VOTES: Recorded votes for recent clusters
Below is a list of votes that includes some votes that were sent to me
directly instead of the list. They are for the following clusters:
NTCONFIG, VERIFY-TOOL, NETCONF, CFMISC, DESC, NOVULN, DATA,
NT-REGISTRY, SA-LITTLE, SA-ATTACK, SA-HIST, SA-OTHER, MPAN, and MULT.
- Steve
--------------------- CLUSTER NTCONFIG ---------------------
NTCONFIG (13 candidates)
--------------------
Proposed: 7/20
Scheduled Proposed: 7/6
Scheduled Interim Decision: 8/2
Scheduled Final Decision: 8/6
Configuration problems related to NT
Voters:
Shostack ACCEPT(12) REJECT(1)
Wall ACCEPT(12) REVIEWING(1)
Ozancin ACCEPT(9) MODIFY(3) RECAST(1)
Christey ACCEPT(2)
Northcutt ACCEPT(2) MODIFY(1) NOOP(1) RECAST(3) REJECT(6)
Baker ACCEPT(8) MODIFY(2) REJECT(1) REVIEWING(2)
<PROPOSED> --> 13
ACCEPT --> 3
MODIFY --> 1
RECAST --> 3
REJECT --> 6
=================================
Candidate: CAN-1999-0499
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
NETBIOS share information may be published through SNMP registry keys
in NT.
VOTES:
ACCEPT(5) Wall, Northcutt, Baker, Shostack, Ozancin
=================================
Candidate: CAN-1999-0534
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT user has inappropriate rights or privileges, e.g. Act as
System, Add Workstation, Backup, Change System Time, Create Pagefile,
Create Permanent Object, Create Token Name, Debug, Generate Security
Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory,
Profile Single Process, Remote Shutdown, Replace Process Token,
Restore, System Environment, Take Ownership, or Unsolicited Input.
VOTES:
ACCEPT(5) Wall, Baker, Shostack, Ozancin, Christey
MODIFY(1) Northcutt
COMMENTS:
Northcutt> If we are going to write a laundry list put access to the scheduler in it.
Christey> The list of privileges is very useful for lookup.
=================================
Candidate: CAN-1999-0535
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT account policy for passwords has inappropriate,
security-critical settings, e.g. for password length, password age, or
uniqueness.
VOTES:
ACCEPT(2) Wall, Shostack
MODIFY(1) Baker
RECAST(2) Northcutt, Ozancin
COMMENTS:
Northcutt> inappropriate implies there is appropriate. As a guy who has been
Northcutt> monitoring networks for years I have deep reservations about justifying
Northcutt> the existence of any fixed cleartext password. For appropriate to exist,
Northcutt> some "we" would have to establish some criteria for appropriate passwords.
Baker> Perhaps this could be re-worded a bit. The CVE CAN-1999-0582
Baker> specifies "...settings for lockouts". To remain consistent with the
Baker> other, maybe it should specify "...settings for passwords". I think
Baker> most people would agree that passwords should be at least 8
Baker> characters; contain letters (upper and lowercase), numbers and at
Baker> least one non-alphanumeric; should only be good a limited time 30-90
Baker> days; and should not contain character combinations from user's prior
Baker> 2 or 3 passwords.
Baker> Suggested rewrite -
Baker> A Windows NT account policy does not enforce reasonable minimum
Baker> security-critical settings for passwords, e.g. passwords of sufficient
Baker> length, periodic required password changes, or new password uniqueness
Ozancin> What is appropriate?
=================================
Candidate: CAN-1999-0546
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
The Windows NT guest account is enabled.
VOTES:
ACCEPT(5) Wall, Northcutt, Baker, Shostack, Ozancin
=================================
Candidate: CAN-1999-0562
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
The registry in Windows NT can be accessed remotely by users who are
not administrators.
VOTES:
ACCEPT(4) Wall, Baker, Shostack, Ozancin
RECAST(1) Northcutt
COMMENTS:
Northcutt> This isn't all or nothing, users may be allowed to access part of the
Northcutt> registry.
=================================
Candidate: CAN-1999-0572
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
.reg files are associated with the Windows NT registry editor, making
the registry susceptible to Trojan Horse attacks.
VOTES:
ACCEPT(4) Wall, Baker, Shostack, Ozancin
NOOP(1) Northcutt
COMMENTS:
Northcutt> I don't quite get what this means, sorry
=================================
Candidate: CAN-1999-0575
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT system's user audit policy does not log an event success
or failure, e.g. for Logon and Logoff, File and Object Access, Use of
User Rights, User and Group Management, Security Policy Changes,
Restart, Shutdown, and System, and Process Tracking.
VOTES:
ACCEPT(4) Wall, Shostack, Ozancin, Christey
RECAST(1) Northcutt
REVIEWING(1) Baker
COMMENTS:
Northcutt> It isn't a great truth that you should enable all of the above; if you
Northcutt> do, you potentially introduce a vulnerability of filling up the file
Northcutt> system with stuff you will never look at.
Ozancin> It is far less interesting what a user does successfully than what they
Ozancin> attempt and fail at.
Christey> The list of event types is very useful for lookup.
=================================
Candidate: CAN-1999-0576
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT system's file audit policy does not log an event success
or failure for security-critical files or directories.
VOTES:
ACCEPT(3) Wall, Baker, Shostack
MODIFY(1) Ozancin
REJECT(1) Northcutt
COMMENTS:
Northcutt> 1.) Too general. Are we ready to state what the security-critical files
Northcutt> and directories are?
Northcutt> 2.) Do Ataris, Windows CE, PalmOS, Linux have such a capability?
Ozancin> Some files and directories are clearly understood to be critical. Others are
Ozancin> unclear. We need to clarify what critical is.
=================================
Candidate: CAN-1999-0577
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT system's file audit policy does not log an event success
or failure for non-critical files or directories.
VOTES:
ACCEPT(2) Wall, Shostack
MODIFY(1) Ozancin
REJECT(1) Northcutt
REVIEWING(1) Baker
COMMENTS:
Ozancin> It is far less interesting what a user does successfully than what they
Ozancin> attempt and fail at.
Ozancin> Perhaps only failure should be logged.
=================================
Candidate: CAN-1999-0578
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT system's registry audit policy does not log an event
success or failure for security-critical registry keys.
VOTES:
ACCEPT(4) Wall, Baker, Shostack, Ozancin
REJECT(1) Northcutt
COMMENTS:
Ozancin> with reservation
Ozancin> Again what is defined as critical
=================================
Candidate: CAN-1999-0579
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT system's registry audit policy does not log an event
success or failure for non-critical registry keys.
VOTES:
ACCEPT(3) Wall, Baker, Shostack
MODIFY(1) Ozancin
REJECT(1) Northcutt
COMMENTS:
Ozancin> Again, only failure may be of interest. It would be impractical to wade
Ozancin> through the incredibly large amount of logging that this would generate. It
Ozancin> could overwhelm log entries that you might find interesting.
=================================
Candidate: CAN-1999-0582
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT account policy has inappropriate, security-critical
settings for lockout, e.g. lockout duration, lockout after bad logon
attempts, etc.
VOTES:
ACCEPT(3) Wall, Shostack, Ozancin
MODIFY(1) Baker
REJECT(1) Northcutt
COMMENTS:
Northcutt> The definition is?
Baker> Maybe a rewording of this one too. I think most people would agree on
Baker> some "minimum" policies like 3-5 bad attempts lockout for an hour or
Baker> until the administrator unlocks the account.
Baker> Suggested rewrite -
Baker> A Windows NT account policy does not enforce reasonable minimum
Baker> security-critical settings for lockouts, e.g. lockout duration,
Baker> lockout after bad logon attempts, etc.
Ozancin> with reservations
Ozancin> What is appropriate?
=================================
Candidate: CAN-1999-0585
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: CF
A Windows NT administrator account has the default name of
Administrator.
VOTES:
ACCEPT(1) Ozancin
REJECT(3) Northcutt, Baker, Shostack
REVIEWING(1) Wall
COMMENTS:
Wall> Some sources say this is not a vulnerability, but a warning. It just
Wall> slows down the search for the admin account (SID = 500) which can
Wall> always be found.
Northcutt> I change this on all NT systems I am responsible for, but is
Northcutt> root a vulnerability?
Baker> There are ways to identify the administrator account anyway, so this
Baker> is only a minor delay to someone that is knowledgeable. This, in and
Baker> of itself, doesn't really strike me as a vulnerability, anymore than
Baker> the root account on a Unix box.
Shostack> (there is no way to hide the account name today)
--------------------- CLUSTER VERIFY-TOOL ---------------------
VERIFY-TOOL (7 candidates)
--------------------
Proposed: 7/27
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27
Problems mentioned in a tool, but not seen in other VDB's
Voters:
Frech NOOP(1)
Shostack MODIFY(1)
Northcutt ACCEPT(5) NOOP(2)
<PROPOSED> --> 7
ACCEPT --> 4
MODIFY --> 1
NOOP --> 2
=================================
Candidate: CAN-1999-0220
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Attackers can do a denial of service of IRC by crashing the server.
VOTES:
NOOP(1) Northcutt
=================================
Candidate: CAN-1999-0226
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Windows NT TCP/IP processes fragmented IP packets improperly, causing
a denial of service.
VOTES:
ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0240
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Some filters or firewalls allow fragmented SYN packets with IP
reserved bits in violation of their implemented policy.
VOTES:
ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0247
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Buffer overflow in nnrpd program in INN allows remote users to execute
arbitrary commands.
VOTES:
NOOP(1) Northcutt
=================================
Candidate: CAN-1999-0248
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
sshd 1.2.17 can be compromised through the SSH protocol.
VOTES:
ACCEPT(1) Northcutt
MODIFY(1) Shostack
NOOP(1) Frech
COMMENTS:
Shostack> http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html
Shostack> looks to me to be about the correct message that came from Tatu.
Shostack> There are comments in changelog: * Improved the security of
Shostack> auth_input_request_forwarding().
Shostack>
Shostack> I'm not in favor of moving this forward without additional detail, but
Shostack> thought I'd add a confirming URL and comment. We have insufficient
Shostack> detail to accept it as a CVE.
Frech> Try http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1; to wit
Frech> (see asterisked section):
Frech> ...
Frech> *****
Frech> Versions of ssh prior to 1.2.17 had problems with authentication agent
Frech> handling on some machines. There is a chance (a race condition) that a
Frech> malicious user could steal another user's credentials. This should be fixed
Frech> in 1.2.17.
Frech> *****
=================================
Candidate: CAN-1999-0493
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
A remote attacker can bounce RPC calls through rpc.statd.
VOTES:
ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0495
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
A remote attacker can gain access to a file system using .. (dot dot)
when accessing SMB shares.
VOTES:
ACCEPT(1) Northcutt
--------------------- CLUSTER NETCONF ---------------------
NETCONF (12 candidates)
--------------------
Proposed: 7/26
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27
Network configuration problems
Voters:
Northcutt ACCEPT(3) NOOP(1) RECAST(1) REJECT(7)
<PROPOSED> --> 12
ACCEPT --> 3
NOOP --> 1
RECAST --> 1
REJECT --> 7
=================================
Candidate: CAN-1999-0510
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A router or firewall allows source routed packets from arbitrary
hosts.
VOTES:
ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0511
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
IP forwarding is enabled on a machine which is not a router or
firewall.
VOTES:
ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0523
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
ICMP echo (ping) is allowed from arbitrary hosts.
VOTES:
REJECT(1) Northcutt
COMMENTS:
Northcutt> (Though I sympathize with this one :)
=================================
Candidate: CAN-1999-0524
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
ICMP information such as netmask and timestamp is allowed from
arbitrary hosts.
VOTES:
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0525
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
IP traceroute is allowed from arbitrary hosts.
VOTES:
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0528
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A router or firewall forwards external packets that claim to come from
inside the network that the router/firewall is in front of.
VOTES:
ACCEPT(1) Northcutt
=================================
Candidate: CAN-1999-0529
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A router or firewall forwards packets that claim to come from IANA
reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x,
etc.
VOTES:
REJECT(1) Northcutt
COMMENTS:
Northcutt> I have seen ISPs "assign" private addresses within their domain
=================================
Candidate: CAN-1999-0532
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A DNS server allows zone transfers.
VOTES:
REJECT(1) Northcutt
COMMENTS:
Northcutt> (With split DNS implementations this is quite appropriate)
=================================
Candidate: CAN-1999-0533
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A DNS server allows inverse queries.
VOTES:
REJECT(1) Northcutt
COMMENTS:
Northcutt> (rule of thumb)
=================================
Candidate: CAN-1999-0550
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A router's routing tables can be obtained from arbitrary hosts.
VOTES:
RECAST(1) Northcutt
COMMENTS:
Northcutt> Don't you mean obtained by arbitrary hosts
=================================
Candidate: CAN-1999-0571
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Feb5,1999
A router allows arbitrary hosts to connect to its configuration
service, or related services such as telnet.
VOTES:
NOOP(1) Northcutt
=================================
Candidate: CAN-1999-0588
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
A filter in a router or firewall allows unusual fragmented packets.
VOTES:
REJECT(1) Northcutt
COMMENTS:
Northcutt> I want to vote to accept this one, but unusual is a shade broad.
--------------------- CLUSTER CFMISC ---------------------
CFMISC (18 candidates)
--------------------
Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27
Miscellaneous CF problems
Voters:
Shostack ACCEPT(5) RECAST(6) REJECT(6)
Northcutt ACCEPT(6) NOOP(3) REJECT(8)
<PROPOSED> --> 17
ACCEPT --> 3
RECAST --> 4
REJECT --> 10
=================================
Candidate: CAN-1999-0497
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Anonymous FTP is enabled
VOTES:
ACCEPT(1) Shostack
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0512
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Mail relay is enabled, allowing abuse by spammers.
VOTES:
ACCEPT(2) Northcutt, Shostack
=================================
Candidate: CAN-1999-0515
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
An unrestricted remote trust relationship for Unix systems has been
set up, e.g. by using a + sign in /etc/hosts.equiv.
VOTES:
ACCEPT(1) Northcutt
REJECT(1) Shostack
COMMENTS:
Shostack> Overly broad
=================================
Candidate: CAN-1999-0530
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A system is operating in "promiscuous" mode which allows it to perform
packet sniffing.
VOTES:
ACCEPT(1) Northcutt
REJECT(1) Shostack
=================================
Candidate: CAN-1999-0531
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO.
VOTES:
RECAST(1) Shostack
REJECT(1) Northcutt
COMMENTS:
Shostack> I think expn != vrfy, help, esmtp.
=================================
Candidate: CAN-1999-0539
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A trust relationship exists between two Unix hosts.
VOTES:
REJECT(2) Northcutt, Shostack
COMMENTS:
Northcutt> Too non specific
=================================
Candidate: CAN-1999-0547
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
An SSH server allows authentication through the .rhosts file.
VOTES:
ACCEPT(1) Shostack
NOOP(1) Northcutt
=================================
Candidate: CAN-1999-0548
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A superfluous NFS server is running, but it is not importing or exporting
any file systems.
VOTES:
ACCEPT(1) Shostack
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0555
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A Unix account with a name other than "root" has UID 0, i.e. root
privileges.
VOTES:
REJECT(2) Northcutt, Shostack
COMMENTS:
Northcutt> This is very bogus
=================================
Candidate: CAN-1999-0556
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Two or more Unix accounts have the same UID.
VOTES:
REJECT(2) Northcutt, Shostack
=================================
Candidate: CAN-1999-0561
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
IIS has the #exec function enabled for Server Side Include (SSI) files.
VOTES:
NOOP(1) Northcutt
RECAST(1) Shostack
=================================
Candidate: CAN-1999-0564
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
An attacker can force a printer to print arbitrary documents (e.g. if
the printer doesn't require a password) or to become disabled.
VOTES:
ACCEPT(1) Shostack
NOOP(1) Northcutt
=================================
Candidate: CAN-1999-0565
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A Sendmail alias allows input to be piped to a program.
VOTES:
ACCEPT(1) Northcutt
RECAST(1) Shostack
COMMENTS:
Shostack> Is this a default alias? Is my .procmailrc an instance of this?
=================================
Candidate: CAN-1999-0568
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
rpc.admind in Solaris is not running in a secure mode.
VOTES:
ACCEPT(1) Northcutt
RECAST(1) Shostack
COMMENTS:
Shostack> are there secure modes?
=================================
Candidate: CAN-1999-0583
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
There is a one-way or two-way trust relationship between Windows NT
domains.
VOTES:
REJECT(2) Northcutt, Shostack
=================================
Candidate: CAN-1999-0586
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A network service is running on a nonstandard port.
VOTES:
RECAST(1) Shostack
REJECT(1) Northcutt
COMMENTS:
Shostack> Might be acceptable if clearer; is that a standard service on a
Shostack> non-standard port, or any service on an unassigned port?
=================================
Candidate: CAN-1999-0590
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A system does not present an appropriate legal message or warning to a
user who is accessing it.
VOTES:
ACCEPT(1) Northcutt
RECAST(1) Shostack
--------------------- CLUSTER DESC ---------------------
DESC (2 candidates)
--------------------
Proposed: 7/28
Scheduled Proposed: 7/27
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27
Description/information problems
Voters:
Wall MODIFY(1) NOOP(1)
Northcutt NOOP(2)
<PROPOSED> --> 2
MODIFY --> 1
NOOP --> 1
=================================
Candidate: CAN-1999-0001
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-98-13-tcp-denial-of-service
Denial of service in BSD-derived TCP/IP implementations, as described
in CERT CA-98-13.
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0345
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Jolt ICMP attack causes a denial of service in Windows 95 and Windows
NT systems.
VOTES:
MODIFY(1) Wall
NOOP(1) Northcutt
COMMENTS:
Wall> Invalid ICMP datagram fragments cause a denial of service in Windows 95 and
Wall> Windows NT systems.
Wall> Reference: Q154174.
Wall> Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death.
Wall> It is a modified teardrop 2 attack.
--------------------- CLUSTER NOVULN ---------------------
NOVULN (19 candidates)
--------------------
Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27
Problems that may be regarded as "not a vulnerability"
Voters:
Wall ACCEPT(5) NOOP(5) REJECT(9)
Northcutt ACCEPT(6) NOOP(6) REJECT(7)
<PROPOSED> --> 19
ACCEPT --> 3
NOOP --> 3
REJECT --> 13
=================================
Candidate: CAN-1999-0119
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Windows NT 4.0 beta allows users to read and delete shares.
VOTES:
NOOP(1) Northcutt
REJECT(1) Wall
COMMENTS:
Wall> Reject based on beta copy.
=================================
Candidate: CAN-1999-0361
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan29,1999
NetWare version of LaserFiche stores usernames and passwords
unencrypted, and allows administrative changes without logging.
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0364
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb04,1999
Microsoft Access 97 stores a database password as plaintext in a
foreign mdb, allowing access to data.
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0397
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: L0PHT:Jan21,1999
Reference: BUGTRAQ:Jan21,1999
The demo version of the Quakenbush NT Password Appraiser sends
passwords across the network in plaintext.
VOTES:
ACCEPT(1) Northcutt
REJECT(1) Wall
=================================
Candidate: CAN-1999-0403
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb4,1999
Reference: XF:cyrix-hang
A bug in Cyrix CPU's on Linux allows local users to perform a denial
of service.
VOTES:
ACCEPT(1) Northcutt
NOOP(1) Wall
=================================
Candidate: CAN-1999-0453
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
An attacker can identify a Cisco device by sending a SYN packet to
port 1999, which is for the Cisco Discovery Protocol (CDP).
VOTES:
NOOP(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0454
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
A remote attacker can sometimes identify the operating system of a
host based on how it reacts to some IP or ICMP packets, using a tool
such as nmap or queso.
VOTES:
NOOP(1) Wall
REJECT(1) Northcutt
COMMENTS:
Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced
Northcutt> ways to accomplish this. To pursue making the world signature free
Northcutt> is as much a vulnerability as having signatures, nay more.
=================================
Candidate: CAN-1999-0459
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: XF:linux-milo-halt
Local users can perform a denial of service in Alpha Linux, using MILO
to force a reboot.
VOTES:
NOOP(1) Northcutt
REJECT(1) Wall
=================================
Candidate: CAN-1999-0465
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: XF:http-img-overflow
Remote attackers can crash Lynx and Internet Explorer using an IMG tag
with a large width parameter.
VOTES:
ACCEPT(1) Northcutt
REJECT(1) Wall
=================================
Candidate: CAN-1999-0570
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.
VOTES:
ACCEPT(1) Northcutt
REJECT(1) Wall
COMMENTS:
Northcutt> Here we are crossing into the best practices arena again. However, since
Northcutt> passfilt does establish a measurable standard and since we aren't the
Northcutt> ones defining the standard, simply saying it should be employed, I will
Northcutt> vote for this.
=================================
Candidate: CAN-1999-0584
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A Windows NT file system is not NTFS.
VOTES:
ACCEPT(2) Wall, Northcutt
COMMENTS:
Wall> NTFS partition provides the security. This could be re-worded
Wall> to "A Windows NT file system is FAT" since it is either NTFS or FAT
Wall> and FAT is less secure.
=================================
Candidate: CAN-1999-0592
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
The Logon box of a Windows NT system displays the name of the last
user who logged in.
VOTES:
REJECT(2) Wall, Northcutt
COMMENTS:
Wall> Information gathering, not vulnerability
Northcutt> Ah, a C2 weenie must have snuck this in; this can be a good thing,
Northcutt> not just a vulnerability.
=================================
Candidate: CAN-1999-0593
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A user is allowed to shut down a Windows NT system without logging in.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
COMMENTS:
Wall> Still a denial of service.
Northcutt> May well be appropriate
=================================
Candidate: CAN-1999-0594
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A Windows NT system does not restrict access to removable media drives
such as a floppy disk drive or CDROM drive.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
COMMENTS:
Wall> Perhaps it can be re-worded to "removable media drives
Wall> such as a floppy disk drive or CDROM drive can be accessed (shared) in a
Wall> Windows NT system."
Northcutt> - what good is my NT w/o its floppy
=================================
Candidate: CAN-1999-0595
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A Windows NT system does not clear the system page file during
shutdown.
VOTES:
ACCEPT(1) Wall
NOOP(1) Northcutt
=================================
Candidate: CAN-1999-0596
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A Windows NT log file has an inappropriate maximum size or retention
period.
VOTES:
REJECT(2) Wall, Northcutt
COMMENTS:
Northcutt> define appropriate
=================================
Candidate: CAN-1999-0597
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
A Windows NT account policy does not forcibly disconnect remote users
from the server when their logon hours expire.
VOTES:
ACCEPT(1) Northcutt
REJECT(1) Wall
=================================
Candidate: CAN-1999-0603
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
In Windows NT, an inappropriate user is a member of a group,
e.g. Administrator, Backup Operators, Domain Admins, Domain Guests,
Power Users, Print Operators, Replicators, System Operators, etc.
VOTES:
REJECT(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0654
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SA
The OS/2 or POSIX subsystem in NT is enabled.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
COMMENTS:
Wall> These subsystems could still allow a process to persist across logins.
--------------------- CLUSTER DATA ---------------------
DATA (10 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27
CF problems related to data access
Voters:
Wall ACCEPT(10)
Northcutt ACCEPT(3) RECAST(6) REJECT(1)
<PROPOSED> --> 10
ACCEPT --> 3
RECAST --> 6
REJECT --> 1
=================================
Candidate: CAN-1999-0509
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
Perl, sh, csh, or other shell interpreters are accessible on a WWW
site.
VOTES:
ACCEPT(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0520
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
A system-critical NETBIOS/SMB share has inappropriate access control.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we need to enumerate the shares and/or the access control
=================================
Candidate: CAN-1999-0522
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
Reference: CERT:CA-96.10
The permissions for a system-critical NIS+ table (e.g. passwd) are
inappropriate.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> Why not say world readable, this is what you do further down in the
Northcutt> file (world exportable in CAN-1999-0554)
=================================
Candidate: CAN-1999-0527
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
The permissions for system-critical data in an anonymous FTP account
are inappropriate. For example, the root directory is writeable by
world, a real password file is obtainable, or executable commands such
as "ls" can be overwritten.
VOTES:
ACCEPT(2) Wall, Northcutt
COMMENTS:
Northcutt> That starts to get specific :)
=================================
Candidate: CAN-1999-0554
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
NFS exports system-critical data to the world, e.g. / or a password
file.
VOTES:
ACCEPT(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0559
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
A system-critical Unix file or directory has inappropriate
permissions.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> Writable other than by root/bin/wheelgroup?
=================================
Candidate: CAN-1999-0560
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
A system-critical Windows NT file or directory has inappropriate
permissions.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we should specify these
=================================
Candidate: CAN-1999-0569
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
A URL for a WWW directory allows auto-indexing, which provides a list
of all files in that directory.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
COMMENTS:
Northcutt> I do this intentionally sometimes in high content directories
=================================
Candidate: CAN-1999-0587
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
A WWW server is not running in a restricted file system, e.g. through
a chroot, thus allowing access to system-critical data.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> While I would accept this for Unix, I am not sure this applies to NT,
Northcutt> VMS, palm pilots, or commodore 64
=================================
Candidate: CAN-1999-0591
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
An event log in Windows NT has inappropriate access permissions.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> splain Lucy, splain
--------------------- CLUSTER NT-REGISTRY ---------------------
NT-REGISTRY (6 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27
CF problems related to NT registry settings
Voters:
Wall ACCEPT(6)
Northcutt RECAST(6)
<PROPOSED> --> 6
RECAST --> 6
=================================
Candidate: CAN-1999-0580
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate,
system-critical permissions.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.
=================================
Candidate: CAN-1999-0581
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate,
system-critical permissions.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.
=================================
Candidate: CAN-1999-0589
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
A system-critical Windows NT registry key has inappropriate
permissions.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.
=================================
Candidate: CAN-1999-0611
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
A system-critical Windows NT registry key has an inappropriate value.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.
=================================
Candidate: CAN-1999-0664
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990803
Category: CF
An application-critical Windows NT registry key has inappropriate
permissions.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.
=================================
Candidate: CAN-1999-0665
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990803
Category: CF
An application-critical Windows NT registry key has an inappropriate
value.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.
--------------------- CLUSTER SA-LITTLE ---------------------
SA-LITTLE (5 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27
Presence of "little" services that are rarely necessary
Voters:
Wall ACCEPT(3) NOOP(2)
Northcutt ACCEPT(1) REJECT(4)
<PROPOSED> --> 5
ACCEPT --> 1
REJECT --> 4
=================================
Candidate: CAN-1999-0635
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The echo service is running.
VOTES:
ACCEPT(2) Wall, Northcutt
COMMENTS:
Northcutt> The method to my madness is echo is the common denom in the dos attack
=================================
Candidate: CAN-1999-0636
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The discard service is running.
VOTES:
NOOP(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0637
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The systat service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0638
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The daytime service is running.
VOTES:
NOOP(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0639
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The chargen service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
--------------------- CLUSTER SA-ATTACK ---------------------
SA-ATTACK (10 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27
Presence of services that are common attack points
Voters:
Wall ACCEPT(9) REJECT(1)
Northcutt REJECT(10)
<PROPOSED> --> 10
REJECT --> 10
=================================
Candidate: CAN-1999-0615
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The SNMP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0620
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
A component service related to NIS is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0630
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The NT Alerter and Messenger services are running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0633
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The HTTP/WWW service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0641
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The UUCP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0645
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The IRC service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0646
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The LDAP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0651
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The rsh/rlogin service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0653
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
A component service related to NIS+ is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0659
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
A Windows NT Primary Domain Controller (PDC) or Backup Domain
Controller (BDC) is present.
VOTES:
REJECT(2) Wall, Northcutt
COMMENTS:
Wall> Don't consider this a service or a problem.
--------------------- CLUSTER SA-HIST ---------------------
SA-HIST (13 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27
Presence of services with a history of problems
Voters:
Wall ACCEPT(12) NOOP(1)
Northcutt REJECT(13)
<PROPOSED> --> 13
REJECT --> 13
=================================
Candidate: CAN-1999-0614
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The FTP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0616
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The TFTP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0617
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The SMTP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0619
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The Telnet service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0621
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
A component service related to NETBIOS is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0622
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
A component service related to DNS is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0623
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The X Windows service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0631
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The NFS service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0632
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The RPC portmapper service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0634
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The SSH service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0642
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
A POP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0643
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The IMAP service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0657
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
WinGate is being used.
VOTES:
NOOP(1) Wall
REJECT(1) Northcutt
--------------------- CLUSTER SA-OTHER ---------------------
SA-OTHER (8 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27
Other SA candidates
Voters:
Wall ACCEPT(5) NOOP(3)
Northcutt REJECT(8)
<PROPOSED> --> 8
REJECT --> 8
=================================
Candidate: CAN-1999-0640
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The Gopher service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0644
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The NNTP news service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0648
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The X25 service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0649
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The FSP service is running.
VOTES:
NOOP(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0650
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The netstat service is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0652
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
A database service is running, e.g. a SQL server, Oracle, or mySQL.
VOTES:
NOOP(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0656
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
The ugidd service is running.
VOTES:
NOOP(1) Wall
REJECT(1) Northcutt
=================================
Candidate: CAN-1999-0658
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA
DCOM is running.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt
--------------------- CLUSTER MPAN ---------------------
MPAN (4 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 8/3
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27
MP/AN category candidates
Voters:
Wall ACCEPT(4)
Northcutt ACCEPT(3) RECAST(1)
<PROPOSED> --> 4
ACCEPT --> 3
RECAST --> 1
=================================
Candidate: CAN-1999-0660
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: MP
A hacker utility or Trojan Horse is installed on a system,
e.g. NetBus, Back Orifice, Rootkit, etc.
VOTES:
ACCEPT(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0661
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: MP
A system is running a version of software that was replaced with a
Trojan Horse at its distribution point, e.g. TCP Wrappers, wuftpd,
etc.
VOTES:
ACCEPT(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0662
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: AN
A system-critical program or library does not have the appropriate
patch, hotfix, or service pack installed, or is outdated or obsolete.
VOTES:
ACCEPT(2) Wall, Northcutt
=================================
Candidate: CAN-1999-0663
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: AN
A system-critical program, library, or file has a checksum or other
integrity measurement that indicates that it has been modified.
VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt
COMMENTS:
Northcutt> This needs to be worded carefully.
Northcutt> 1. Rootkits evade checksum detection.
Northcutt> 2. The modification could be positive (a patch)
--------------------- CLUSTER MULT ---------------------
MULT (35 candidates)
--------------------
Proposed: 6/23
Scheduled Interim Decision: 7/5
Scheduled Final Decision: 7/9
Multiple executables split into
Voters:
Frech ACCEPT(11) MODIFY(19) RECAST(2) REVIEWING(2)
<PROPOSED> --> 34
ACCEPT --> 11
MODIFY --> 19
RECAST --> 2
REVIEWING --> 2
=================================
Candidate: CAN-1999-0009
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-bo
Reference: SUN:00180
Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.
VOTES:
ACCEPT(1) Frech
=================================
Candidate: CAN-1999-0010
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-dos
Denial of Service vulnerability in BIND 8 Releases via maliciously
formatted DNS messages.
VOTES:
ACCEPT(1) Frech
=================================
Candidate: CAN-1999-0011
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-dos
Reference: SUN:00180
Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases
via CNAME record and zone transfer.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> Change XF reference to:
Frech> XF:bind-axfr-dos
=================================
Candidate: CAN-1999-0016
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: FreeBSD:FreeBSD-SA-98:01
Reference: XF:cisco-land
Reference: XF:land
Reference: XF:95-verv-tcp
Reference: XF:land-exploit
Reference: XF:land-patch
Reference: CISCO:http://www.cisco.com/warp/public/770/land-pub.shtml
Land IP denial of service
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:ver-tcpip-sys (applies to a check, not a vulnerability, and is thus not
Frech> listed on website)
Frech> XF:land-exploit (obsolete, replaced by land)
=================================
Candidate: CAN-1999-0025
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.19.IRIX.df.buffer.overflow.vul
Reference: XF:df-bo
root privileges via buffer overflow in df command on SGI IRIX
systems.
VOTES:
ACCEPT(1) Frech
=================================
Candidate: CAN-1999-0026
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.20.IRIX.pset.buffer.overflow.vul
Reference: XF:pset-bo
root privileges via buffer overflow in pset command on SGI IRIX
systems.
VOTES:
ACCEPT(1) Frech
=================================
Candidate: CAN-1999-0027
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.21.IRIX.eject.buffer.overflow.vul
Reference: XF:eject-bo
root privileges via buffer overflow in eject command on SGI IRIX
systems.
VOTES:
ACCEPT(1) Frech
=================================
Candidate: CAN-1999-0028
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.22.IRIX.login.scheme.buffer.overflow.vul
root privileges via buffer overflow in login/scheme command on SGI
IRIX systems.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:sgi-schemebo
=================================
Candidate: CAN-1999-0029
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.23-IRIX.ordist.buffer.overflow.vul
Reference: XF:ordist-bo
root privileges via buffer overflow in ordist command on SGI IRIX
systems.
VOTES:
ACCEPT(1) Frech
=================================
Candidate: CAN-1999-0030
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul
Reference: XF:sgi-xlockbo
Reference: SGI:19970508-02-PX
root privileges via buffer overflow in xlock command on SGI IRIX
systems.
VOTES:
RECAST(1) Frech
COMMENTS:
Frech> XF:xlock-bo (also add)
Frech> As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and
Frech> several Linii.
Frech> Also, don't you mean to cite SGI:19970502-02-PX? The one you list is
Frech> login/scheme.
=================================
Candidate: CAN-1999-0068
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-php-mylog
CGI PHP mylog script allows an attacker to read any file on the
target server.
VOTES:
ACCEPT(1) Frech
=================================
Candidate: CAN-1999-0075
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:pasvcore
PASV core dump in FTP daemon
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> There is no pasvcore record; delete and add
Frech> XF:ftp-pasvcore
=================================
Candidate: CAN-1999-0076
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:ftp-args
Core dump from FTP arguments
VOTES:
ACCEPT(1) Frech
=================================
Candidate: CAN-1999-0092
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:006.1
Various vulnerabilities in the AIX portmir command allow
local users to obtain root access.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:ibm-portmir
=================================
Candidate: CAN-1999-0101
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:001.1
Reference: SUN:00137
Reference: NAI:NAI-1
Buffer overflow in AIX and Solaris "gethostbyname" library call allows
root access through corrupt DNS host names.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:ghbn-bo
Frech> in addition to ERS:1997:001.1, also include 1996:007.1
Frech> Sun's bulletin is 137a, not 137.
=================================
Candidate: CAN-1999-0124
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability
Reference: XF:gopher-vuln
Vulnerabilities in UMN gopher and gopher+ allow an intruder to read
any files that can be accessed by the gopher daemon.
VOTES:
ACCEPT(1) Frech
=================================
Candidate: CAN-1999-0126
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:VB-98.04.xterm.Xaw
Reference: CIAC:J-010
SGI IRIX buffer overflow in xterm and Xaw allows root access.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:xfree86-xterm-xaw
Frech> XF:xfree86-xaw
=================================
Candidate: CAN-1999-0127
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.27.hp_sw_install
Reference: AUSCERT:AA-96.04
Reference: XF:hpux-swinstall
swinstall and swmodify commands in SD-UX package in HP-UX systems
allow local users to create or overwrite arbitrary files to gain root
access.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> (keep current XF: reference, and add)
Frech> XF:hpux-sqwmodify
=================================
Candidate: CAN-1999-0138
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.12.suidperl_vul
The suidperl and sperl programs do not give up root privileges when
changing UIDs back to the original users, allowing root access.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:sperl-suid
=================================
Candidate: CAN-1999-0231
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6
packages using a long VRFY command, causing a denial of service and
possibly remote access.
VOTES:
RECAST(1) Frech
COMMENTS:
Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below)
Frech> XF:smtp-vrfy-bo (many mail packages)
=================================
Candidate: CAN-1999-0261
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:chamelion-smtp-dos
=================================
Candidate: CAN-1999-0282
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.12.sun.loadmodule.vul
Vulnerabilities in loadmodule and modload programs in SunOS and OpenWindows
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:sun-loadmodule
Frech> XF:sun-modload (CERT CA-93.18 very old!)
=================================
Candidate: CAN-1999-0284
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:smtp-helo-bo
Denial of service to NT mail servers including Ipswitch, Mdaemon, and
Exchange through a buffer overflow in the SMTP HELO command.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification)
Frech> XF:mdaemon-helo-bo
Frech> XF:lotus-notes-helo-crash
Frech> XF:slmail-helo-overflow
Frech> XF:smtp-helo-bo (mentions several products)
Frech> XF:smtp-exchangedos
=================================
Candidate: CAN-1999-0333
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK
Reference: XF:omniback-remote
Omniback allows remote execution of commands as root via spoofing, and
local users can gain root access via a symlink attack.
VOTES:
ACCEPT(1) Frech
=================================
Candidate: CAN-1999-0346
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
CGI PHP mlog script allows an attacker to read any file on the target
server.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:http-cgi-php-mlog
=================================
Candidate: CAN-1999-0354
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:Jan27,1999
Reference: MS:MS99-002
Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution
of Visual Basic programs to the IE client through the Word 97
template, which doesn't warn the user that the template contains
executable content. Also applies to Outlook when the client views a
malicious email message.
VOTES:
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0368
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-99.03
Reference: NETECT:palmetto.ftpd
Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to
remote root access, a.k.a. palmetto.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:palmetto-ftpd-bo
=================================
Candidate: CAN-1999-0415
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ISS:Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers
The Clickstart web server in Cisco 700 series routers allows remote
attackers to execute commands on the router, or perform information
gathering, without authentication.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> Reference: ISS:March11,1999 (consistent with cluster 1, CAN-1999-0008)
Frech> XF:cisco-router-commands
Frech> XF:cisco-web-config
=================================
Candidate: CAN-1999-0416
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ISS:Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers
The Clickstart web server in Cisco 700 series routers allows remote
attackers to perform a denial of service.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> Reference: ISS:March11,1999
Frech> XF:cisco-web-crash
=================================
Candidate: CAN-1999-0435
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9903-096
MC/ServiceGuard and MC/LockManager in HP-UX allow local users to gain
privileges through SAM.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:hp-servicegaurd
=================================
Candidate: CAN-1999-0467
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-webcom-guestbook
The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a
remote attacker to read arbitrary files using the template key.
VOTES:
ACCEPT(1) Frech
=================================
Candidate: CAN-1999-0488
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-012
MSHTML.DLL in Internet Explorer allows a remote attacker to execute
security scripts in a different security context, using malicious
URLs.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:ie-mshtml-crossframe
=================================
Candidate: CAN-1999-0489
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-012
MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to read
the contents of a user's clipboard, aka untrusted scripted paste.
VOTES:
REVIEWING(1) Frech
COMMENTS:
Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a
Frech> clipboard in either.
Frech> I cannot proceed on this one without further clarification.
=================================
Candidate: CAN-1999-0490
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-012
MSHTML.DLL in Internet Explorer allows a remote attacker to learn
information about a local user's files.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:ie-scriplet-fileread