[PROPOSAL] Cluster RECENT-36 - 15 candidates
The following cluster contains 15 candidates that were announced
between July 25 and August 31, 2000.
Note that the voting web site will not be updated with this cluster
until late tonight.
The candidates are listed in order of priority. Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.
If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.
- Steve
Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------
ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.
1) Please write your vote on the line that starts with "VOTE: ". If
you want to add comments or details, add them to lines after the
VOTE: line.
2) If you see any missing references, please mention them so that they
can be included. References help greatly during mapping.
3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
So if you don't have sufficient information for a candidate but you
don't want to NOOP, use a REVIEWING.
********** NOTE ********** NOTE ********** NOTE ********** NOTE **********
Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.
======================================================
Candidate: CAN-2000-0812
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0812
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000926
Category: SF/CF/MP/SA/AN/unknown
Reference: SUN:00197
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/197&type=0&nav=sec.sba
Reference: MISC:http://www.securityfocus.com/templates/advisory.html?id=2542
The administration module in Sun Java web server allows remote
attackers to execute arbitrary commands by uploading Java code to the
module and invoking the com.sun.server.http.pagecompile.jsp92.JspServlet
by requesting a URL that begins with a /servlet/ tag.
Analysis
----------------
ED_PRI CAN-2000-0812 1
Vendor Acknowledgement: unknown
ABSTRACTION:
This appears to be the same as CAN-2000-0629. However, according to
Casper Dik, CAN-2000-0629 was related to example code, but this one
has more to do with a bug in the administration server itself. Thus
this should remain separate from CAN-2000-0629.
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:
======================================================
Candidate: CAN-2000-0824
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0824
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20001015
Category: SF
Reference: BUGTRAQ:19990917 A few bugs...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/0992.html
Reference: BUGTRAQ:20000831 glibc unsetenv bug
Reference: URL:http://www.securityfocus.com/archive/1/79537
Reference: CALDERA:CSSA-2000-028.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-028.0.txt
Reference: DEBIAN:20000902 glibc: local root exploit
Reference: URL:http://www.debian.org/security/2000/20000902
Reference: MANDRAKE:MDKSA-2000:040
Reference: URL:http://www.linux-mandrake.com/en/updates/MDKSA-2000-040.php3
Reference: MANDRAKE:MDKSA-2000:045
Reference: URL:http://www.linux-mandrake.com/en/updates/MDKSA-2000-045.php3
Reference: REDHAT:RHSA-2000:057-04
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-057-04.html
Reference: TURBO:TLSA2000020-1
Reference: URL:http://www.turbolinux.com/pipermail/tl-security-announce/2000-September/000020.html
Reference: SUSE:20000924 glibc locale security problem
Reference: URL:http://www.suse.de/de/support/security/adv5_draht_glibc_txt.txt
Reference: BUGTRAQ:20000902 Conectiva Linux Security Announcement - glibc
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0436.html
Reference: BUGTRAQ:20000905 Conectiva Linux Security Announcement - glibc
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0509.html
Reference: BUGTRAQ:20000906 [slackware-security]: glibc 2.1.3 vulnerabilities patched
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0525.html
Reference: BID:648
Reference: URL:http://www.securityfocus.com/bid/648
Reference: BID:1639
Reference: URL:http://www.securityfocus.com/bid/1639
The unsetenv function in glibc 2.1.1 does not properly unset an
environmental variable if the variable is provided twice to a program,
which could allow local users to execute arbitrary commands in setuid
programs by specifying their own duplicate environmental variables
such as LD_PRELOAD or LD_LIBRARY_PATH.
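The duplicate-variable failure described above, as an added example that is not glibc's source and not part of the original proposal: a simplified model of the defect class (a removal loop that advances past the entry that just slid into place) beside a corrected loop, plus the check a setuid program would run over a constructed environment that supplies LD_PRELOAD twice. Function names and sample values are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Model of the class of defect described above (added example, not glibc's
 * source): after removing a match the loop still advances, so the entry that
 * slid into the current slot is never examined. A second copy of the same
 * variable placed right after the first therefore survives. */
static void unsetenv_skipping(char **envp, const char *name)
{
    size_t len = strlen(name);
    for (char **ep = envp; *ep != NULL; ++ep) {      /* ++ep even after a removal */
        if (strncmp(*ep, name, len) == 0 && (*ep)[len] == '=') {
            char **dp = ep;
            do { dp[0] = dp[1]; } while (*dp++ != NULL);  /* shift the rest down */
        }
    }
}

/* Corrected loop: advance only when nothing was removed, so every
 * occurrence of NAME is dropped however many copies were supplied. */
static void unsetenv_all(char **envp, const char *name)
{
    size_t len = strlen(name);
    char **ep = envp;
    while (*ep != NULL) {
        if (strncmp(*ep, name, len) == 0 && (*ep)[len] == '=') {
            char **dp = ep;
            do { dp[0] = dp[1]; } while (*dp++ != NULL);
            /* stay on this slot: the next entry has just moved into it */
        } else {
            ++ep;
        }
    }
}

/* Defensive check for a setuid program: how many entries named NAME are
 * still present after sanitising? Anything but zero means the environment
 * cannot be trusted and the program should refuse to continue. */
static int count_var(char **envp, const char *name)
{
    size_t len = strlen(name);
    int n = 0;
    for (char **ep = envp; *ep != NULL; ++ep)
        if (strncmp(*ep, name, len) == 0 && (*ep)[len] == '=')
            n++;
    return n;
}

/* Run one remover over a constructed environment in which LD_PRELOAD is
 * supplied twice in a row, and report how many copies survive. */
static int surviving_ld_preload(void (*remover)(char **, const char *))
{
    char *env[] = {
        "PATH=/usr/bin",
        "LD_PRELOAD=/tmp/one.so",    /* constructed sample values */
        "LD_PRELOAD=/tmp/two.so",
        "HOME=/home/user",
        NULL,
    };
    remover(env, "LD_PRELOAD");
    return count_var(env, "LD_PRELOAD");
}
```

The skipping remover leaves one LD_PRELOAD entry behind; the corrected remover leaves none, which is the condition a privileged program should verify rather than assume.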
Analysis
----------------
ED_PRI CAN-2000-0824 1
Vendor Acknowledgement: yes
ABSTRACTION:
This problem was initially discovered in September 1999, but it wasn't
fully noticed and addressed until September 2000.
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:
======================================================
Candidate: CAN-2000-0862
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0862
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20001018
Category:
Reference: ALLAIRE:ASB00-23
Reference: URL:http://archives.neohapsis.com/archives/vendor/2000-q3/0059.html
Vulnerability in an administrative interface utility for Allaire
Spectra 1.0.1 allows remote attackers to read and modify sensitive
configuration information.
Analysis
----------------
ED_PRI CAN-2000-0862 1
Vendor Acknowledgement: yes
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:
======================================================
Candidate: CAN-2000-0864
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0864
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20001018
Category:
Reference: FREEBSD:FreeBSD-SA-00:45
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0365.html
Reference: BUGTRAQ:20000911 Patch for esound-0.2.19
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0095.html
Reference: MANDRAKE:MDKSA-2000:051
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0328.htm
Reference: BID:1659
Reference: URL:http://www.securityfocus.com/bid/1659
Reference: REDHAT:RHSA-2000:077-03
Race condition in the creation of a Unix domain socket in GNOME esound
0.2.19 and earlier allows a local user to change the permissions of
arbitrary files and directories, and gain additional privileges, via a
symlink attack.
Analysis
----------------
ED_PRI CAN-2000-0864 1
Vendor Acknowledgement: yes advisory
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:
======================================================
Candidate: CAN-2000-0804
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0804
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000925
Category: SF/CF/MP/SA/AN/unknown
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#One-way_Connection
Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers
to bypass the directionality check via fragmented TCP connection
requests or reopening closed TCP connection requests, aka "One-way
Connection Enforcement Bypass."
Analysis
----------------
ED_PRI CAN-2000-0804 2
Vendor Acknowledgement: yes advisory
INCLUSION:
In Check Point's advisory, they say that "The directionality check is
an additional layer of security which VPN-1/FireWall-1 adds to these
protocols. An attack which bypasses this check is not in itself a
security risk, however this check would otherwise substantially
minimize the effects of [other vulnerabilities]."
As such, is this more of a bug fix (or design improvement) than an
inherent vulnerability or exposure? Are there comparable products
that have this sort of problem?
A general question is: if something is "state-of-the-art," but
limitations are found in that state-of-the-art, is that a
vulnerability, an exposure, or neither? And is this functionality
state-of-the-art? What if the technology doesn't become
"state-of-the-art" anymore - does it then become "worthy" of inclusion
in CVE?
Similar candidates are CAN-1999-0598 through CAN-1999-0602, which
describe fundamental problems in intrusion detection systems that were
discovered and publicized by Ptacek and Newsham.
Also consider CAN-2000-0093, in which Red Hat Linux would use
"relatively weak" DES encryption instead of MD5. Problems related to
weak encryption are covered by CD:DESIGN-WEAK-ENCRYPTION.
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:
======================================================
Candidate: CAN-2000-0805
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0805
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000925
Category: SF/CF/MP/SA/AN/unknown
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#Retransmission_of
Check Point VPN-1/FireWall-1 4.1 and earlier improperly retransmits
encapsulated FWS packets, even if they do not come from a valid FWZ
client, aka "Retransmission of Encapsulated Packets."
Analysis
----------------
ED_PRI CAN-2000-0805 3
Vendor Acknowledgement: unknown
INCLUSION:
The Check Point advisory says: "NOTE: This is not a vulnerability in
itself, although it may be used to facilitate an attack."
In other words, this is an exposure, and thus should be included in
CVE.
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:
======================================================
Candidate: CAN-2000-0806
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0806
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000925
Category: SF/CF/MP/SA/AN/unknown
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#Inter-module_Communications
The inter-module authentication mechanism (fwa1) in Check Point
VPN-1/FireWall-1 4.1 and earlier may allow remote attackers to conduct
a denial of service, aka "Inter-module Communications Bypass."
Analysis
----------------
ED_PRI CAN-2000-0806 3
Vendor Acknowledgement: unknown
INCLUSION:
The Check Point advisory states that "This allowed theoretical denial
of service attacks" and "There is no known risk to customers because
of this issue." Its solution is apparently to "strengthen" their
authentication mechanism.
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:
======================================================
Candidate: CAN-2000-0807
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0807
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000925
Category: SF/CF/MP/SA/AN/unknown
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#OPSEC_Authentication
The OPSEC communications authentication mechanism (fwn1) in Check
Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to
spoof connections, aka the "OPSEC Authentication Vulnerability."
Analysis
----------------
ED_PRI CAN-2000-0807 3
Vendor Acknowledgement: unknown
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:
======================================================
Candidate: CAN-2000-0808
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0808
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000925
Category: SF/CF/MP/SA/AN/unknown
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#One-time_Password
The seed generation mechanism in the inter-module S/Key authentication
mechanism in Check Point VPN-1/FireWall-1 4.1 and earlier allows
remote attackers to bypass authentication via a brute force attack,
aka "One-time (s/key) Password Authentication."
Analysis
----------------
ED_PRI CAN-2000-0808 3
Vendor Acknowledgement: unknown
The advisory is vague about the cause of the problem, or how "brute
force" the mechanism really is. An indicator that the problem is in
generating the seed is as follows: "the S/Key seed generation
mechanism has been strengthened in the new Service Packs."
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:
======================================================
Candidate: CAN-2000-0809
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0809
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000925
Category: SF/CF/MP/SA/AN/unknown
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#Getkey_Buffer
Buffer overflow in Getkey in the protocol checker in the inter-module
communication mechanism in Check Point VPN-1/FireWall-1 4.1 and
earlier allows remote attackers to cause a denial of service.
Analysis
----------------
ED_PRI CAN-2000-0809 3
Vendor Acknowledgement: unknown
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:
======================================================
Candidate: CAN-2000-0813
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0813
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000926
Category: SF/CF/MP/SA/AN/unknown
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#FTP_Connection
Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers
to redirect FTP connections to other servers ("FTP Bounce") via
invalid FTP commands that are processed improperly by FireWall-1, aka
"FTP Connection Enforcement Bypass."
Analysis
----------------
ED_PRI CAN-2000-0813 3
Vendor Acknowledgement: unknown
INCLUSION:
This looks like it might be the same as CVE-2000-0150; however,
CVE-2000-0150 was announced on February 9. At the very least, the
issues are closely related. CVE-2000-0150 was related to hiding PASV
commands, whereas this one (a way of doing an FTP Bounce) is done with
the PORT command. See ftp://ftp.cert.org/pub/tech_tips/FTP_PORT_attacks
for a description of FTP bounce attacks.
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:
======================================================
Candidate: CAN-2000-0825
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0825
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20001015
Category: SF
Reference: WIN2KSEC:20000817 Imail Web Service Remote DoS Attack v.2
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0071.html
Reference: MISC:http://www.ipswitch.com/support/patches-upgrades.html#IMail
Ipswitch Imail 6.0 allows remote attackers to cause a denial of
service via a large number of connections in which a long Host: header
is sent, which causes a thread to crash.
Analysis
----------------
ED_PRI CAN-2000-0825 3
Vendor Acknowledgement: unknown
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:
======================================================
Candidate: CAN-2000-0832
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0832
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20001015
Category: SF
Reference: BUGTRAQ:20000817 Htgrep CGI Arbitrary File Viewing Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0208.html
Htgrep CGI program allows remote attackers to read arbitrary files by
specifying the full pathname in the hdr parameter.
Analysis
----------------
ED_PRI CAN-2000-0832 3
Vendor Acknowledgement:
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:
======================================================
Candidate: CAN-2000-0837
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0837
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20001015
Category: SF
Reference: BUGTRAQ:20000804 FTP Serv-U 2.5e vulnerability.
Reference: URL:http://www.securityfocus.com/archive/1/73843
Reference: BID:1543
Reference: URL:http://www.securityfocus.com/bid/1543
Reference: XF:servu-null-character-dos
Reference: URL:http://xforce.iss.net/static/5029.php
FTP Serv-U 2.5e allows remote attackers to cause a denial of service
by sending a large number of null bytes.
Analysis
----------------
ED_PRI CAN-2000-0837 3
Vendor Acknowledgement:
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS:
======================================================
Candidate: CAN-2000-0846
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0846
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20001018
Category: SF
Reference: BUGTRAQ:20000821 Darxite daemon remote exploit/DoS problem
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0256.html
Reference: BID:1598
Reference: URL:http://www.securityfocus.com/bid/1598
Reference: XF:darxite-login-bo
Reference: URL:http://xforce.iss.net/static/5134.php
Buffer overflow in Darxite 0.4 and earlier allows a remote attacker to
execute arbitrary commands via a long username or password.
Analysis
----------------
ED_PRI CAN-2000-0846 3
Vendor Acknowledgement:
Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.
VOTE:
ACCEPT_REASON:
COMMENTS: