Re: First candidate cluster for validation: CERT
On Wed, Jun 09, 1999 at 01:26:56PM -0400, Steven M. Christey wrote:
| Here's the first review that came in from Steve Northcutt. I've
| forwarded it along to the list. I'll comment on his non-ACCEPTs
| later.

I comment here only on Steve's non-accepts, and will add full comments on the bulk later.

| ------------------------------------------
| Candidate: CAN-1999-0017
| Proposer: 001
| Assigned: 19990607
| Announced: 19990607
| Category: SF
| Reference: CERT:CA-97.27.FTP_bounce
| Reference: XF:ftp-bounce
| Reference: XF:ftp-privileged-port
|
| FTP bounce attack to connect to arbitrary ports on machines other than
| the FTP client.
|
| MODIFY - the primary vulnerability is in some FTP server implementations
| that allow this as opposed to the actual connecting to the ports

I don't think that the text of the CVE entry says where the vulnerability is, and have NO OPINION here.

| ------------------------------------------
| Candidate: CAN-1999-0067
| Proposer: 001
| Assigned: 19990607
| Announced: 19990607
| Category: SF
| Reference: CERT:CA-96.06.cgi_example_code
| Reference: XF:http-cgi-phf
|
| CGI phf program allows remote command execution
|
| MODIFY, this is not about phf it is about escape_shell_cmd(),
| you had the same thing with php and so forth.

I disagree; failure to properly handle shell commands in input is not the appropriate level of abstraction, and I suggest ACCEPT.

| ------------------------------------------
| Candidate: CAN-1999-0513
| Proposer: 001
| Assigned: 19990607
| Announced: 19990607
| Category: CF
| Reference: CERT:CA-98.01.smurf
| Reference: FreeBSD:FreeBSD-SA-98:06
| Reference: XF:smurf
|
| ICMP messages to broadcast addresses are allowed, allowing for a
| Smurf attack that can cause a denial of service.
|
| MODIFY - If you put it this way then ping mapping becomes part of
| smurf. I would consider calling the vulnerability ICMP to broadcast
| addresses, and in the text state allowing for a Smurf denial of service
| or ICMP ping mapping to acquire intelligence data about a network.
I believe that ping mapping is indeed part of smurf, and suggest ACCEPT.
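As an added illustration of the distinction drawn in the exchange above between Smurf amplification and ping mapping (example code written for this page, not from the thread or from CERT): a small Python classifier that reads constructed ICMP event lines and flags echo requests aimed at a local directed-broadcast address, labelling external sources as the amplification pattern and internal sources as mapping. The address ranges and the one-line log format are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample events (not from the original thread): one ICMP
# record per line as "src dst type", mimicking a minimal flow export.
SAMPLE_EVENTS = """\
203.0.113.7 192.0.2.255 echo-request
203.0.113.7 192.0.2.255 echo-request
203.0.113.7 192.0.2.255 echo-request
192.0.2.10 192.0.2.255 echo-request
192.0.2.10 198.51.100.5 echo-request
198.51.100.5 192.0.2.10 echo-reply
"""

# Assumed local address space (constructed); a real deployment would
# load its own prefixes here.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]


def broadcast_targets(nets):
    """Return the set of directed-broadcast addresses for the given prefixes."""
    return {net.broadcast_address for net in nets}


def classify(events, nets=LOCAL_NETS):
    """Count echo-requests aimed at a local broadcast address.

    A request to a broadcast address whose source lies outside the local
    nets matches the Smurf amplification pattern (the source is the
    spoofed victim, the local net the amplifier); a request from inside
    is more consistent with ping mapping of the subnet by one host.
    """
    bcasts = broadcast_targets(nets)
    findings = Counter()
    for line in events.splitlines():
        src, dst, icmp_type = line.split()
        if icmp_type != "echo-request":
            continue
        if ipaddress.ip_address(dst) not in bcasts:
            continue
        src_addr = ipaddress.ip_address(src)
        internal = any(src_addr in net for net in nets)
        label = "ping-mapping" if internal else "smurf-amplification"
        findings[(label, src, dst)] += 1
    return findings


if __name__ == "__main__":
    for (label, src, dst), count in classify(SAMPLE_EVENTS).items():
        print(f"{label}: {src} -> {dst} x{count}")
```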