PROPOSAL: Cluster 28 - DESC (2 candidates)
Most of the SF-MISC cluster has been merged with the NOVULN cluster, and the two remaining SF-MISC candidates have been put into this DESC cluster. Thus SF-MISC need not be proposed. We now look at DESC.

These 2 candidates touch on the problem of deciding when we have enough information to place a vulnerability into the CVE, and the problems with relying on the description alone to distinguish between very similar vulnerabilities.

CAN-1999-0001 doesn't provide much information, but is confirmed by CERT. A look at some BSD code that patches the problem indicates it has something to do with fragmentation and/or IP header processing, but even that information isn't necessarily enough to write a description that is sufficient to distinguish it from other similar vulnerabilities. We have this problem with Teardrop and its variants. This description is also aesthetically challenged because it uses a reference in the description itself.

CAN-1999-0001, and a number of other candidates, show the importance of having references available to anyone who's looking up a vulnerability's CVE name, especially if the details of the vulnerability are so obscure (or unknown) that even a typical security expert can't necessarily easily distinguish between them. Consider rdist, which has at least two separate vulnerabilities in CAN-1999-0022 and CAN-1999-0023 (rather, CVE-1999-0022 and CVE-1999-0023, since they've both been ACCEPTed). The only distinguishing factor in the description is the name of the function where the buffer overflow occurs, which most security analysts never knew, or would need to look up; but the CERT advisories help to easily mark the distinction.

>Name: CVE-1999-0022
>Reference: CERT:CA-97.23.rdist
>Reference: XF:rdist-bo3
>Reference: XF:rdist-sept97
>
>Local user gains root privileges via buffer overflow in rdist, via
>expstr() function.
>
>
>Name: CVE-1999-0023
>Reference: CERT:CA-96.14.rdist_vul
>Reference: XF:rdist-bo
>Reference: XF:rdist-bo2
>
>Local user gains root privileges via buffer overflow in rdist, via
>lookup() function.
>

CAN-1999-0345 describes the vulnerability exploited by Jolt, which I've seen in a number of places; but is this the same as, or different from, the other Teardrops?

Summary of votes to use (in ascending order of "severity"):

ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g. reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

=================================
Candidate: CAN-1999-0001
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-98-13-tcp-denial-of-service

Denial of service in BSD-derived TCP/IP implementations, as described in CERT CA-98-13.

VOTE:

=================================
Candidate: CAN-1999-0345
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: SF

Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.

VOTE: