INTERIM DECISION: ACCEPT 37 various candidates (Final 9/24)
I have made an Interim Decision to ACCEPT the following 37 candidates,
which have at least 3 non-MITRE votes. I will make a Final Decision on
September 24.

The candidates come from the following clusters:

   7 CERT
   2 VEN-SUN
   2 VEN-HP
   2 VEN-BSD
   2 BUF
   2 ONEREF
   1 NOREFS
   6 MULT2
  12 DESIGN
   1 MORELOW

- Steve

=================================
Candidate: CAN-1999-0005
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990920-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.09.imapd
Reference: XF:imap-authenticate-bo
Reference: SUN:00177

Arbitrary command execution via IMAP buffer overflow in authentication
command.

Modifications:
  DESC Removed CERT reference from text

VOTES:
  ACCEPT(4) Hill, Shostack, Frech, Wall
  MODIFY(1) Christey
  REVIEWING(1) Northcutt

COMMENTS:
Northcutt> there are multiple similar exploits which may imply
Northcutt> multiple vulnerabilities
Christey> It's difficult to distinguish between this vulnerability and another
Christey> IMAP vulnerability via just the textual description. (The other
Christey> vulnerability is CVE-00042, not yet proposed as a candidate for some
Christey> odd reason). I had to reference the different CERT advisories to
Christey> distinguish between this candidate and CVE-00042. The X-Force
Christey> database says that "[the CVE-00042 vulnerability is in] the IMAP LOGIN
Christey> command whereas [CAN-1999-0005] affects the IMAP AUTHENTICATE
Christey> command." I propose modifying the description to say something to
Christey> this effect, though the typical analyst may still need to rely on the
Christey> references.

=================================
Candidate: CAN-1999-0012
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990920-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.04.Win32.WebServers
Reference: XF:nt-web8.3

Some web servers under Microsoft Windows allow remote attackers to
bypass access restrictions for files with long file names.

Modifications:
  ADDREF XF:XF:nt-web8.3

VOTES:
  ACCEPT(2) Wall, Ozancin
  MODIFY(1) Frech

COMMENTS:
Frech> XF:nt-web8.3

=================================
Candidate: CAN-1999-0014
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990920-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9801-075
Reference: SUN:00185
Reference: CERT:CA-98.02.CDE

Unauthorized privileged access or denial of service via dtappgather
program in CDE.

Modifications:
  ADDREF HP:HPSBUX9801-075

VOTES:
  ACCEPT(2) Hill, Wall
  MODIFY(1) Frech
  NOOP(2) Northcutt, Christey
  REJECT(1) Shostack

COMMENTS:
Shostack> we have insufficient data if a new CDE dtappgather bug
Shostack> comes out to determine if it's new or a re-invention.
Frech> Reference: XF:cde-dtappgather
Christey> ADDREF HP:HPSBUX9801-075

=================================
Candidate: CAN-1999-0017
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990920-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.27.FTP_bounce
Reference: XF:ftp-bounce
Reference: XF:ftp-privileged-port

FTP servers can allow an attacker to connect to arbitrary ports on
machines other than the FTP client, aka FTP bounce.

Modifications:
  DESC

VOTES:
  ACCEPT(3) Hill, Frech, Wall
  MODIFY(1) Northcutt
  NOOP(1) Shostack
  REVIEWING(1) Christey

COMMENTS:
Northcutt> the primary vulnerability is in some FTP server implementations
Northcutt> that allow this as opposed to the actual connecting to the ports
Christey> I think Steve Northcutt makes a good point. The description needs to
Christey> be modified.

=================================
Candidate: CAN-1999-0035
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: XF:ftp-ftpd
Reference: CERT:CA-97.16.ftpd
Reference: AUSCERT:AA-97.03

Race condition in signal handling routine in ftpd, allowing read/write
arbitrary files.

Modifications:
  ADDREF XF:ftp-ftpd

VOTES:
  ACCEPT(4) Frech, Shostack, Northcutt, Landfield

=================================
Candidate: CAN-1999-0052
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:08
Reference: XF:freebsd-ip-frag-dos

IP fragmentation denial of service in FreeBSD allows a remote attacker
to cause a crash.

Modifications:
  DESC specify nature of DoS
  ADDREF XF:freebsd-ip-frag-dos

VOTES:
  MODIFY(3) Northcutt, Shostack, Frech
  NOOP(2) Hill, Christey

COMMENTS:
Northcutt> Do we want to treat each instantiation of common attacks
Northcutt> separately for each OS? Fragmentation and denial of service is
Northcutt> not a freebsd specific issue, over the years we have seen:
Northcutt>
Northcutt> "Pathological" fragmentation where the second packet moves the pointer
Northcutt> negative and then we scribble on our stack, this is the teardrop
Northcutt> approach if I remember the exploit name correctly and uses UDP.
Northcutt>
Northcutt> We also have the classic memory wasting frag attack where they
Northcutt> send the first part and never finish, then send a new first
Northcutt> part and so on.
Northcutt>
Northcutt> I think frag attack was in the cisco set, if not it should be
Northcutt> there is a nice attack for IOS
Northcutt>
Northcutt> Then you have the how_do_you_handles such as Dug Song's
Northcutt> frag router to evade IDS systems and whatever the heck
Northcutt> this loki like thing that is all the rage for the last
Northcutt> 90 days or so.
Northcutt>
Northcutt> Recommend: MODIFY 52 so that the text blurb at least hints
Northcutt> why this is a unique case of mishandling frags OR create
Northcutt> general frag vulnerabilities.
Shostack> For denial of service attacks, we should distinguish between
Shostack> host availability, service, and CPU absorption DOS attacks.
Frech> Reference: XF:freebsd-ip-frag-dos
Christey> The best we can do in this case is rely on the references to
Christey> distinguish between this and other fragmentation problems, as
Christey> otherwise we'd need to provide very specific details which
Christey> would not help the general user to distinguish between
Christey> entries.

=================================
Candidate: CAN-1999-0053
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:07

TCP RST denial of service in FreeBSD

VOTES:
  ACCEPT(2) Northcutt, Hill
  MODIFY(1) Shostack
  REVIEWING(1) Frech

COMMENTS:
Shostack> For denial of service attacks, we should distinguish between
Shostack> host availability, service, and CPU absorption DOS attacks.

=================================
Candidate: CAN-1999-0055
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00172
Reference: AIXAPAR:IX80543
Reference: RSI:RSI.0005.05-14-98.SUN.LIBNSL
Reference: XF:sun-libnsl

Buffer overflows in Sun libnsl allow root access.

Modifications:
  ADDREF AIXAPAR:IX80543

VOTES:
  ACCEPT(2) Northcutt, Frech
  MODIFY(1) Prosser

COMMENTS:
Prosser> This vulnerability also affects other OSes, i.e. AIX 4.3 that have
Prosser> ported versions of Sun's libnsl.a
Prosser> ref: IBM AIX RS6000 APAR number IX80543

=================================
Candidate: CAN-1999-0057
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: NAI:NAI-19
Reference: XF:vacation
Reference: HP:HPSBUX9811-087

Vacation program allows command execution by remote users through a
sendmail command.

Modifications:
  DELREF SNI:SNI-19
  ADDREF NAI:NAI-19
  COMMENT NAI-19 is the right one... SNI-19 is different than NAI-19!

VOTES:
  ACCEPT(2) Frech, Hill
  MODIFY(1) Shostack
  NOOP(1) Northcutt

COMMENTS:
Shostack> Problem 1: SNI-19 is SNI-19.BSD.lpd.vulnerabilities update according
Shostack> to http://geek-girl.com/bugtraq/1997_4/0106.html
Shostack>
Shostack> Problem 2: Wording is unclear. Is this a vacation problem, a
Shostack> .vacation problem, or a sendmail problem?

=================================
Candidate: CAN-1999-0065
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00181
Reference: XF:hp-dtmail

Multiple buffer overflows in how dtmail handles attachments allows a
remote attacker to execute commands.

Modifications:
  DESC Clarify multiple overflows

VOTES:
  ACCEPT(2) Northcutt, Frech
  MODIFY(1) Prosser

COMMENTS:
Prosser> This is a multiple buffer overflow vulnerability in Sun's CDE in how
Prosser> dtmail handles attachments.

=================================
Candidate: CAN-1999-0074
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:seqport

Listening TCP ports are sequentially allocated, allowing spoofing
attacks.

VOTES:
  ACCEPT(5) Wall, Northcutt, Baker, Ozancin, Frech

=================================
Candidate: CAN-1999-0077
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SF

Predictable TCP sequence numbers allow spoofing.

Modifications:
  DESC as recommended by Steve Northcutt

VOTES:
  ACCEPT(3) Wall, Baker, Ozancin
  MODIFY(1) Frech
  RECAST(1) Northcutt

COMMENTS:
Northcutt> Predictable TCP sequence numbers allow spoofing - is how I would phrase this
Frech> XF:tcp-seq-predict

=================================
Candidate: CAN-1999-0079
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-pasv-dos
Reference: XF:ftp-pasvdos

Remote attackers can cause a denial of service in FTP by issuing
multiple PASV commands, causing the server to run out of available
ports.

VOTES:
  ACCEPT(3) Northcutt, Shostack, Frech

=================================
Candidate: CAN-1999-0103
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.01.UDP_service_denial
Reference: XF:echo
Reference: XF:chargen
Reference: XF:chargen-patch

Echo and chargen, or other combinations of UDP services, can be used in
tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.

Modifications:
  ADDREF XF:echo
  ADDREF XF:mssql-nt-chargen
  ADDREF XF:chargen

VOTES:
  ACCEPT(4) Wall, Northcutt, Baker, Ozancin
  MODIFY(1) Frech

COMMENTS:
Frech> XF:echo
Frech> XF:mssql-nt-chargen
Frech> XF:chargen

=================================
Candidate: CAN-1999-0108
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:another day, another buffer overflow...
Reference: XF:printers-bo

The printers program in IRIX has a buffer overflow that gives root
access to local users.

Modifications:
  ADDREF BUGTRAQ:another day, another buffer overflow...
  ADDREF XF:printers-bo

VOTES:
  ACCEPT(2) Northcutt, Hill
  MODIFY(2) Prosser, Frech
  NOOP(1) Christey

COMMENTS:
Prosser> believe this is the IRIX netprint BO in /usr/sbin/printers,
Prosser> ref'd in SGI Security Bulletin 19961203-02-PX and on Bugtraq "Another
Prosser> day, another buffer overflow" by David Hedley. Can't be sure based on the
Prosser> description and lack of ref here.
Frech> XF:printers-bo
Christey> The document that Mike Prosser references discusses "netprint"
Christey> and was released in December 1996. The Bugtraq article was
Christey> posted May 27, 1999 and makes no reference to netprint.
Christey> Therefore the two are different problems.

=================================
Candidate: CAN-1999-0111
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:rip

RIP v1 is susceptible to spoofing

Modifications:
  ADDREF XF:rip

VOTES:
  ACCEPT(3) Northcutt, Baker, Ozancin
  MODIFY(1) Frech
  NOOP(1) Wall

COMMENTS:
Frech> XF:rip
Frech> XF:decod-rip-addentry
Frech> XF:decod-rip-timeout
Frech> XF:decod-rip-metricchng

=================================
Candidate: CAN-1999-0113
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: CERT:CA-94.09.bin.login.vulnerability
Reference: XF:rlogin-froot

Some implementations of rlogin would allow root access if given a
-froot parameter.

Modifications:
  ADDREF XF:rlogin-froot

VOTES:
  ACCEPT(2) Northcutt, Shostack
  MODIFY(1) Frech

COMMENTS:
Frech> XF:rlogin-froot

=================================
Candidate: CAN-1999-0116
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.21.tcp_syn.flooding
Reference: SGI:19961202-01-PX
Reference: SUN:00136

Denial of service when an attacker sends many SYN packets to create
multiple connections without ever sending an ACK to complete the
connection, aka SYN flood.

Modifications:
  ADDREF XF:synflood
  DESC spell out a bit more per Baker's suggestion

VOTES:
  ACCEPT(3) Wall, Northcutt, Ozancin
  MODIFY(2) Baker, Frech

COMMENTS:
Baker> We sort of explain most vulnerabilities, at least to a minimum degree.
Baker> To remain consistent, we should have some detail of this one too.
Baker> Something like -
Baker> A destination system that fails to receive an ACK signal, after replying
Baker> to a SYN packet with a SYN/ACK packet, has reserved memory for the TCP
Baker> connection state until the connection times out. Multiple rapid
Baker> occurrences of these initial SYN packets that remain unacknowledged will
Baker> result in a denial of service when the maximum number of TCP connections
Baker> has been reached (SYN Flood).
Frech> XF:synflood

=================================
Candidate: CAN-1999-0129
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.25.sendmail_groups

Sendmail allows local users to write to a file and gain group
permissions via a .forward or :include: file.

VOTES:
  ACCEPT(4) Northcutt, Hill, Shostack, Wall
  REVIEWING(1) Frech

COMMENTS:
Frech> PENDING. NEEDS RESEARCH.

=================================
Candidate: CAN-1999-0166
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nfs-cd

NFS allowed users to use a "cd .." command to access other directories
besides the exported file system.

VOTES:
  ACCEPT(3) Northcutt, Shostack, Frech

=================================
Candidate: CAN-1999-0168
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:nfs-portmap

The portmapper may act as a proxy and redirect service requests from an
attacker, making the request appear to come from the local host,
possibly bypassing authentication that would otherwise have taken
place. For example, NFS file systems could be mounted through the
portmapper despite export restrictions.

VOTES:
  ACCEPT(4) Wall, Northcutt, Baker, Ozancin
  MODIFY(1) Frech

COMMENTS:
Frech> Keep above reference, but also add these references:
Frech> XF:decod-portmap-call

=================================
Candidate: CAN-1999-0170
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nfs-ultrix

Remote attackers can mount an NFS file system in Ultrix or OSF, even if
it is denied on the access list.

VOTES:
  ACCEPT(3) Northcutt, Shostack, Frech

=================================
Candidate: CAN-1999-0181
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:walld

The wall daemon can be used for denial of service, social engineering
attacks, or to execute remote commands.

VOTES:
  ACCEPT(4) Northcutt, Baker, Ozancin, Frech
  NOOP(1) Wall

=================================
Candidate: CAN-1999-0184
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:dns-updates

When compiled with the -DALLOW_UPDATES option, bind allows dynamic
updates to the DNS server, allowing for malicious modification of DNS
records.

VOTES:
  ACCEPT(4) Northcutt, Baker, Ozancin, Frech
  NOOP(1) Wall

=================================
Candidate: CAN-1999-0201
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-home

A quote cwd command on FTP servers can reveal the full path of the home
directory of the "ftp" user.

VOTES:
  ACCEPT(3) Northcutt, Shostack, Frech

=================================
Candidate: CAN-1999-0207
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: XF:majordomo-exe
Reference: CERT:CA-94.11.majordomo.vulnerabilities

Remote attacker can execute commands through Majordomo using the
Reply-To field and a "lists" command.

VOTES:
  ACCEPT(4) Northcutt, Hill, Shostack, Wall
  REVIEWING(1) Frech

COMMENTS:
Frech> PENDING. NEEDS RESEARCH.

=================================
Candidate: CAN-1999-0214
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:icmp-unreachable

Denial of service by sending forged ICMP unreachable packets.

Modifications:
  ADDREF XF:icmp-unreachable

VOTES:
  ACCEPT(4) Wall, Northcutt, Baker, Ozancin
  MODIFY(1) Frech

COMMENTS:
Frech> XF:icmp-unreachable

=================================
Candidate: CAN-1999-0227
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: MSKB:Q154087
Reference: XF:nt-lsass-crash

Access violation in Lsass.exe (LSA/LSARPC) program in Windows NT allows
a denial of service.

Modifications:
  DESC Update per Wall's suggestions
  ADDREF MSKB:Q154087
  ADDREF XF:nt-lsass-crash

VOTES:
  ACCEPT(1) Shostack
  MODIFY(1) Wall
  NOOP(1) Northcutt
  RECAST(1) Frech

COMMENTS:
Wall> Access violation in LSASS.EXE affecting the Local Security
Wall> Authority (LSA) in Windows NT can cause denial of service.
Wall> Source is Microsoft Knowledge Base Article Q 154057 - "Access Violation in
Wall> LSASS.EXE Due to Incorrect Buffer Size"
Frech> Ambiguous description; either:
Frech> XF:nt-lsass-crash

=================================
Candidate: CAN-1999-0251
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:talkd-flash

Denial of service in talk program allows remote attackers to disrupt a
user's display.

VOTES:
  ACCEPT(3) Northcutt, Shostack, Frech

=================================
Candidate: CAN-1999-0321
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sun-kcms-configure-bo

Buffer overflow in Solaris kcms_configure command allows local users to
gain root access.

VOTES:
  ACCEPT(4) Northcutt, Shostack, Baker, Frech
  MODIFY(1) Prosser
  NOOP(1) Christey

COMMENTS:
Prosser> source is CERT Advisory CERT CA-96.15, AusCERT Alert AL
Prosser> 96-02
Christey> This is different than CAN-1999-0136, which has the
Christey> CERT/AusCERT references indicated by Mike.

=================================
Candidate: CAN-1999-0335
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:lpr-bsd-lprbo

Buffer overflow in BSD and linux lpr command allows local users to
execute commands as root through the classification option.

VOTES:
  ACCEPT(3) Northcutt, Shostack, Baker
  MODIFY(2) Prosser, Frech

COMMENTS:
Prosser> reference: AUSCERT Advisory AA-96.12
Frech> Remove current reference, replace with
Frech> XF: bsd-lprbo

=================================
Candidate: CAN-1999-0351
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: INFOWAR:01

FTP PASV "Pizza Thief" denial of service and unauthorized data access.
Attackers can steal data by connecting to a port that was intended for
use by a client.

VOTES:
  ACCEPT(4) Wall, Northcutt, Baker, Ozancin
  MODIFY(1) Frech
  NOOP(1) Christey

COMMENTS:
Frech> XF:ftp-pasv-dos for the denial of service only.
Frech> Possibly ftp-pasvcore, based on the data access aspect.
Christey> Neither of Andre's suggestions match - this problem was
Christey> announced Feb. 1999. See
Christey> http://www.infowar.com/iwftp/iw_sec/iw_sec.shtml for a
Christey> description.

=================================
Candidate: CAN-1999-0373
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990905-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ISS:Buffer Overflow in "Super" package in Debian Linux
Reference: XF:linux-super-bo
Reference: XF:linux-super-logging-bo

Buffer overflow in the "Super" utility in Debian Linux and other
operating systems allows local users to execute commands as root.

Modifications:
  ADDREF XF:linux-super-bo
  ADDREF XF:linux-super-logging-bo

VOTES:
  ACCEPT(3) Northcutt, Hill, Prosser
  MODIFY(1) Frech

COMMENTS:
Frech> Change ISS:Feb15,1999
Frech> XF:linux-super-bo
Frech> XF:linux-super-logging-bo

=================================
Candidate: CAN-1999-0377
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb22,1999

Process table attack in Unix systems allows a remote attacker to
perform a denial of service by filling a machine's process tables
through multiple connections to network services.

VOTES:
  ACCEPT(4) Wall, Northcutt, Baker, Ozancin
  REVIEWING(1) Frech

COMMENTS:
Northcutt> Have we done the one about max connections to inetd over a
Northcutt> finite time frame?

=================================
Candidate: CAN-1999-0414
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: NAI:Linux Blind TCP Spoofing
Reference: XF:linux-blind-spoof

In Linux before version 2.0.36, remote attackers can spoof a TCP
connection and pass data to the application layer before fully
establishing the connection.

Modifications:
  ADDREF XF:linux-blind-spoof

VOTES:
  ACCEPT(3) Northcutt, Baker, Ozancin
  MODIFY(1) Frech
  NOOP(1) Wall

COMMENTS:
Frech> XF:linux-blind-spoof

=================================
Candidate: CAN-1999-0513
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990607
Assigned: 19990607
Category: CF
Reference: CERT:CA-98.01.smurf
Reference: FreeBSD:FreeBSD-SA-98:06
Reference: XF:smurf

ICMP messages to broadcast addresses are allowed, allowing for a Smurf
attack that can cause a denial of service.

VOTES:
  ACCEPT(4) Hill, Shostack, Frech, Wall
  MODIFY(1) Northcutt
  REVIEWING(1) Christey

COMMENTS:
Northcutt> If you put it this way then ping mapping becomes part of smurf. I
Northcutt> would consider calling the vulnerability ICMP to broadcast addresses
Northcutt> and in the text state allowing for a Smurf denial of service or ICMP
Northcutt> ping mapping to acquire intelligence data about a network.
Christey> This one is an interesting case. As Steve noted, this configuration
Christey> problem could allow for ping mapping as well. I think the distinction
Christey> is that for Smurf, there's a forged source IP address, and that's
Christey> generally not the case when you're doing ping mapping. So do we have
Christey> a single vulnerability (ICMP to broadcast) with 2 separate
Christey> implications? Or, do we have two separate vulnerabilities, where one
Christey> accounts for the "design flaw" of spoofed IP addresses and another one
Christey> is a vulnerability because it allows information gathering?

=================================
Candidate: CAN-1999-0551
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990617
Assigned: 19990607
Category: CF
Reference: HP:HPSBUX9804-078
Reference: XF:hp-openmail

HP OpenMail can be misconfigured to allow users to run arbitrary
commands using malicious print requests.

VOTES:
  ACCEPT(2) Frech, Hill
  NOOP(1) Northcutt
  REVIEWING(1) Shostack

COMMENTS:
Shostack> Question: Is this run arbitrary commands as root...?