[PROPOSAL] Cluster RECENT-26 - 22 candidates



The following cluster contains 22 candidates that were announced
between 6/26/2000 and 6/30/2000.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

=================================
Candidate: CAN-2000-0585
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000624 Possible root exploit in ISC DHCP client.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0247.html
Reference: OPENBSD:20000624 A serious bug in dhclient(8) could allow strings from a malicious dhcp server to be executed in the shell as root.
Reference: URL:http://www.openbsd.org/errata.html#dhclient
Reference: DEBIAN:20000628 dhcp client: remote root exploit in dhcp client
Reference: URL:http://www.debian.org/security/2000/20000628
Reference: BUGTRAQ:20000702 [Security Announce] dhcp update
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0014.html
Reference: SUSE:20000711 Security Hole in dhclient < 2.0
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_56.txt
Reference: XF:openbsd-isc-dhcp-bo
Reference: NETBSD:NetBSD-SA2000-008
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-008.txt.asc
Reference: BID:1388
Reference: URL:http://www.securityfocus.com/bid/1388

ISC DHCP client program dhclient allows remote attackers to execute
arbitrary commands via shell metacharacters.


ED_PRI CAN-2000-0585 1


VOTE:

=================================
Candidate: CAN-2000-0596
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000627 IE 5 and Access 2000 vulnerability - executing programs
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=39589359.762392DB@nat.bg
Reference: BUGTRAQ:20000627 FW: IE 5 and Access 2000 vulnerability - executing programs
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=000d01bfe0fb$418f59b0$96217aa8@src.bu.edu
Reference: MS:MS00-049
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-049.asp
Reference: XF:ie-access-vba-code-execute
Reference: BID:1398
Reference: URL:http://www.securityfocus.com/bid/1398

Internet Explorer 5.x does not warn a user before opening a Microsoft
Access database file that is referenced within ActiveX OBJECT tags in
an HTML document, which could allow remote attackers to execute
arbitrary commands, aka the "IE Script" vulnerability.


ED_PRI CAN-2000-0596 1


VOTE:

=================================
Candidate: CAN-2000-0597
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000627 IE 5 and Excel 2000, PowerPoint 2000 vulnerability - executing programs
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=39589349.ED9DBCAB@nat.bg
Reference: MS:MS00-049
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-049.asp
Reference: BID:1399
Reference: URL:http://www.securityfocus.com/bid/1399
Reference: XF:ie-powerpoint-activex-object-execute

Microsoft Office 2000 (Excel and PowerPoint) and PowerPoint 97 are
marked as safe for scripting, which allows remote attackers to force
Internet Explorer or some email clients to save files to arbitrary
locations via the Visual Basic for Applications (VBA) SaveAs function,
aka the "Office HTML Script" vulnerability.


ED_PRI CAN-2000-0597 1


VOTE:

=================================
Candidate: CAN-2000-0616
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: HP:HPSBMP0006-007
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0294.html
Reference: BID:1405
Reference: URL:http://www.securityfocus.com/bid/1405

Vulnerability in HP TurboIMAGE DBUTIL allows local users to gain
additional privileges via DBUTIL.PUB.SYS.


ED_PRI CAN-2000-0616 1


VOTE:

=================================
Candidate: CAN-2000-0582
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000630 SecureXpert Advisory [SX-20000620-3]
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630162106.4619C-100000@fjord.fscinternet.com
Reference: XF:fw1-resource-overload-dos
Reference: BID:1416
Reference: URL:http://www.securityfocus.com/bid/1416

Check Point Firewall-1 4.0 and 4.1 allows remote attackers to cause a
denial of service by sending a stream of binary zeros to the SMTP
Security Server proxy.


ED_PRI CAN-2000-0582 2


VOTE:

=================================
Candidate: CAN-2000-0583
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000626 vpopmail-3.4.11 problems
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=395BD2A8.5D3396A7@secureaustin.com
Reference: CONFIRM:http://www.vpopmail.cx/vpopmail-ChangeLog
Reference: BID:1418
Reference: URL:http://www.securityfocus.com/bid/1418

vchkpw program in vpopmail before version 4.8 does not properly cleanse
an untrusted format string used in a call to syslog, which allows
remote attackers to cause a denial of service via a USER or PASS
command that contains arbitrary formatting directives.


ED_PRI CAN-2000-0583 2


VOTE:

=================================
Candidate: CAN-2000-0588
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000626 sawmill5.0.21 old path bug & weak hash algorithm
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0271.html
Reference: BUGTRAQ:20000706 Patch for Flowerfire Sawmill Vulnerabilities Available
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0080.html
Reference: BID:1402
Reference: URL:http://www.securityfocus.com/bid/1402
Reference: XF:sawmill-file-access

SawMill 5.0.21 CGI program allows remote attackers to read the first
line of arbitrary files by listing the file in the rfcf parameter,
whose contents SawMill attempts to parse as configuration commands.


ED_PRI CAN-2000-0588 2


VOTE:

=================================
Candidate: CAN-2000-0568
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000630 Multiple vulnerabilities in Sybergen Secure Desktop
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=4125690E.00524395.00@guardianit.se
Reference: XF:sybergen-routing-table-modify
Reference: BID:1417
Reference: URL:http://www.securityfocus.com/bid/1417

Sybergen Secure Desktop 2.1 does not properly protect against false
router advertisements (ICMP type 9), which allows remote attackers to
modify default routes.


ED_PRI CAN-2000-0568 3


VOTE:

=================================
Candidate: CAN-2000-0569
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: MISC:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0189.html
Reference: BID:1420
Reference: URL:http://www.securityfocus.com/bid/1420

Sybergen Sygate allows remote attackers to cause a denial of service
by sending a malformed DNS UDP packet to its internal interface.


ED_PRI CAN-2000-0569 3


VOTE:

=================================
Candidate: CAN-2000-0570
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000627 DoS in FirstClass Internet Services 5.770
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0295.html
Reference: XF:firstclass-large-bcc-dos
Reference: BID:1421
Reference: URL:http://www.securityfocus.com/bid/1421

FirstClass Internet Services server allows remote attackers to cause a
denial of service by sending an email with a long To: mail header.


ED_PRI CAN-2000-0570 3


VOTE:

=================================
Candidate: CAN-2000-0575
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000630 Kerberos security vulnerability in SSH-1
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200007010511.BAA16944@syrinx.oankali.net
Reference: BID:1426
Reference: URL:http://www.securityfocus.com/bid/1426

SSH 1.2.27 with Kerberos authentication support stores Kerberos
tickets in a file which is created in the current directory of the
user who is logging in, which could allow remote attackers to sniff
the ticket cache if the home directory is installed on NFS.


ED_PRI CAN-2000-0575 3


VOTE:

=================================
Candidate: CAN-2000-0580
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000630 SecureXpert Advisory [SX-20000620-2]
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630161935.4619B-100000@fjord.fscinternet.com
Reference: XF:win2k-cpu-overload-dos
Reference: BID:1415
Reference: URL:http://www.securityfocus.com/bid/1415

Windows 2000 Server allows remote attackers to cause a denial of
service by sending a continuous stream of binary zeros to various TCP
and UDP ports, which significantly increases the CPU utilization.


ED_PRI CAN-2000-0580 3


VOTE:

=================================
Candidate: CAN-2000-0581
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000630 SecureXpert Advisory [SX-20000620-1]
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630161841.4619A-100000@fjord.fscinternet.com
Reference: XF:win2k-telnetserver-dos
Reference: BID:1414
Reference: URL:http://www.securityfocus.com/bid/1414

Windows 2000 Telnet Server allows remote attackers to cause a denial
of service by sending a continuous stream of binary zeros, which
causes the server to crash.


ED_PRI CAN-2000-0581 3


VOTE:

=================================
Candidate: CAN-2000-0586
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: VULN-DEV:20000628 dalnet 4.6.5 remote vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vuln-dev/2000-q2/1092.html
Reference: XF:ircd-dalnet-summon-bo
Reference: BID:1404
Reference: URL:http://www.securityfocus.com/bid/1404

Buffer overflow in Dalnet IRC server 4.6.5 allows remote attackers to
cause a denial of service or execute arbitrary commands via the SUMMON
command.


ED_PRI CAN-2000-0586 3


VOTE:

=================================
Candidate: CAN-2000-0587
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: XF:glftpd-privpath-directive
Reference: BUGTRAQ:20000626 Glftpd privpath bugs... +fix
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10006261041360.31907-200000@twix.thrijswijk.nl
Reference: BUGTRAQ:20000627 Re: Glftpd privpath bugs... +fix
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0317.html
Reference: BID:1401
Reference: URL:http://www.securityfocus.com/bid/1401

The privpath directive in glftpd 1.18 allows remote attackers to
bypass access restrictions for directories by using the file name
completion capability.


ED_PRI CAN-2000-0587 3


VOTE:

=================================
Candidate: CAN-2000-0589
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000626 sawmill5.0.21 old path bug & weak hash algorithm
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0271.html
Reference: BUGTRAQ:20000706 Patch for Flowerfire Sawmill Vulnerabilities Available
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0080.html
Reference: BID:1403
Reference: URL:http://www.securityfocus.com/bid/1403
Reference: XF:sawmill-weak-encryption

SawMill 5.0.21 uses weak encryption to store passwords, which allows
attackers to easily decrypt the password and modify the SawMill
configuration.


ED_PRI CAN-2000-0589 3


VOTE:

=================================
Candidate: CAN-2000-0592
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000627 [SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006271417.GFE84146.-BJXON@lac.co.jp
Reference: XF:winproxy-command-bo
Reference: BID:1400
Reference: URL:http://www.securityfocus.com/bid/1400

Buffer overflows in POP3 service in WinProxy 2.0 and 2.0.1 allow
remote attackers to execute arbitrary commands via long USER, PASS,
LIST, RETR, or DELE commands.


ED_PRI CAN-2000-0592 3


VOTE:

=================================
Candidate: CAN-2000-0593
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000627 [SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006271417.GFE84146.-BJXON@lac.co.jp
Reference: XF:winproxy-get-dos
Reference: BID:1400
Reference: URL:http://www.securityfocus.com/bid/1400

WinProxy 2.0 and 2.0.1 allow remote attackers to cause a denial of
service by sending an HTTP GET request without listing an HTTP version
number.


ED_PRI CAN-2000-0593 3


VOTE:

=================================
Candidate: CAN-2000-0598
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000626 Proxy+ Telnet Gateway Problems
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0268.html
Reference: BID:1395
Reference: URL:http://www.securityfocus.com/bid/1395
Reference: XF:fortech-proxy-telnet-gateway
Reference: XF:proxyplus-telnet-gateway

Fortech Proxy+ allows remote attackers to bypass access restrictions
for the administration service by redirecting their connections
through the telnet proxy.


ED_PRI CAN-2000-0598 3


VOTE:

=================================
Candidate: CAN-2000-0599
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000629 iMesh 1.02 vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0335.html
Reference: XF:imesh-tcp-port-overflow
Reference: BID:1407
Reference: URL:http://www.securityfocus.com/bid/1407

Buffer overflow in iMesh 1.02 allows remote attackers to execute
arbitrary commands via a long string to the iMesh port.


ED_PRI CAN-2000-0599 3


VOTE:

=================================
Candidate: CAN-2000-0600
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000626 Netscape Enterprise Server for NetWare Virtual Directory Vulnerab ility
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-06/0264.html
Reference: BID:1393
Reference: URL:http://www.securityfocus.com/bid/1393
Reference: XF:netscape-virtual-directory-bo
Reference: XF:netscape-enterprise-netware-bo

Netscape Enterprise Server in NetWare 5.1 allows remote attackers to
cause a denial of service or execute arbitrary commands via a
malformed URL.


ED_PRI CAN-2000-0600 3


VOTE:

=================================
Candidate: CAN-2000-0612
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000719
Assigned: 20000719
Category: SF
Reference: BUGTRAQ:20000629 Buggy ARP handling in Windoze
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=395B7E64.9FB3D4DB@starzetz.de
Reference: XF:win-arp-spoofing
Reference: BID:1406
Reference: URL:http://www.securityfocus.com/bid/1406

Windows 95 and Windows 98 do not properly process spoofed ARP packets,
which allows remote attackers to overwrite static entries in the cache
table.


ED_PRI CAN-2000-0612 3


VOTE:

Page Last Updated or Reviewed: May 22, 2007