[INTERIM] ACCEPT 30 candidates from various clusters (Final 1/18)
I have made an Interim Decision to ACCEPT the following candidates
from various clusters. I will make a Final Decision on January 18.
This decision includes a mixture of legacy and new issues, which will
be just enough to allow us to barely exceed 500 entries on the 18th,
when candidate numbering is expected to go live. A few candidates
were accepted with the minimum number of votes.
The candidates come from the following clusters:
1 MULT
2 CGI
1 FINGER
2 MS
1 CERT2
4 RECENT-01
5 LINUX
1 UNIX-VEN
2 WEB
6 NET-01
5 RECENT-03
Voters:
Shostack ACCEPT(1)
Wall ACCEPT(4) MODIFY(1) NOOP(2)
Ozancin ACCEPT(1) NOOP(2)
Cole ACCEPT(14) MODIFY(6) NOOP(6)
Stracener ACCEPT(22) MODIFY(4)
Frech MODIFY(11) REVIEWING(1)
Christey MODIFY(1) NOOP(10)
Northcutt ACCEPT(2) NOOP(1)
Armstrong ACCEPT(5)
Prosser ACCEPT(9) MODIFY(1) NOOP(1)
Blake ACCEPT(8)
- Steve
=================================
Candidate: CAN-1999-0101
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000105-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:001.1
Reference: ERS:ERS-SVA-E01-1996:007.1
Reference: SUN:00137a
Reference: CIAC:H-13
Reference: NAI:NAI-1
Buffer overflow in AIX and Solaris "gethostbyname" library call allows
root access through corrupt DNS host names.
Modifications:
ADDREF CIAC:H-13
CONTENT-DECISIONS: SF-CODEBASE
INFERRED ACTION: CAN-1999-0101 ACCEPT_ACK (2 accept, 3 ack, 0 review) HAS_CDS
Current Votes:
ACCEPT(1) Prosser
MODIFY(1) Frech
NOOP(1) Christey
Comments:
Frech> XF:ghbn-bo
Frech> in addition to ERS:1997:001.1, also include 1996:007.1
Frech> Sun's bulletin is 137a, not 137.
Prosser> concur with Andre, sun bul is 137a
Christey> The NAI advisory discusses a problem with programs trusting
Christey> the length field that is returned from gethostbyname().
Christey> The ERS and SUN advisories implicitly refer to
Christey> BUGTRAQ:19961118 Serious hole in Solaris 2.5[.1]
Christey> gethostbyname() (exploit included)
Christey> which allows local users to gain access by providing
Christey> arguments *to* gethostbyname().
Christey> As both Andre and Mike's comments relate to the advisories,
Christey> NAI-1 will be deleted as a reference for this candidate, and
Christey> a new candidate will be proposed later on.
=================================
Candidate: CAN-1999-0233
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MSKB:Q148188
Reference: XF:http-iis-cmd
IIS allows users to execute arbitrary commands using .bat or .cmd
files.
Modifications:
ADDREF MSKB:Q148188
DESC Remove WebSite reference.
INFERRED ACTION: CAN-1999-0233 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)
Current Votes:
ACCEPT(2) Northcutt, Prosser
NOOP(1) Christey
REVIEWING(1) Frech
Comments:
Frech> XF reference is correct, but cannot find supporting reference for WebSite
Frech> vulnerability.
Frech> No further action to be taken unless more information forthcoming.
Christey> Can't find the WebSite mention now, so I will remove it.
=================================
Candidate: CAN-1999-0259
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000106-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19970523 cfingerd vulnerability
Reference: XF:cfinger-user-enumeration
cfingerd lists all users on a system via search.**@target.
Modifications:
ADDREF BUGTRAQ:19970523 cfingerd vulnerability
ADDREF XF:cfinger-user-enumeration
INFERRED ACTION: CAN-1999-0259 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Shostack
MODIFY(1) Frech
NOOP(1) Northcutt
Comments:
Frech> XF:cfinger-user-enumeration
=================================
Candidate: CAN-1999-0270
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CIAC:I-041
Reference: XF:sgi-pfdispaly
pfdispaly CGI program for SGI's Performer API Search Tool allows read
access to files.
Modifications:
ADDREF CIAC:I-041
ADDREF XF:sgi-pfdispaly
INFERRED ACTION: CAN-1999-0270 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Northcutt, Prosser
MODIFY(1) Frech
NOOP(1) Christey
Comments:
Prosser> additional source
Prosser> CIAC Security Bulletin I-041
Prosser> http://www.ciac.org
Frech> XF:sgi-pfdispaly
Frech> XF:sgi-dispaly-patch-vuln
Christey> There are two bugs here, as described in Bugtraq. The first one
Christey> allowed read access to files outside of a document root (a dot dot
Christey> problem). The second one was a shell metacharacter problem.
Christey> Reference: BUGTRAQ:19980407: perfomer_tools again
Christey> CAN-1999-0270 refers to the first problem only.
=================================
Candidate: CAN-1999-0683
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: XF:gauntlet-dos
Reference: BUGTRAQ:19990729 Remotely Lock Up Gauntlet 5.0
Reference: BID:556
Denial of service in Gauntlet Firewall via a malformed ICMP packet.
INFERRED ACTION: CAN-1999-0683 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
MODIFY(1) Cole
Comments:
Cole> The BUGTRAQ number is 19990730 and the BID is 556. This also occurs when an
Cole> ICMP Protocol Problem packet's (ICMP_PARAMPROB) encapsulated IP packet has a
Cole> random protocol field and certain IP options set.
=================================
Candidate: CAN-1999-0694
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: CIAC:J-055
Reference: IBM:ERS-SVA-E01-1999:002.1
Reference: XF:aix-ptrace-halt
Denial of service in AIX ptrace system call allows local users to
crash the system.
Modifications:
ADDREF XF:aix-ptrace-halt
DELREF BUGTRAQ:19990713
INFERRED ACTION: CAN-1999-0694 ACCEPT (4 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(3) Blake, Stracener, Prosser
MODIFY(1) Frech
NOOP(2) Cole, Christey
Comments:
Frech> XF:aix-ptrace-halt
Frech> Please add title to the BugTraq reference, since it was not evident to which
Frech> message you were referring.
Christey> I couldn't find the Bugtraq reference either, which is
Christey> especially odd because the IBM advisory says that the
Christey> problem was discussed in Bugtraq. Bugtraq reference deleted.
=================================
Candidate: CAN-1999-0708
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000106-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990921 BP9909-00: cfingerd local buffer overflow
Reference: BID:651
Buffer overflow in cfingerd allows local users to gain root privileges
via a long GECOS field.
Modifications:
DELREF DEBIAN:19990806
CHANGEREF BUGTRAQ BUGTRAQ:19990921 BP9909-00: cfingerd local buffer overflow
DESC Add GECOS qualifier
INFERRED ACTION: CAN-1999-0708 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Blake, Stracener
MODIFY(1) Cole
NOOP(1) Christey
Comments:
Cole> This is too general. I would add: By setting a carefully designed GECOS
Cole> field it is possible to execute arbitrary code with root (or nobody)
Cole> privileges
Christey> There is no associated DEBIAN reference here, as
Christey> DEBIAN:19990806 refers to an older remote-only buffer overflow
Christey> in the username, not GECOS. (BID:512 also discusses that
Christey> remote problem, though it may not be exploitable).
=================================
Candidate: CAN-1999-0734
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991125
Category: CF
Reference: CISCO: CiscoSecure Access Control Server for UNIX Remote Administration Vulnerability
Reference: XF:ciscosecure-read-write
A default configuration of CiscoSecure Access Control Server (ACS)
allows remote users to modify the server database without
authentication.
INFERRED ACTION: CAN-1999-0734 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
=================================
Candidate: CAN-1999-0742
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: DEBIAN:19990623
Reference: BID:480
The Debian mailman package uses weak authentication, which allows
attackers to gain privileges.
Modifications:
ADDREF BID:480
INFERRED ACTION: CAN-1999-0742 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Blake, Stracener
NOOP(1) Cole
=================================
Candidate: CAN-1999-0743
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: XF:trn-symlinks
Reference: DEBIAN:19990823c
Reference: SUSE:19990824 Security hole in trn
Trn allows local users to overwrite other users' files via symlinks.
Modifications:
ADDREF SUSE:19990824 Security hole in trn
INFERRED ACTION: CAN-1999-0743 ACCEPT_ACK (2 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(1) Blake
MODIFY(1) Stracener
NOOP(1) Cole
Comments:
Stracener> Add Ref: SUSE: Security hole in trn 24.08.99
=================================
Candidate: CAN-1999-0753
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: unknown
Reference: BUGTRAQ:19990817 Stupid bug in W3-msql
Reference: XF:mini-sql-w3-msql-cgi
Reference: BID:591
The w3-msql CGI script provided with Mini SQL allows remote attackers
to view restricted directories.
Modifications:
ADDREF XF:mini-sql-w3-msql-cgi
INFERRED ACTION: CAN-1999-0753 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(3) Cole, Blake, Stracener
NOOP(1) Christey
Comments:
Christey> May be a configuration error and not a software flaw. See
Christey> BUGTRAQ:19990820 Re: Stupid bug in W3-msql (David J. Hughes)
=================================
Candidate: CAN-1999-0768
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BID:602
Reference: REDHAT:RHSA-1999:030-02
Reference: SUSE:19990829 Security hole in cron
Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO
environment variable.
INFERRED ACTION: CAN-1999-0768 ACCEPT (3 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(1) Blake
MODIFY(3) Cole, Christey, Stracener
Comments:
Cole> I would be a little clearer: By utilizing the MAILTO environment variable, a
Cole> buffer can be overflown in the cron_popen() function, allowing an attacker
Cole> to execute arbitrary code.
Christey> Although the descriptions don't reflect it, CAN-1999-0872 and
Christey> CAN-1999-0768 are different. One has to do with a buffer
Christey> overflow; the other deals with a user supplying their own
Christey> Sendmail config file. BID:602 and BID:611 show this.
Stracener> Add Ref: SUSE: Security hole in cron 29.08.1999:
=================================
Candidate: CAN-1999-0770
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990729 Simple DOS attack on FW-1
Reference: BID:549
Reference: CHECKPOINT:ACK DOS ATTACK
Firewall-1 sets a long timeout for connections that begin with ACK or
other packets except SYN, allowing an attacker to conduct a denial of
service via a large number of connection attempts to unresponsive
systems.
INFERRED ACTION: CAN-1999-0770 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
=================================
Candidate: CAN-1999-0775
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: CISCO:19990610 Cisco IOS Software established Access List Keyword Error
Reference: XF:cisco-gigaswitch
Cisco Gigabit Switch routers running IOS allow remote attackers to
forward unauthorized packets due to improper handling of the
"established" keyword in an access list.
Modifications:
ADDREF XF:cisco-gigaswitch
INFERRED ACTION: CAN-1999-0775 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
=================================
Candidate: CAN-1999-0811
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990721 Samba 2.0.5 security fixes
Reference: REDHAT:RHSA-1999:022-02
Reference: CALDERA:CSSA-1999:018.0
Reference: SUSE:19990816 Security hole in Samba
Reference: DEBIAN:19990731 Samba
Reference: XF:samba-message-bo
Reference: BID:536
Buffer overflow in Samba smbd program via a malformed message
command.
Modifications:
DESC add details
ADDREF CALDERA:CSSA-1999:018.0
ADDREF SUSE:19990816 Security hole in Samba
ADDREF DEBIAN:19990731 Samba
ADDREF XF:samba-message-bo
ADDREF BID:536
INFERRED ACTION: CAN-1999-0811 ACCEPT_ACK (2 accept, 5 ack, 0 review)
Current Votes:
ACCEPT(1) Blake
MODIFY(1) Stracener
NOOP(1) Cole
Comments:
Stracener> Add Ref: CALDERA: CSSA-1999:018.0
Stracener> Add Ref: DEBIAN: Samba [31-Jul-1999]
Stracener> Add Ref: SUSE: Security hole in Samba 16.08.1999
=================================
Candidate: CAN-1999-0831
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CALDERA:CSSA-1999-035.0
Reference: REDHAT:RHSA1999055-01
Reference: SUSE:19991118 syslogd-1.3.33 (a1)
Reference: BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available]
Reference: BID:809
Reference: XF:slackware-syslogd-dos
Denial of service in Linux syslogd via a large number of connections.
Modifications:
ADDREF CALDERA:CSSA-1999-035.0
ADDREF REDHAT:RHSA1999055-01
ADDREF SUSE:19991118 syslogd-1.3.33 (a1)
DESC Change description to apply to all Linux
ADDREF XF:slackware-syslogd-dos
ADDREF BID:809
INFERRED ACTION: CAN-1999-0831 ACCEPT (5 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(3) Armstrong, Cole, Prosser
MODIFY(2) Stracener, Frech
NOOP(1) Christey
Comments:
Christey> ADDREF CALDERA:CSSA-1999-035.0
Christey> ADDREF REDHAT:RHSA1999055-01
Christey> ADDREF SUSE:19991118 syslogd-1.3.33 (a1)
Christey> Change description to apply to all Linux
Stracener> Given that this issue is not slackware-specific, the description should
Stracener> be made more generic, possibly: "Denial of service in syslogd via a
Stracener> large number of connections"
Stracener> Add Ref: CSSA-1999-035.0
Stracener> Add Ref: RHSA1999055-01
Stracener> Add Ref: SuSE Security Announcement - syslogd (a1)
Stracener> Add Ref: Cobalt Networks -- Security Advisory -- 11.20.1999 (syslog)
Frech> XF:slackware-syslogd-dos
=================================
Candidate: CAN-1999-0834
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991201 Security Advisory: Buffer overflow in RSAREF2
Reference: BUGTRAQ:19991202 OpenBSD sslUSA26 advisory (Re: CORE-SDI: Buffer overflow in RSAREF2)
Reference: CERT:CA-99-15
Reference: BID:843
Reference: XF:rsaref-bo
Buffer overflow in RSAREF2 via the encryption and decryption functions
in the RSAREF library.
Modifications:
ADDREF XF:rsaref-bo
INFERRED ACTION: CAN-1999-0834 ACCEPT (5 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(3) Armstrong, Cole, Stracener
MODIFY(2) Prosser, Frech
Comments:
Prosser> Ref: CERT Ca-99-15, Buffer Overflows in SSH Daemon and RSAREF2 Library
Prosser> SecuriTeam.com, SSH1.2.27 is vulnerable to a remote buffer overflow (RSAREF)
Frech> XF:rsaref-bo
=================================
Candidate: CAN-1999-0847
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991129 FICS buffer overflow
Reference: XF:fics-board-bo
Buffer overflow in free internet chess server (FICS) program, xboard.
Modifications:
ADDREF XF:fics-board-bo
INFERRED ACTION: CAN-1999-0847 ACCEPT (3 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(1) Frech
NOOP(2) Cole, Prosser
Comments:
Frech> XF:fics-board-bo
=================================
Candidate: CAN-1999-0853
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:847
Reference: ISS:19991201 Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure
Reference: XF:netscape-fasttrack-auth-bo
Buffer overflow in Netscape Enterprise Server and Netscape
FastTrack Server allows remote attackers to gain privileges via the
HTTP Basic Authentication procedure.
Modifications:
ADDREF XF:netscape-fasttrack-auth-bo
INFERRED ACTION: CAN-1999-0853 ACCEPT (5 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(3) Armstrong, Stracener, Prosser
MODIFY(2) Cole, Frech
Comments:
Cole> I would add that this is a remote buffer overflow...
Frech> XF:netscape-fasttrack-auth-bo
=================================
Candidate: CAN-1999-0875
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991208
Category: CF
Reference: L0PHT:19990811
Reference: MSKB:Q216141
Reference: BID:578
Reference: XF:irdp-gateway-spoof
DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow
remote attackers to modify their default routes.
Modifications:
ADDREF XF:irdp-gateway-spoof
INFERRED ACTION: CAN-1999-0875 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
=================================
Candidate: CAN-1999-0881
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991025 Falcon Web Server
Reference: BINDVIEW:Falcon Web Server
Reference: BID:743
Reference: XF:falcon-path-parsing
Falcon web server allows remote attackers to read arbitrary files via
a .. (dot dot) attack.
Modifications:
ADDREF XF:falcon-path-parsing
ADDREF BID:743
INFERRED ACTION: CAN-1999-0881 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Blake, Stracener
NOOP(1) Cole
=================================
Candidate: CAN-1999-0898
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649
Reference: XF:nt-printer-spooler-bo
Reference: BID:768
Buffer overflows in Windows NT 4.0 print spooler allow remote
attackers to gain privileges or cause a denial of service via a
malformed spooler request.
Modifications:
ADDREF XF:nt-printer-spooler-bo
ADDREF BID:768
INFERRED ACTION: CAN-1999-0898 ACCEPT (5 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Wall, Prosser, Stracener
MODIFY(1) Frech
NOOP(2) Ozancin, Christey
Comments:
Frech> XF:nt-printer-spooler-bo
Prosser> (Modify)
Prosser> This maybe should be separated into two entries. One for the DoS which is
Prosser> just done with random data and one for the more experienced attack of
Prosser> gaining privileges on the host.
Christey> While the advisory is not entirely explicit, the difference
Christey> between the DoS and the command execution is only in effect,
Christey> and appears to be in the same line of code, so the SF-LOC
Christey> content decision applies here.
=================================
Candidate: CAN-1999-0899
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649
Reference: BID:769
Reference: XF:nt-printer-spooler-bo
The Windows NT 4.0 print spooler allows a local user to execute
arbitrary commands due to inappropriate permissions that allow the
user to specify an alternate print provider.
Modifications:
ADDREF XF:nt-printer-spooler-bo
ADDREF BID:769
INFERRED ACTION: CAN-1999-0899 ACCEPT (5 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Wall, Prosser, Stracener
MODIFY(1) Frech
NOOP(2) Ozancin, Christey
Comments:
Frech> XF:nt-printer-spooler-bo
Cole> [Originally rejected; vote changed to ACCEPT based on feedback]
Cole> This should be combined with the previous one to state it can cause
Cole> a denial of service or allow commands to be executed. Just because a
Cole> vulnerability can be exploited in different ways does not mean there
Cole> should be separate entries since the underlying exploit is the same.
Christey> This is different than CAN-1999-0898 because 898 is a buffer
Christey> overflow, while this one is incorrect permissions. They
Christey> are different bugs, so should have separate entries. Note
Christey> that MS99-047 also discriminates between these two candidates,
Christey> i.e. it contains the phrase "A second vulnerability exists..."
Christey> and goes on to describe CAN-1999-0899.
=================================
Candidate: CAN-1999-0905
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991020 Remote DoS in Axent's Raptor 6.0
Reference: BID:736
Reference: XF:raptor-ipoptions-dos
Denial of service in Axent Raptor firewall via malformed zero-length
IP options.
Modifications:
ADDREF BID:736
ADDREF XF:raptor-ipoptions-dos
INFERRED ACTION: CAN-1999-0905 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
MODIFY(1) Cole
Comments:
Cole> This occurs when the SECURITY and TIMESTAMP IP options length is set to 0
=================================
Candidate: CAN-1999-0955
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-94.08
Reference: CIAC:E-17
Reference: XF:ftp-exec
Race condition in wu-ftpd and BSDI ftpd allows remote attackers to gain
root access via the SITE EXEC command.
Modifications:
ADDREF XF:ftp-exec
INFERRED ACTION: CAN-1999-0955 ACCEPT (6 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
MODIFY(1) Frech
Comments:
Cole> There are actually two vulnerabilities listed in this CERT. I am assuming
Cole> that the other one is listed in a different CVE.
Frech> XF:ftp-exec
=================================
Candidate: CAN-1999-0992
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: HP:HPSBUX9912-107
HP VirtualVault with the PHSS_17692 patch allows unprivileged
processes to bypass access restrictions via the Trusted Gateway Proxy
(TGP).
INFERRED ACTION: CAN-1999-0992 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
NOOP(1) Wall
=================================
Candidate: CAN-1999-0994
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BINDVIEW:19991216 Windows NT's SYSKEY feature
Reference: MS:MS99-056
Reference: MSKB:Q248183
Reference: BID:873
Windows NT with SYSKEY reuses the keystream that is used for
encrypting SAM password hashes, allowing an attacker to crack
passwords.
INFERRED ACTION: CAN-1999-0994 ACCEPT (3 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(3) Wall, Cole, Stracener
=================================
Candidate: CAN-1999-0995
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: NAI:19991216 Windows NT LSA Remote Denial of Service
Reference: MS:MS99-057
Reference: MSKB:Q248185
Reference: BID:875
Windows NT Local Security Authority (LSA) allows remote attackers to
cause a denial of service via malformed arguments to the LsaLookupSids
function which looks up the SID, aka "Malformed Security Identifier
Request."
Modifications:
ADDREF BID:875
INFERRED ACTION: CAN-1999-0995 ACCEPT (3 accept, 4 ack, 0 review)
Current Votes:
ACCEPT(3) Wall, Cole, Stracener
=================================
Candidate: CAN-1999-0999
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: MS:MS99-059
Reference: MSKB:Q248749
Reference: BID:817
Microsoft SQL 7.0 server allows a remote attacker to cause a denial of
service via a malformed TDS packet.
Modifications:
DESC Add version
ADDREF BID:817
INFERRED ACTION: CAN-1999-0999 ACCEPT (3 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
MODIFY(1) Wall
Comments:
Wall> Microsoft SQL 7.0 server allows a remote attacker to cause a denial of
Wall> service via a malformed TDS packet.
=================================
Candidate: CAN-1999-1001
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities
Cisco Cache Engine allows a remote attacker to gain access via a null
username and password.
INFERRED ACTION: CAN-1999-1001 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(1) Stracener
MODIFY(1) Cole
NOOP(2) Wall, Christey
Comments:
Cole> The references are not that clear.
Christey> While vendor-supplied advisories sometimes aren't clear, they
Christey> have acknowledged the problem and provided enough information
Christey> to attach a CVE name to them.