[PROPOSAL] Cluster RECENT-07 - 23 candidates



The following cluster contains 23 candidates, all of which were
announced between 1/15/2000 and 1/31/2000.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

=================================
Candidate: CAN-2000-0088
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: MS:MS00-002
Reference: XF:office-malformed-convert
Reference: BID:946

Buffer overflow in the conversion utilities for Japanese, Korean and
Chinese Word 5 documents allows an attacker to execute commands, aka
the "Malformed Conversion Data" vulnerability.


VOTE:

=================================
Candidate: CAN-2000-0089
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: NTBUGTRAQ:20000121 RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition
Reference: BUGTRAQ:20000122 RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition
Reference: MS:MS00-004
Reference: MSKB:Q249108
Reference: BID:947
Reference: XF:nt-rdisk-enum-file

The rdisk utility in Microsoft Terminal Server Edition stores registry
hive information in a temporary file with permissions that allow
local users to read it, aka the "RDISK Registry Enumeration File"
vulnerability.


VOTE:

=================================
Candidate: CAN-2000-0090
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: BUGTRAQ:20000124 VMware 1.1.2 Symlink Vulnerability
Reference: XF:linux-vmware-symlink
Reference: BID:943

VMWare 1.1.2 allows local users to cause a denial of service via a
symlink attack.


VOTE:

=================================
Candidate: CAN-2000-0091
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: BUGTRAQ:20000122 remote root qmail-pop with vpopmail advisory and exploit with patch
Reference: BUGTRAQ:20000123 Re: vpopmail/vchkpw remote root exploit
Reference: BID:942

Buffer overflow in vchkpw/vpopmail POP authentication package allows
remote attackers to gain root privileges via a long username or
password.


VOTE:

=================================
Candidate: CAN-2000-0092
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:01
Reference: BID:939

The BSD make program allows local users to modify files via a symlink
attack when the -j option is being used.


VOTE:

=================================
Candidate: CAN-2000-0093
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: BUGTRAQ:20000122 NIS security advisory : password method downgrade
Reference: BUGTRAQ:20000121 Rh 6.1 initial root password encryption

An installation of Red Hat uses DES password encryption with crypt()
for the initial password, instead of md5.


VOTE:

=================================
Candidate: CAN-2000-0094
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: BUGTRAQ:20000121 *BSD procfs vulnerability
Reference: FREEBSD:FreeBSD-SA-00:02
Reference: BID:940

procfs in BSD systems allows local users to gain root privileges by
modifying the /proc/pid/mem interface via a modified file descriptor
for stderr.


VOTE:

=================================
Candidate: CAN-2000-0095
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: HP:HPSBUX0001-110
Reference: BID:944

The PMTU discovery procedure used by HP-UX 10.30 and 11.00 for
determining the optimum MTU generates large amounts of traffic in
response to small packets, allowing remote attackers to cause the
system to be used as a packet amplifier.


VOTE:

=================================
Candidate: CAN-2000-0096
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: BUGTRAQ:20000126 Qpopper security bug
Reference: BID:948

Buffer overflow in qpopper 3.0 beta versions allows local users to
gain privileges via a long LIST command.


VOTE:

=================================
Candidate: CAN-2000-0097
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: NTBUGTRAQ:20000127 Alert: MS IIS 4 / IS 2 (Cerberus Security Advisory CISADV000126)
Reference: MS:MS00-006
Reference: BID:950
Reference: XF:http-indexserver-dirtrans

The WebHits ISAPI filter in Microsoft Index Server allows remote
attackers to read arbitrary files, aka the "Malformed Hit-Highlighting
Argument" vulnerability.


VOTE:

=================================
Candidate: CAN-2000-0098
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: MS:MS00-006

Microsoft Index Server allows remote attackers to determine the real
path for a web directory via a request to an Internet Data Query file
that does not exist.


VOTE:

=================================
Candidate: CAN-2000-0099
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: BUGTRAQ:20000119 Unixware ppptalk

Buffer overflow in UnixWare ppptalk command allows local users to gain
privileges via a long prompt argument.


VOTE:

=================================
Candidate: CAN-2000-0100
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: CF
Reference: NTBUGTRAQ:20000115 Security Vulnerability with SMS 2.0 Remote Control

The SMS Remote Control program is installed with insecure permissions,
which allows local users to gain privileges by modifying or replacing
the program.


VOTE:

=================================
Candidate: CAN-2000-0111
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: BUGTRAQ:20000129 [LoWNOISE] Rightfax web client 5.2
Reference: BID:953

The RightFax web client uses predictable session numbers, which allows
remote attackers to hijack user sessions.


VOTE:

=================================
Candidate: CAN-2000-0113
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: BUGTRAQ:20000128 SyGate 3.11 Port 7323 / Remote Admin hole
Reference: BUGTRAQ:20000202 SV: SyGate 3.11 Port 7323 / Remote Admin hole
Reference: BUGTRAQ:20000203 UPDATE: Sygate 3.11 Port 7323 Telnet Hole
Reference: BID:952

The SyGate Remote Management program does not properly restrict access
to its administration service, which allows remote attackers to
cause a denial of service, or access network traffic statistics.


VOTE:

=================================
Candidate: CAN-2000-0115
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: NTBUGTRAQ:20000121 Strange behaviour IIS and RegExp

IIS allows local users to cause a denial of service via invalid
regular expressions in a Visual Basic script in an ASP page.


VOTE:

=================================
Candidate: CAN-2000-0116
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: NTBUGTRAQ:20000129 "Strip Script Tags" in FW-1 can be circumvented
Reference: BUGTRAQ:20000129 "Strip Script Tags" in FW-1 can be circumvented

Firewall-1 does not properly filter script tags, which allows remote
attackers to bypass the "Strip Script Tags" restriction by including
an extra < in front of the SCRIPT tag.


VOTE:

=================================
Candidate: CAN-2000-0117
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: BUGTRAQ:20000127 Cobalt RaQ2 - a user of mine changed my admin password..
Reference: BUGTRAQ:20000131 [ Cobalt ] Security Advisory -- 01.31.2000

The siteUserMod.cgi program in Cobalt RaQ2 servers allows any Site
Administrator to modify passwords for other users, site
administrators, and possibly admin (root).


VOTE:

=================================
Candidate: CAN-2000-0118
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: BUGTRAQ:20000130 RedHat 6.1 /and others/ PAM

The Red Hat Linux su program does not log failed password guesses if
the su process is killed before it times out, which allows local
attackers to conduct brute force password guessing.


VOTE:

=================================
Candidate: CAN-2000-0119
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: CF
Reference: BUGTRAQ:20000130 Bypass Virus Checking

The default configurations for McAfee Virus Scan and Norton Anti-Virus
virus checkers do not check files in the RECYCLED folder that is used
by the Windows Recycle Bin utility, which allows attackers to store
malicious code without detection.


VOTE:

=================================
Candidate: CAN-2000-0120
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: ALLAIRE:ASB00-04
Reference: BID:955

The Remote Access Service invoke.cfm template in Allaire Spectra 1.0
allows users to bypass authentication via the bAuthenticated
parameter.


VOTE:

=================================
Candidate: CAN-2000-0130
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: BUGTRAQ:20000127 New SCO patches...

Buffer overflow in SCO scohelp program allows remote attackers to
execute commands.


VOTE:

=================================
Candidate: CAN-2000-0132
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: BUGTRAQ:20000201 `Microsoft VM for Java' allows reading local files using `getSystemResourceAsStream'.
Reference: BID:957

Microsoft Java Virtual Machine allows remote attackers to read
files via the getSystemResourceAsStream function.


VOTE:

Page Last Updated or Reviewed: May 22, 2007