VOTES: Recorded votes for recent clusters
Below is a list of votes that includes some votes that were sent to me directly instead of the list. They are for the following clusters: NTCONFIG, VERIFY-TOOL, NETCONF, CFMISC, DESC, NOVULN, DATA, NT-REGISTRY, SA-LITTLE, SA-ATTACK, SA-HIST, SA-OTHER, MPAN, and MULT. - Steve --------------------- CLUSTER NTCONFIG --------------------- NTCONFIG (13 candidates) -------------------- Proposed: 7/20 Scheduled Proposed: 7/6 Scheduled Interim Decision: 8/2 Scheduled Final Decision: 8/6 Configuration problems related to NT Voters: Shostack ACCEPT(12) REJECT(1) Wall ACCEPT(12) REVIEWING(1) Ozancin ACCEPT(9) MODIFY(3) RECAST(1) Christey ACCEPT(2) Northcutt ACCEPT(2) MODIFY(1) NOOP(1) RECAST(3) REJECT(6) Baker ACCEPT(8) MODIFY(2) REJECT(1) REVIEWING(2) <PROPOSED> --> 13 ACCEPT --> 3 MODIFY --> 1 RECAST --> 3 REJECT --> 6 ================================= Candidate: CAN-1999-0499 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF NETBIOS share information may be published through SNMP registry keys in NT. VOTES: ACCEPT(5) Wall, Northcutt, Baker, Shostack, Ozancin ================================= Candidate: CAN-1999-0534 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT user has inappropriate rights or privileges, e.g. Act as System, Add Workstation, Backup, Change System Time, Create Pagefile, Create Permanent Object, Create Token Name, Debug, Generate Security Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory, Profile Single Process, Remote Shutdown, Replace Process Token, Restore, System Environment, Take Ownership, or Unsolicited Input. VOTES: ACCEPT(5) Wall, Baker, Shostack, Ozancin, Christey MODIFY(1) Northcutt COMMENTS: Northcutt> If we are going to write a laundry list put access to the scheduler in it. Christey> The list of privileges is very useful for lookup. 
================================= Candidate: CAN-1999-0535 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness. VOTES: ACCEPT(2) Wall, Shostack MODIFY(1) Baker RECAST(2) Northcutt, Ozancin COMMENTS: Northcutt> inappropriate implies there is appropriate. As a guy who has been Northcutt> monitoring Northcutt> networks for years I have deep reservations about justiying the existance Northcutt> of any fixed cleartext password. For appropriate to exist, some "we" would Northcutt> have to establish some criteria for appropriate passwords. Baker> Perhaps this could be re-worded a bit. The CVE CAN-1999-00582 Baker> specifies "...settings for lockouts". To remain consistent with the Baker> other, maybe it should specify "...settings for passwords" I think Baker> most people would agree that passwords should be at least 8 Baker> characters; contain letters (upper and lowercase), numbers and at Baker> least one non-alphanumeric; should only be good a limited time 30-90 Baker> days; and should not contain character combinations from user's prior Baker> 2 or 3 passwords. Baker> Suggested rewrite - Baker> A Windows NT account policy does not enforce reasonable minimum Baker> security-critical settings for passwords, e.g. passwords of sufficient Baker> length, periodic required password changes, or new password uniqueness Ozancin> What is appropriate? ================================= Candidate: CAN-1999-0546 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF The Windows NT guest account is enabled. 
VOTES: ACCEPT(5) Wall, Northcutt, Baker, Shostack, Ozancin ================================= Candidate: CAN-1999-0562 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF The registry in Windows NT can be accessed remotely by users who are not administrators. VOTES: ACCEPT(4) Wall, Baker, Shostack, Ozancin RECAST(1) Northcutt COMMENTS: Northcutt> This isn't all or nothing, users may be allowed to access part of the Northcutt> registry. ================================= Candidate: CAN-1999-0572 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF ..reg files are associated with the Windows NT registry editor, making the registry susceptible to Trojan Horse attacks. VOTES: ACCEPT(4) Wall, Baker, Shostack, Ozancin NOOP(1) Northcutt COMMENTS: Northcutt> I don't quite get what this means, sorry ================================= Candidate: CAN-1999-0575 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking. VOTES: ACCEPT(4) Wall, Shostack, Ozancin, Christey RECAST(1) Northcutt REVIEWING(1) Baker COMMENTS: Northcutt> It isn't a great truth that you should enable all or the above, if you Northcutt> do you potentially introduce a vulnerbility of filling up the file Northcutt> system with stuff you will never look at. Ozancin> It is far less interesting what a user does successfully that what they Ozancin> attempt and fail at. Christey> The list of event types is very useful for lookup. 
================================= Candidate: CAN-1999-0576 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories. VOTES: ACCEPT(3) Wall, Baker, Shostack MODIFY(1) Ozancin REJECT(1) Northcutt COMMENTS: Northcutt> 1.) Too general are we ready to state what the security-critical files Northcutt> and directories are Northcutt> 2.) Does Ataris, Windows CE, PalmOS, Linux have such a capability Ozancin> Some files and directories are clearly understood to be critical. Others are Ozancin> unclear. We need to clarify that critical is. ================================= Candidate: CAN-1999-0577 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories. VOTES: ACCEPT(2) Wall, Shostack MODIFY(1) Ozancin REJECT(1) Northcutt REVIEWING(1) Baker COMMENTS: Ozancin> It is far less interesting what a user does successfully that what they Ozancin> attempt and fail at. Ozancin> Perhaps only failure should be logged. ================================= Candidate: CAN-1999-0578 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys. VOTES: ACCEPT(4) Wall, Baker, Shostack, Ozancin REJECT(1) Northcutt COMMENTS: Ozancin> with reservation Ozancin> Again what is defined as critical ================================= Candidate: CAN-1999-0579 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys. 
VOTES: ACCEPT(3) Wall, Baker, Shostack MODIFY(1) Ozancin REJECT(1) Northcutt COMMENTS: Ozancin> Again only failure may be of interest. It would be impractical to wad Ozancin> through the incredibly large amount of logging that this would generate. It Ozancin> could overwhelm log entries that you might find interesting. ================================= Candidate: CAN-1999-0582 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g. lockout duration, lockout after bad logon attempts, etc. VOTES: ACCEPT(3) Wall, Shostack, Ozancin MODIFY(1) Baker REJECT(1) Northcutt COMMENTS: Northcutt> The definition is? Baker> Maybe a rewording of this one too. I think most people would agree on Baker> some "minimum" policies like 3-5 bad attempts lockout for an hour or Baker> until the administrator unlocks the account. Baker> Suggested rewrite - Baker> A Windows NT account policy does not enforce reasonable minimum Baker> security-critical settings for lockouts, e.g. lockout duration, Baker> lockout after bad logon attempts, etc. Ozancin> with reservations Ozancin> What is appropriate? ================================= Candidate: CAN-1999-0585 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT administrator account has the default name of Administrator. VOTES: ACCEPT(1) Ozancin REJECT(3) Northcutt, Baker, Shostack REVIEWING(1) Wall COMMENTS: Wall> Some sources say this is not a vulnerability, but a warning. It just Wall> slows down the search for the admin account (SID = 500) which can Wall> always be found. Northcutt> I change this on all NT systems I am responsible for, but is Northcutt> root a vulnerability? Baker> There are ways to identify the administrator account anyway, so this Baker> is only a minor delay to someone that is knowledgeable. 
This, in and Baker> of itself, doesn't really strike me as a vulnerability, anymore than Baker> the root account on a Unix box. Shostack> (there is no way to hide the account name today) --------------------- CLUSTER VERIFY-TOOL --------------------- VERIFY-TOOL (7 candidates) -------------------- Proposed: 7/27 Scheduled Interim Decision: 8/23 Scheduled Final Decision: 8/27 Problems mentioned in a tool, but not seen in other VDB's Voters: Frech NOOP(1) Shostack MODIFY(1) Northcutt ACCEPT(5) NOOP(2) <PROPOSED> --> 7 ACCEPT --> 4 MODIFY --> 1 NOOP --> 2 ================================= Candidate: CAN-1999-0220 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Attackers can do a denial of service of IRC by crashing the server. VOTES: NOOP(1) Northcutt ================================= Candidate: CAN-1999-0226 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service. VOTES: ACCEPT(1) Northcutt ================================= Candidate: CAN-1999-0240 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy. VOTES: ACCEPT(1) Northcutt ================================= Candidate: CAN-1999-0247 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Buffer overflow in nnrpd program in INN allows remote users to execute arbitrary commands. VOTES: NOOP(1) Northcutt ================================= Candidate: CAN-1999-0248 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF sshd 1.2.17 can be compromised through the SSH protocol. 
VOTES: ACCEPT(1) Northcutt MODIFY(1) Shostack NOOP(1) Frech COMMENTS: Shostack> http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html Shostack> looks to me to be about the correct message that came from Tatu. Shostack> There are comments in changelog: * Improved the security of Shostack> auth_input_request_forwarding(). Shostack> Shostack> I'm not in favor of moving this forward without additional detail, but Shostack> thought I'd add a confirming URL and comment. We have insufficient Shostack> detail to accept it as a CVE. Frech> Try http://www.uni-karlsruhe.de/~ig25/ssh-faq/ssh-faq-6.html#ss6.1; to wit Frech> (see asterisked section): Frech> ... Frech> ***** Frech> Versions of ssh prior to 1.2.17 had problems with authentication agent Frech> handling on some machines. There is a chance (a race condition) that a Frech> malicious user could steal another user's credentials. This should be fixed Frech> in 1.2.17. Frech> ***** ================================= Candidate: CAN-1999-0493 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF A remote attacker can bounce RPC calls through rpc.statd. VOTES: ACCEPT(1) Northcutt ================================= Candidate: CAN-1999-0495 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares. 
VOTES: ACCEPT(1) Northcutt --------------------- CLUSTER NETCONF --------------------- NETCONF (12 candidates) -------------------- Proposed: 7/26 Scheduled Interim Decision: 8/23 Scheduled Final Decision: 8/27 Network configuration problems Voters: Northcutt ACCEPT(3) NOOP(1) RECAST(1) REJECT(7) <PROPOSED> --> 12 ACCEPT --> 3 NOOP --> 1 RECAST --> 1 REJECT --> 7 ================================= Candidate: CAN-1999-0510 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: CF A router or firewall allows source routed packets from arbitrary hosts. VOTES: ACCEPT(1) Northcutt ================================= Candidate: CAN-1999-0511 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: CF IP forwarding is enabled on a machine which is not a router or firewall. VOTES: ACCEPT(1) Northcutt ================================= Candidate: CAN-1999-0523 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: CF ICMP echo (ping) is allowed from arbitrary hosts. VOTES: REJECT(1) Northcutt COMMENTS: Northcutt> (Though I sympathize with this one :) ================================= Candidate: CAN-1999-0524 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: CF ICMP information such as netmask and timestamp is allowed from arbitrary hosts. VOTES: REJECT(1) Northcutt ================================= Candidate: CAN-1999-0525 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: CF IP traceroute is allowed from arbitrary hosts. 
VOTES: REJECT(1) Northcutt ================================= Candidate: CAN-1999-0528 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: CF A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of. VOTES: ACCEPT(1) Northcutt ================================= Candidate: CAN-1999-0529 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: CF A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc. VOTES: REJECT(1) Northcutt COMMENTS: Northcutt> I have seen ISPs "assign" private addresses within their domain ================================= Candidate: CAN-1999-0532 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: CF A DNS server allows zone transfers. VOTES: REJECT(1) Northcutt COMMENTS: Northcutt> (With split DNS implementations this is quite appropriate) ================================= Candidate: CAN-1999-0533 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: CF A DNS server allows inverse queries. VOTES: REJECT(1) Northcutt COMMENTS: Northcutt> (rule of thumb) ================================= Candidate: CAN-1999-0550 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: CF A router's routing tables can be obtained from arbitrary hosts. VOTES: RECAST(1) Northcutt COMMENTS: Northcutt> Don't you mean obtained by arbitrary hosts ================================= Candidate: CAN-1999-0571 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: CF Reference: BUGTRAQ:Feb5,1999 A router allows arbitrary hosts to connect to its configuration service, or related services such as telnet. 
VOTES: NOOP(1) Northcutt ================================= Candidate: CAN-1999-0588 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990726 Assigned: 19990607 Category: CF A filter in a router or firewall allows unusual fragmented packets. VOTES: REJECT(1) Northcutt COMMENTS: Northcutt> I want to vote to accept this one, but unusual is a shade broad. --------------------- CLUSTER CFMISC --------------------- CFMISC (18 candidates) -------------------- Proposed: 7/28 Scheduled Interim Decision: 8/23 Scheduled Final Decision: 8/27 Miscellaneous CF problems Voters: Shostack ACCEPT(5) RECAST(6) REJECT(6) Northcutt ACCEPT(6) NOOP(3) REJECT(8) <PROPOSED> --> 17 ACCEPT --> 3 RECAST --> 4 REJECT --> 10 ================================= Candidate: CAN-1999-0497 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF Anonymous FTP is enabled VOTES: ACCEPT(1) Shostack REJECT(1) Northcutt ================================= Candidate: CAN-1999-0512 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF Mail relay is enabled, allowing abuse by spammers. VOTES: ACCEPT(2) Northcutt, Shostack ================================= Candidate: CAN-1999-0515 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv. VOTES: ACCEPT(1) Northcutt REJECT(1) Shostack COMMENTS: Shostack> Overly broad ================================= Candidate: CAN-1999-0530 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF A system is operating in "promiscuous" mode which allows it to perform packet sniffing. 
VOTES: ACCEPT(1) Northcutt REJECT(1) Shostack ================================= Candidate: CAN-1999-0531 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO. VOTES: RECAST(1) Shostack REJECT(1) Northcutt COMMENTS: Shostack> I think expn != vrfy, help, esmtp. ================================= Candidate: CAN-1999-0539 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF A trust relationship exists between two Unix hosts. VOTES: REJECT(2) Northcutt, Shostack COMMENTS: Northcutt> Too non specific ================================= Candidate: CAN-1999-0547 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF An SSH server allows authentication through the .rhosts file. VOTES: ACCEPT(1) Shostack NOOP(1) Northcutt ================================= Candidate: CAN-1999-0548 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF A superfluous NFS server is running, but it is not importing or exporting any file systems. VOTES: ACCEPT(1) Shostack REJECT(1) Northcutt ================================= Candidate: CAN-1999-0555 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF A Unix account with a name other than "root" has UID 0, i.e. root privileges. VOTES: REJECT(2) Northcutt, Shostack COMMENTS: Northcutt> This is very bogus ================================= Candidate: CAN-1999-0556 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF Two or more Unix accounts have the same UID. 
VOTES: REJECT(2) Northcutt, Shostack ================================= Candidate: CAN-1999-0561 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF IIS has the #exec function enabled for Server Side Include (SSI) files. VOTES: NOOP(1) Northcutt RECAST(1) Shostack ================================= Candidate: CAN-1999-0564 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled. VOTES: ACCEPT(1) Shostack NOOP(1) Northcutt ================================= Candidate: CAN-1999-0565 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF A Sendmail alias allows input to be piped to a program. VOTES: ACCEPT(1) Northcutt RECAST(1) Shostack COMMENTS: Shostack> Is this a default alias? Is my .procmailrc an instance of this? ================================= Candidate: CAN-1999-0568 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF rpc.admind in Solaris is not running in a secure mode. VOTES: ACCEPT(1) Northcutt RECAST(1) Shostack COMMENTS: Shostack> are there secure modes? ================================= Candidate: CAN-1999-0583 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF There is a one-way or two-way trust relationship between Windows NT domains. VOTES: REJECT(2) Northcutt, Shostack ================================= Candidate: CAN-1999-0586 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF A network service is running on a nonstandard port. 
VOTES: RECAST(1) Shostack REJECT(1) Northcutt COMMENTS: Shostack> Might be acceptable if clearer; is that a standard service on a Shostack> non-standard port, or any service on an unassigned port? ================================= Candidate: CAN-1999-0590 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF A system does not present an appropriate legal message or warning to a user who is accessing it. VOTES: ACCEPT(1) Northcutt RECAST(1) Shostack --------------------- CLUSTER DESC --------------------- DESC (2 candidates) -------------------- Proposed: 7/28 Scheduled Proposed: 7/27 Scheduled Interim Decision: 8/23 Scheduled Final Decision: 8/27 Description/information problems Voters: Wall MODIFY(1) NOOP(1) Northcutt NOOP(2) <PROPOSED> --> 2 MODIFY --> 1 NOOP --> 1 ================================= Candidate: CAN-1999-0001 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Reference: CERT:CA-98-13-tcp-denial-of-service Denial of service in BSD-derived TCP/IP implementations, as described in CERT CA-98-13. VOTES: NOOP(2) Wall, Northcutt ================================= Candidate: CAN-1999-0345 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems. VOTES: MODIFY(1) Wall NOOP(1) Northcutt COMMENTS: Wall> Invalid ICMP datagram fragments causes a denial of service in Windows 95 and Wall> Windows NT systems. Wall> Reference: Q154174. Wall> Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death. Wall> It is a modified teardrop 2 attack. 
--------------------- CLUSTER NOVULN --------------------- NOVULN (19 candidates) -------------------- Proposed: 7/28 Scheduled Interim Decision: 8/23 Scheduled Final Decision: 8/27 Problems that may be regarded as "not a vulnerability" Voters: Wall ACCEPT(5) NOOP(5) REJECT(9) Northcutt ACCEPT(6) NOOP(6) REJECT(7) <PROPOSED> --> 19 ACCEPT --> 3 NOOP --> 3 REJECT --> 13 ================================= Candidate: CAN-1999-0119 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Windows NT 4.0 beta allows users to read and delete shares. VOTES: NOOP(1) Northcutt REJECT(1) Wall COMMENTS: Wall> Reject based on beta copy. ================================= Candidate: CAN-1999-0361 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Reference: BUGTRAQ:Jan29,1999 NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging. VOTES: NOOP(2) Wall, Northcutt ================================= Candidate: CAN-1999-0364 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Reference: BUGTRAQ:Feb04,1999 Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data. VOTES: NOOP(2) Wall, Northcutt ================================= Candidate: CAN-1999-0397 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Reference: L0PHT:Jan21,1999 Reference: BUGTRAQ:Jan21,1999 The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext. 
VOTES: ACCEPT(1) Northcutt REJECT(1) Wall ================================= Candidate: CAN-1999-0403 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Reference: BUGTRAQ:Feb4,1999 Reference: XF:cyrix-hang A bug in Cyrix CPU's on Linux allows local users to perform a denial of service. VOTES: ACCEPT(1) Northcutt NOOP(1) Wall ================================= Candidate: CAN-1999-0453 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Dicsovery Protocol (CDP). VOTES: NOOP(2) Wall, Northcutt ================================= Candidate: CAN-1999-0454 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso. VOTES: NOOP(1) Wall REJECT(1) Northcutt COMMENTS: Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced Northcutt> ways to accomplish this. To pursue making the world signature free Northcutt> is as much a vulnerability as having signatures, nay more. ================================= Candidate: CAN-1999-0459 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Reference: XF:linux-milo-halt Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot. VOTES: NOOP(1) Northcutt REJECT(1) Wall ================================= Candidate: CAN-1999-0465 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: SF Reference: XF:http-img-overflow Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter. 
VOTES: ACCEPT(1) Northcutt REJECT(1) Wall ================================= Candidate: CAN-1999-0570 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF Windows NT is not using a password filter utility, e.g. PASSFILT.DLL. VOTES: ACCEPT(1) Northcutt REJECT(1) Wall COMMENTS: Northcutt> Here we are crossing into the best practices arena again. However since Northcutt> passfilt does establish a measurable standard and since we aren't the Northcutt> ones defining the stanard, simply saying it should be employed I will Northcutt> vote for this. ================================= Candidate: CAN-1999-0584 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF A Windows NT file system is not NTFS. VOTES: ACCEPT(2) Wall, Northcutt COMMENTS: Wall> NTFS partition provides the security. This could be re-worded Wall> to "A Windows NT file system is FAT" since it is either NTFS or FAT Wall> and FAT is less secure. ================================= Candidate: CAN-1999-0592 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF The Logon box of a Windows NT system displays the name of the last user who logged in. VOTES: REJECT(2) Wall, Northcutt COMMENTS: Wall> Information gathering, not vulnerability Northcutt> Ah a C2 weenie must have snuck this in, this can be a good thing Northcutt> not just vulnerability ================================= Candidate: CAN-1999-0593 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990728 Assigned: 19990607 Category: CF A user is allowed to shut down a Windows NT system without logging in. VOTES: ACCEPT(1) Wall REJECT(1) Northcutt COMMENTS: Wall> Still a denial of service. 
Northcutt> May well be appropriate

=================================
Candidate: CAN-1999-0594
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Windows NT system does not restrict access to removable media drives
such as a floppy disk drive or CDROM drive.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

COMMENTS:
Wall> Perhaps it can be re-worded to "removable media drives
Wall> such as a floppy disk drive or CDROM drive can be accessed (shared) in a
Wall> Windows NT system."
Northcutt> - what good is my NT w/o its floppy

=================================
Candidate: CAN-1999-0595
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Windows NT system does not clear the system page file during shutdown.

VOTES:
ACCEPT(1) Wall
NOOP(1) Northcutt

=================================
Candidate: CAN-1999-0596
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Windows NT log file has an inappropriate maximum size or retention period.

VOTES:
REJECT(2) Wall, Northcutt

COMMENTS:
Northcutt> define appropriate

=================================
Candidate: CAN-1999-0597
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Windows NT account policy does not forcibly disconnect remote users
from the server when their logon hours expire.

VOTES:
ACCEPT(1) Northcutt
REJECT(1) Wall

=================================
Candidate: CAN-1999-0603
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

In Windows NT, an inappropriate user is a member of a group, e.g.
Administrator, Backup Operators, Domain Admins, Domain Guests, Power
Users, Print Operators, Replicators, System Operators, etc.

VOTES:
REJECT(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0654
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SA

The OS/2 or POSIX subsystem in NT is enabled.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

COMMENTS:
Wall> These subsystems could still allow a process to persist across logins.

---------------------
CLUSTER DATA
---------------------

DATA (10 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

CF problems related to data access

Voters:
Wall      ACCEPT(10)
Northcutt ACCEPT(3) RECAST(6) REJECT(1)

<PROPOSED> --> 10
ACCEPT --> 3
RECAST --> 6
REJECT --> 1

=================================
Candidate: CAN-1999-0509
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

Perl, sh, csh, or other shell interpreters are accessible on a WWW site.

VOTES:
ACCEPT(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0520
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical NETBIOS/SMB share has inappropriate access control.

VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt

COMMENTS:
Northcutt> I think we need to enumerate the shares and or the access control

=================================
Candidate: CAN-1999-0522
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
Reference: CERT:CA-96.10

The permissions for a system-critical NIS+ table (e.g. passwd) are
inappropriate.

VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt

COMMENTS:
Northcutt> Why not say world readable, this is what you do further down in the
Northcutt> file (world exportable in CAN-1999-0554)

=================================
Candidate: CAN-1999-0527
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

The permissions for system-critical data in an anonymous FTP account
are inappropriate. For example, the root directory is writeable by
world, a real password file is obtainable, or executable commands such
as "ls" can be overwritten.

VOTES:
ACCEPT(2) Wall, Northcutt

COMMENTS:
Northcutt> That that starts to get specific :)

=================================
Candidate: CAN-1999-0554
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

NFS exports system-critical data to the world, e.g. / or a password file.

VOTES:
ACCEPT(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0559
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical Unix file or directory has inappropriate permissions.

VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt

COMMENTS:
Northcutt> Writable other than by root/bin/wheelgroup?

=================================
Candidate: CAN-1999-0560
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical Windows NT file or directory has inappropriate permissions.

VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt

COMMENTS:
Northcutt> I think we should specify these

=================================
Candidate: CAN-1999-0569
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A URL for a WWW directory allows auto-indexing, which provides a list
of all files in that directory.
VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

COMMENTS:
Northcutt> I do this intentionally sometimes in high content directories

=================================
Candidate: CAN-1999-0587
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A WWW server is not running in a restricted file system, e.g. through
a chroot, thus allowing access to system-critical data.

VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt

COMMENTS:
Northcutt> While I would accept this for Unix, I am not sure this applies to NT,
Northcutt> VMS, palm pilots, or commodore 64

=================================
Candidate: CAN-1999-0591
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

An event log in Windows NT has inappropriate access permissions.

VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt

COMMENTS:
Northcutt> splain Lucy, splain

---------------------
CLUSTER NT-REGISTRY
---------------------

NT-REGISTRY (6 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

CF problems related to NT registry settings

Voters:
Wall      ACCEPT(6)
Northcutt RECAST(6)

<PROPOSED> --> 6
RECAST --> 6

=================================
Candidate: CAN-1999-0580
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate,
system-critical permissions.

VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt

COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.
=================================
Candidate: CAN-1999-0581
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate,
system-critical permissions.

VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt

COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.

=================================
Candidate: CAN-1999-0589
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical Windows NT registry key has inappropriate permissions.

VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt

COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.

=================================
Candidate: CAN-1999-0611
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical Windows NT registry key has an inappropriate value.

VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt

COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.

=================================
Candidate: CAN-1999-0664
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990803
Category: CF

An application-critical Windows NT registry key has inappropriate permissions.

VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt

COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.

=================================
Candidate: CAN-1999-0665
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990803
Category: CF

An application-critical Windows NT registry key has an inappropriate value.

VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt

COMMENTS:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
Northcutt> and see if you can't see a way to phrase specific keys in a way that
Northcutt> defines inappropriate.

---------------------
CLUSTER SA-LITTLE
---------------------

SA-LITTLE (5 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Presence of "little" services that are rarely necessary

Voters:
Wall      ACCEPT(3) NOOP(2)
Northcutt ACCEPT(1) REJECT(4)

<PROPOSED> --> 5
ACCEPT --> 1
REJECT --> 4

=================================
Candidate: CAN-1999-0635
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The echo service is running.

VOTES:
ACCEPT(2) Wall, Northcutt

COMMENTS:
Northcutt> The method to my madness is echo is the common denom in the dos attack

=================================
Candidate: CAN-1999-0636
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The discard service is running.

VOTES:
NOOP(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0637
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The systat service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0638
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The daytime service is running.

VOTES:
NOOP(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0639
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The chargen service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

---------------------
CLUSTER SA-ATTACK
---------------------

SA-ATTACK (10 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Presence of services that are common attack points

Voters:
Wall      ACCEPT(9) REJECT(1)
Northcutt REJECT(10)

<PROPOSED> --> 10
REJECT --> 10

=================================
Candidate: CAN-1999-0615
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The SNMP service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0620
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A component service related to NIS is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0630
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The NT Alerter and Messenger services are running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0633
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The HTTP/WWW service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0641
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The UUCP service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0645
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The IRC service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0646
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The LDAP service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0651
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The rsh/rlogin service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0653
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A component service related to NIS+ is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0659
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A Windows NT Primary Domain Controller (PDC) or Backup Domain
Controller (BDC) is present.

VOTES:
REJECT(2) Wall, Northcutt

COMMENTS:
Wall> Don't consider this a service or a problem.

---------------------
CLUSTER SA-HIST
---------------------

SA-HIST (13 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Presence of services with a history of problems

Voters:
Wall      ACCEPT(12) NOOP(1)
Northcutt REJECT(13)

<PROPOSED> --> 13
REJECT --> 13

=================================
Candidate: CAN-1999-0614
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The FTP service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0616
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The TFTP service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0617
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The SMTP service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0619
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The Telnet service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0621
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A component service related to NETBIOS is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0622
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A component service related to DNS service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0623
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The X Windows service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0631
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The NFS service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0632
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The RPC portmapper service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0634
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The SSH service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0642
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A POP service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0643
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The IMAP service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0657
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

WinGate is being used.

VOTES:
NOOP(1) Wall
REJECT(1) Northcutt

---------------------
CLUSTER SA-OTHER
---------------------

SA-OTHER (8 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Other SA candidates

Voters:
Wall      ACCEPT(5) NOOP(3)
Northcutt REJECT(8)

<PROPOSED> --> 8
REJECT --> 8

=================================
Candidate: CAN-1999-0640
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The Gopher service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0644
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The NNTP news service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0648
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The X25 service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0649
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The FSP service is running.

VOTES:
NOOP(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0650
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The netstat service is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0652
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A database service is running, e.g. a SQL server, Oracle, or mySQL.

VOTES:
NOOP(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0656
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The ugidd service is running.

VOTES:
NOOP(1) Wall
REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0658
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

DCOM is running.

VOTES:
ACCEPT(1) Wall
REJECT(1) Northcutt

---------------------
CLUSTER MPAN
---------------------

MPAN (4 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 8/3
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

MP/AN category candidates

Voters:
Wall      ACCEPT(4)
Northcutt ACCEPT(3) RECAST(1)

<PROPOSED> --> 4
ACCEPT --> 3
RECAST --> 1

=================================
Candidate: CAN-1999-0660
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: MP

A hacker utility or Trojan Horse is installed on a system, e.g. NetBus,
Back Orifice, Rootkit, etc.

VOTES:
ACCEPT(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0661
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: MP

A system is running a version of software that was replaced with a
Trojan Horse at its distribution point, e.g. TCP Wrappers, wuftpd, etc.

VOTES:
ACCEPT(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0662
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: AN

A system-critical program or library does not have the appropriate
patch, hotfix, or service pack installed, or is outdated or obsolete.

VOTES:
ACCEPT(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0663
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: AN

A system-critical program, library, or file has a checksum or other
integrity measurement that indicates that it has been modified.

VOTES:
ACCEPT(1) Wall
RECAST(1) Northcutt

COMMENTS:
Northcutt> This needs to be worded carefully.
Northcutt> 1. Rootkits evade checksum detection.
Northcutt> 2. The modification could be positive (a patch)

---------------------
CLUSTER MULT
---------------------

MULT (35 candidates)
--------------------
Proposed: 6/23
Scheduled Interim Decision: 7/5
Scheduled Final Decision: 7/9

Multiple executables split into

Voters:
Frech ACCEPT(11) MODIFY(19) RECAST(2) REVIEWING(2)

<PROPOSED> --> 34
ACCEPT --> 11
MODIFY --> 19
RECAST --> 2
REVIEWING --> 2

=================================
Candidate: CAN-1999-0009
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-bo
Reference: SUN:00180

Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.

VOTES:
ACCEPT(1) Frech

=================================
Candidate: CAN-1999-0010
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-dos

Denial of Service vulnerability in BIND 8 Releases via maliciously
formatted DNS messages.

VOTES:
ACCEPT(1) Frech

=================================
Candidate: CAN-1999-0011
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-dos
Reference: SUN:00180

Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via
CNAME record and zone transfer.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> Change XF reference to:
Frech> XF:bind-axfr-dos

=================================
Candidate: CAN-1999-0016
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: FreeBSD:FreeBSD-SA-98:01
Reference: XF:cisco-land
Reference: XF:land
Reference: XF:95-verv-tcp
Reference: XF:land-exploit
Reference: XF:land-patch
Reference: CISCO:http://www.cisco.com/warp/public/770/land-pub.shtml

Land IP denial of service

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> XF:ver-tcpip-sys (applies to a check, not a vulnerability, and is thus not
Frech> listed on website)
Frech> XF:land-exploit (obsolete, replaced by land)

=================================
Candidate: CAN-1999-0025
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.19.IRIX.df.buffer.overflow.vul
Reference: XF:df-bo

root privileges via buffer overflow in df command on SGI IRIX systems.

VOTES:
ACCEPT(1) Frech

=================================
Candidate: CAN-1999-0026
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.20.IRIX.pset.buffer.overflow.vul
Reference: XF:pset-bo

root privileges via buffer overflow in pset command on SGI IRIX systems.

VOTES:
ACCEPT(1) Frech

=================================
Candidate: CAN-1999-0027
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.21.IRIX.eject.buffer.overflow.vul
Reference: XF:eject-bo

root privileges via buffer overflow in eject command on SGI IRIX systems.

VOTES:
ACCEPT(1) Frech

=================================
Candidate: CAN-1999-0028
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.22.IRIX.login.scheme.buffer.overflow.vul

root privileges via buffer overflow in login/scheme command on SGI IRIX systems.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> XF:sgi-schemebo

=================================
Candidate: CAN-1999-0029
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.23-IRIX.ordist.buffer.overflow.vul
Reference: XF:ordist-bo

root privileges via buffer overflow in ordist command on SGI IRIX systems.

VOTES:
ACCEPT(1) Frech

=================================
Candidate: CAN-1999-0030
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul
Reference: XF:sgi-xlockbo
Reference: SGI:19970508-02-PX

root privileges via buffer overflow in xlock command on SGI IRIX systems.

VOTES:
RECAST(1) Frech

COMMENTS:
Frech> XF:xlock-bo (also add)
Frech> As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and
Frech> several Linii.
Frech> Also, don't you mean to cite SGI:19970502-02-PX? The one you list is
Frech> login/scheme.

=================================
Candidate: CAN-1999-0068
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-php-mylog

CGI PHP mylog script allows an attacker to read any file on the target server.

VOTES:
ACCEPT(1) Frech

=================================
Candidate: CAN-1999-0075
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:pasvcore

PASV core dump in FTP daemon

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> There is no pasvcore record; delete and add
Frech> XF:ftp-pasvcore

=================================
Candidate: CAN-1999-0076
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:ftp-args

Core dump from FTP arguments

VOTES:
ACCEPT(1) Frech

=================================
Candidate: CAN-1999-0092
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:006.1

Various vulnerabilities in the AIX portmir command allows local users
to obtain root access.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> XF:ibm-portmir

=================================
Candidate: CAN-1999-0101
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:001.1
Reference: SUN:00137
Reference: NAI:NAI-1

Buffer overflow in AIX and Solaris "gethostbyname" library call allows
root access through corrupt DNS host names.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> XF:ghbn-bo
Frech> in addition to ERS:1997:001.1, also include 1996:007.1
Frech> Sun's bulletin is 137a, not 137.

=================================
Candidate: CAN-1999-0124
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability
Reference: XF:gopher-vuln

Vulnerabilities in UMN gopher and gopher+ allow an intruder to read any
files that can be accessed by the gopher daemon.

VOTES:
ACCEPT(1) Frech

=================================
Candidate: CAN-1999-0126
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:VB-98.04.xterm.Xaw
Reference: CIAC:J-010

SGI IRIX buffer overflow in xterm and Xaw allows root access.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> XF:xfree86-xterm-xaw
Frech> XF:xfree86-xaw

=================================
Candidate: CAN-1999-0127
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.27.hp_sw_install
Reference: AUSCERT:AA-96.04
Reference: XF:hpux-swinstall

swinstall and swmodify commands in SD-UX package in HP-UX systems allow
local users to create or overwrite arbitrary files to gain root access.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> (keep current XF: reference, and add)
Frech> XF:hpux-sqwmodify

=================================
Candidate: CAN-1999-0138
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.12.suidperl_vul

The suidperl and sperl program do not give up root privileges when
changing UIDs back to the original users, allowing root access.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> XF:sperl-suid

=================================
Candidate: CAN-1999-0231
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF

Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages
using a long VRFY command, causing a denial of service and possibly
remote access.

VOTES:
RECAST(1) Frech

COMMENTS:
Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below)
Frech> XF:smtp-vrfy-bo (many mail packages)

=================================
Candidate: CAN-1999-0261
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF

Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> XF:chamelion-smtp-dos

=================================
Candidate: CAN-1999-0282
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.12.sun.loadmodule.vul

Vulnerabilities in loadmodule and modload programs in SunOS and OpenWindows

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> XF:sun-loadmodule
Frech> XF:sun-modload (CERT CA-93.18 very old!)

=================================
Candidate: CAN-1999-0284
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:smtp-helo-bo

Denial of service to NT mail servers including Ipswitch, Mdaemon, and
Exchange through a buffer overflow in the SMTP HELO command.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification)
Frech> XF:mdaemon-helo-bo
Frech> XF:lotus-notes-helo-crash
Frech> XF:slmail-helo-overflow
Frech> XF:smtp-helo-bo (mentions several products)
Frech> XF:smtp-exchangedos

=================================
Candidate: CAN-1999-0333
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK
Reference: XF:omniback-remote

Omniback allows remote execution of commands as root via spoofing, and
local users can gain root access via a symlink attack.

VOTES:
ACCEPT(1) Frech

=================================
Candidate: CAN-1999-0346
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF

CGI PHP mlog script allows an attacker to read any file on the target server.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> XF:http-cgi-php-mlog

=================================
Candidate: CAN-1999-0354
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:Jan27,1999
Reference: MS:MS99-002

Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of
Visual Basic programs to the IE client through the Word 97 template,
which doesn't warn the user that the template contains executable
content. Also applies to Outlook when the client views a malicious
email message.

VOTES:
REVIEWING(1) Frech

=================================
Candidate: CAN-1999-0368
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-99.03
Reference: NETECT:palmetto.ftpd

Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote
root access, a.k.a. palmetto.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> XF:palmetto-ftpd-bo

=================================
Candidate: CAN-1999-0415
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ISS:Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers

The Clickstart web server in Cisco 700 series routers allows remote
attackers to execute commands on the router, or perform information
gathering, without authentication.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> Reference: ISS:March11,1999 (consistent with cluster 1, CAN-1999-0008)
Frech> XF:cisco-router-commands
Frech> XF:cisco-web-config

=================================
Candidate: CAN-1999-0416
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ISS:Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers

The Clickstart web server in Cisco 700 series routers allows remote
attackers to perform a denial of service.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> Reference: ISS:March11,1999
Frech> XF:cisco-web-crash

=================================
Candidate: CAN-1999-0435
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9903-096

MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain
privileges through SAM.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> XF:hp-servicegaurd

=================================
Candidate: CAN-1999-0467
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-webcom-guestbook

The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a
remote attacker to read arbitrary files using the template key.

VOTES:
ACCEPT(1) Frech

=================================
Candidate: CAN-1999-0488
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-012

MSHTML.DLL in Internet Explorer allows a remote attacker to execute
security scripts in a different security context, using malicious URLs.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> XF:ie-mshtml-crossframe

=================================
Candidate: CAN-1999-0489
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-012

MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to read
the contents of a user's clipboard, aka untrusted scripted paste.

VOTES:
REVIEWING(1) Frech

COMMENTS:
Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a
Frech> clipboard in either.
Frech> I cannot proceed on this one without further clarification.

=================================
Candidate: CAN-1999-0490
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-012

MSHTML.DLL in Internet Explorer allows a remote attacker to learn
information about a local user's files.

VOTES:
MODIFY(1) Frech

COMMENTS:
Frech> XF:ie-scriplet-fileread