|
|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: PROPOSAL: Cluster 24 - FINGER (6 candidates)
The following votes and comments are from Steve Northcutt, who points out that we haven't clearly defined what finger "should" do, thus it's not clear whether some of these candidates should be considered vulnerabilities. In my opinion, if some finger application offers some sort of access control, or a capability which limits what kinds of data can be presented, then when a bug in that application *fails* to restrict that information, then it's a CVE vulnerability as a result of the second bullet of the definition: > - (2) allows an entity to read or modify data belonging to another > entity, when it is contrary to the specified access restrictions > for that data - Steve >From Stephen.Northcutt@bmdo.osd.mil Tue Jul 27 08:11:19 1999 Message-ID: <A0CCBD88DC7ED1118BBD00005A4441D403C1B091@hqbmdofs01.bmdo.osd.mil> From: "Northcutt, Stephen, CIV, BMDO/DSC" <Stephen.Northcutt@bmdo.osd.mil> To: "'Steven M. Christey'" <coley@linus.mitre.org> Subject: RE: PROPOSAL: Cluster 24 - FINGER (6 candidates) Date: Tue, 27 Jul 1999 08:11:45 -0400 Content-Type: text/plain; charset="iso-8859-1" Steven, note I only responded to you, your choice whether to push forward. You argue that if finger releases more information than it should ... but we don't define what it should, not is it clear to me, we should be making that call. -----Original Message----- From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG] Sent: Monday, July 26, 1999 8:42 PM To: cve-editorial-board-list@lists.mitre.org Subject: PROPOSAL: Cluster 24 - FINGER (6 candidates) The following candidates all deal with bugs in the finger service. If running finger is not a vulnerability, what if finger has a bug? If the bug causes a denial of service or other problem outside the scope of finger itself, then that's a CVE vulnerability based on other portions of the definition. But what if the bug just releases more user information than it should have? In this case, I argue that these are vulnerabilities, since the finger application in question does *not* work as intended. - Steve Summary of votes to use (in ascending order of "severity"): ACCEPT - member accepts the candidate as proposed NOOP - member has no opinion on the candidate MODIFY - member wants to change some minor detail (e.g. reference/description) REVIEWING - member is reviewing/researching the candidate RECAST - candidate must be significantly modified, e.g. split or merged REJECT - candidate is "not a vulnerability", or a duplicate, etc. Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line. ================================= Candidate: CAN-1999-0105 Published: Final-Decision: Interim-Decision: Modified: Announced: 19990726 Assigned: 19990607 Category: SF finger allows recursive searches by using a long string of @ symbols. VOTE:REJECT ================================= Candidate: CAN-1999-0106 Published: Final-Decision: Interim-Decision: Modified: Announced: 19990726 Assigned: 19990607 Category: SF Finger redirection allows finger bombs. VOTE:ACCEPT ================================= Candidate: CAN-1999-0197 Published: Final-Decision: Interim-Decision: Modified: Announced: 19990726 Assigned: 19990607 Category: SF finger 0@host on some systems may print information on some user accounts. VOTE:REJECT ================================= Candidate: CAN-1999-0198 Published: Final-Decision: Interim-Decision: Modified: Announced: 19990726 Assigned: 19990607 Category: SF finger .@host on some systems may print information on some user accounts. VOTE:REJECT ================================= Candidate: CAN-1999-0259 Published: Final-Decision: Interim-Decision: Modified: Announced: 19990726 Assigned: 19990607 Category: SF cfingerd lists all users on a system via search.**@target. VOTE:NOOP ================================= Candidate: CAN-1999-0492 Published: Final-Decision: Interim-Decision: Modified: Announced: 19990726 Assigned: 19990607 Category: SF Reference: BUGTRAQ:Apr23,1999 The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses. VOTE:ACCEPT
|
||||
