999-0343
CAN-1999-0408	CVE-1999-0408
CAN-1999-0409	CVE-1999-0409
CAN-1999-0421	CVE-1999-0421
CAN-1999-0428	CVE-1999-0428
CAN-1999-0439	CVE-1999-0439
CAN-1999-0470	CVE-1999-0470



=================================
Candidate: CAN-1999-0151
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.07a.REVISED.satan.vul
Reference: CERT:CA-95.06.satan.vul

The SATAN session key may be disclosed if the user points the web
browser to other sites, possibly allowing root access.

INFERRED VOTE: CAN-1999-0151 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(2) Hill, Northcutt
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:satan-scan


=================================
Candidate: CAN-1999-0212
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00168
Reference: CIAC:I-048
Reference: XF:sun-mountd

Solaris rpc.mountd generates error messages that allow a remote
attacker to determine what files are on the server.

Modifications:
  DESC remove Linux
  ADDREF XF:sun-mountd
  ADDREF CIAC:I-048

INFERRED VOTE: CAN-1999-0212 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(1) Prosser
   MODIFY(2) Northcutt, Frech
   NOOP(1) Christey

COMMENTS:
 Northcutt> I am concerned that Linux is becoming too
 Northcutt> non descript a word, in the past two weeks I have run
 Northcutt> across 3 Linuxes I had never heard of before.  I think we need
 Northcutt> to start being specific when we mention Linux either by
 Northcutt> the kernal or vendor or something.
 Frech> Reference: XF:sun-mountd
 Christey> Does this affect more than Solaris mountd?


=================================
Candidate: CAN-1999-0275
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: XF:nt-dnscrash
Reference: XF:nt-dnsver
Reference: MS:Q169461

Denial of service in Windows NT DNS servers by flooding port 53 with
too many characters.

Modifications:
  CHANGEREF XF:nt-dns-crash XF:nt-dnscrash
  DESC slight change to mention port 53 specifically.
  ADDREF XF:nt-dnsver

INFERRED VOTE: CAN-1999-0275 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(1) Ozancin
   MODIFY(2) Wall, Frech
   NOOP(1) Christey

COMMENTS:
 Wall> Denial of service in Windows NT DNS servers by malicious telnet attack.
 Frech> Change XF:nt-dns-crash to XF:nt-dnscrash
 Frech> ADDREF XF:nt-dnsver
 Christey> The XF entry, and the corresponding Microsoft KB articles,
 Christey> indicate that there is more than one vulnerability related to
 Christey> the DNS server.  Other candidates need to be created for the
 Christey> other cases, including the telnet case that Mike mentions.


=================================
Candidate: CAN-1999-0280
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:19970317 Internet Explorer Bug #4
Reference: CIAC:H-38
Reference: XF:http-ie-lnkurl

Remote command execution in Microsoft Internet Explorer using .lnk and
.url files.

Modifications:
  ADDREF CIAC:H-38
  ADDREF XF:http-ie-lnkurl
  ADDREF NTBUGTRAQ:19970317 Internet Explorer Bug #4

INFERRED VOTE: CAN-1999-0280 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Hill, Wall, Northcutt, Proctor, Balinsky
   MODIFY(2) Frech, Prosser
   NOOP(1) Christey

COMMENTS:
 Frech> XF:http-ie-lnkurl
 Prosser> additional source
 Prosser> CIAC Bulletin H-38
 Prosser> http://www.ciac.org
 Prosser> Microsoft Internet Explorer Security Updates
 Prosser> "Internet Explorer 3.02 Includes All Security"
 Prosser> http://www.microsoft.com/windows/ie/security
 Christey> Mike's Microsoft reference is no longer listed there.
 Christey> This topic appears to have generated a long NTBugtraq thread.


=================================
Candidate: CAN-1999-0290
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980221 WinGate DoS
Reference: BUGTRAQ:19980326 WinGate Intermediary Fix/Update
Reference: XF:wingate-dos

The WinGate telnet proxy allows remote attackers to cause a denial of
service via a large number of connections to localhost.

Modifications:
  ADDREF BUGTRAQ:19980221 WinGate DoS
  ADDREF BUGTRAQ:19980326 WinGate Intermediary Fix/Update
  ADDREF XF:wingate-dos
  DESC Add localhost info

INFERRED VOTE: CAN-1999-0290 ACCEPT (4 accept, 0 review)

VOTES:
   ACCEPT(3) Hill, Blake, Northcutt
   MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> XF:wingate-dos
 Prosser> additional source
 Prosser> Hrvoje Crvelin
 Prosser> Security Bugware
 Prosser> http://161.53.42.3/~crv/security/bugs/NT/wingate2.html


=================================
Candidate: CAN-1999-0291
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990630
Assigned: 19990607
Category: unknown
Reference: XF:wingate-unpassworded

The WinGate proxy is installed without a password, which allows
remote attackers to redirect connections without authentication.

Modifications:
  ADDREF XF:wingate-unpassworded

INFERRED VOTE: CAN-1999-0291 ACCEPT (5 accept, 0 review)

VOTES:
   ACCEPT(4) Hill, Blake, Northcutt, Ozancin
   MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> Description needs more info or references on how this redirection takes
 Frech> place. Is it by password access" If so, consider these two references:
 Frech> XF:wingate-unpassworded
 Frech> XF:wingate-registry-passwords
 Prosser> believe this is the "WinGate Bounce" described in
 Prosser> Hrvoje Crvelin's
 Prosser> Security Bugware
 Prosser> http://161.53.42.3/~crv/security/bugs/NT/wingate.htm


=================================
Candidate: CAN-1999-0297
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991216-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NAI:NAI-3
Reference: AUSCERT:AA-96.21
Reference: CIAC:H-17
Reference: XF:vixie-cron

Buffer overflow in Vixie Cron library up to version 3.0 allows local
users to obtain root access via a long environmental variable.

Modifications:
  ADDREF AUSCERT:AA-96.21
  ADDREF CIAC:H-17
  ADDREF XF:vixie-cron
  DESC identify the environmental variable, modify version

INFERRED VOTE: CAN-1999-0297 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Northcutt, Hill
   MODIFY(2) Prosser, Frech

COMMENTS:
 Prosser> This appears to be the same as the Cron BO reported in CIAC
 Prosser> H-17 which affects versions of the vixie cron package up to and including
 Prosser> 3.0
 Frech> XF:vixie-cron


=================================
Candidate: CAN-1999-0304
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:bsd-mmap
Reference: FreeBSD:FreeBSD-SA-98:02

mmap function in BSD allows local attackers in the kmem group to
modify memory through devices.

INFERRED VOTE: CAN-1999-0304 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(3) Hill, Frech, Northcutt


=================================
Candidate: CAN-1999-0318
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991216-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19961125 Security Problems in XMCD
Reference: BUGTRAQ:19961125 XMCD v2.1 released (was: Security Problems in XMCD)
Reference: XF:xmcd-envbo

Buffer overflow in xmcd 2.0p12 allows local users to gain access
through an environmental variable.

Modifications:
  ADDREF BUGTRAQ:19961125 Security Problems in XMCD
  ADDREF BUGTRAQ:19961125 XMCD v2.1 released (was: Security Problems in XMCD)

INFERRED VOTE: CAN-1999-0318 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(3) Northcutt, Hill, Frech
   NOOP(1) Prosser


=================================
Candidate: CAN-1999-0322
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-97:05
Reference: XF:freebsd-open

The open() function in FreeBSD allows local attackers to write
to arbitrary files.

INFERRED VOTE: CAN-1999-0322 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(3) Hill, Frech, Northcutt


=================================
Candidate: CAN-1999-0343
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19981002 Announcements from The Palace (fwd)
Reference: XF:palace-malicious-servers-vuln

A malicious Palace server can force a client to execute arbitrary
programs.

Modifications:
  ADDREF BUGTRAQ:19981002 Announcements from The Palace (fwd)
  CHANGEREF XF:palace-execute XF:palace-malicious-servers-vuln

INFERRED VOTE: CAN-1999-0343 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(2) Northcutt, Baker
   MODIFY(1) Frech
   NOOP(2) Shostack, Prosser

COMMENTS:
 Shostack> The description worries me.  Can force any client?  Can force an
 Shostack> overly trusting client?
 Frech> XF reference above is obsolete; replace with
 Frech> XF:palace-malicious-servers-vuln


=================================
Candidate: CAN-1999-0408
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990225 Cobalt root exploit
Reference: XF:cobalt-raq-history-exposure
Reference: BID:337

Files created from interactive shell sessions in Cobalt RaQ
microservers (e.g. .bash_history) are world readable, and thus are
accessible from the web server.

Modifications:
  CHANGEREF BUGTRAQ add title

INFERRED VOTE: CAN-1999-0408 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(2) Ozancin, Frech
   NOOP(1) Wall


=================================
Candidate: CAN-1999-0409
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990304 Linux /usr/bin/gnuplot overflow
Reference: XF:gnuplot-home-overflow
Reference: BID:319

Buffer overflow in gnuplot in Linux version 3.5 allows local users to
obtain root access.

INFERRED VOTE: CAN-1999-0409 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(2) Ozancin, Frech
   NOOP(1) Wall


=================================
Candidate: CAN-1999-0421
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: ISS:Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations
Reference: XF:linux-slackware-install
Reference: BID:338

During a reboot after an installation of Linux Slackware 3.6, a remote
attacker can obtain root access by logging in to the root account
without a password.

Modifications:
  ADDREF BID:338
  ADDREF XF:linux-slackware-install

INFERRED VOTE: CAN-1999-0421 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(2) Hill, Northcutt
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:linux-slackware-install


=================================
Candidate: CAN-1999-0428
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990322 OpenSSL/SSLeay Security Alert
Reference: XF:ssl-session-reuse

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and
bypass access controls.

Modifications:
  CHANGEREF BUGTRAQ [add title]
  DESC add "bypass access controls"

INFERRED VOTE: CAN-1999-0428 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(2) Wall, Frech


=================================
Candidate: CAN-1999-0439
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991207-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990405 Re: [SECURITY] new version of procmail with security fixes
Reference: DEBIAN:19990422
Reference: CALDERA:CSSA-1999:007
Reference: XF:procmail-overflow

Buffer overflow in procmail before version 3.12 allows remote or local
attackers to execute commands via expansions in the procmailrc
configuration file.

Modifications:
  DESC reword

INFERRED VOTE: CAN-1999-0439 ACCEPT_ACK (2 accept, 2 ack, 0 review)

VOTES:
   ACCEPT(1) Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

COMMENTS:
 Frech> Poorly summarized.  See procmail-overflow.


=================================
Candidate: CAN-1999-0470
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:netware-remotenlm-passwords
Reference: BUGTRAQ:19990409 New Novell Remote.NLM Password Decryption Algorithm with Exploit

A weak encryption algorithm is used for passwords in Novell
Remote.NLM, allowing them to be easily decrypted.

Modifications:
  CHANGEREF BUGTRAQ [add title]

INFERRED VOTE: CAN-1999-0470 ACCEPT (4 accept, 0 review)

VOTES:
   ACCEPT(5) Wall, Northcutt, Baker, Ozancin, Frech
Prev by Date: [FINAL] ACCEPT 17 candidates from UNIX-VEN cluster
Next by Date: [FINAL] ACCEPT 25 candidates from WEB cluster
Prev by thread: [FINAL] ACCEPT 17 candidates from UNIX-VEN cluster
Next by thread: [FINAL] ACCEPT 25 candidates from WEB cluster
Index(es):
- Date
- Thread