[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

INTERIM DECISION: ACCEPT 37 various candidates (Final 9/24)

I have made an Interim Decision to ACCEPT the following 37 candidates,
which have at least 3 non-MITRE votes.  I will make a Final Decision
on September 24.

The candidates come from the following clusters:

   7 CERT
   2 VEN-SUN
   2 VEN-HP
   2 VEN-BSD
   2 BUF
   2 ONEREF
   1 NOREFS
   6 MULT2
  12 DESIGN
   1 MORELOW


- Steve

=================================
Candidate: CAN-1999-0005
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990920-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.09.imapd
Reference: XF:imap-authenticate-bo
Reference: SUN:00177

Arbitrary command execution via IMAP buffer overflow in authentication
command.

Modifications:
  DESC Removed CERT reference from text

VOTES:
   ACCEPT(4) Hill, Shostack, Frech, Wall
   MODIFY(1) Christey
   REVIEWING(1) Northcutt

COMMENTS:
 Northcutt> there are multiple similar exploits which may imply
 Northcutt> multiple vulnerabilties
 Christey> It's difficult to distinguish between this vulnerability and another
 Christey> IMAP vulnerability via just the textual description.  (The other
 Christey> vulnerability is CVE-00042, not yet proposed as a candidate for some
 Christey> odd reason).  I had to reference the different CERT advisories to
 Christey> distinguish between this candidate and CVE-00042.  The X-Force
 Christey> database says that "[the CVE-00042 vulnerability is in] the IMAP LOGIN
 Christey> command whereas [CAN-1999-0005] affects the IMAP AUTHENTICATE
 Christey> command."  I propose modifying the description to say something to
 Christey> this effect, though the typical analyst may still need to rely on the
 Christey> references.


=================================
Candidate: CAN-1999-0012
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990920-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.04.Win32.WebServers
Reference: XF:nt-web8.3

Some web servers under Microsoft Windows allow remote attackers
to bypass access restrictions for files with long file names.

Modifications:
  ADDREF XF:XF:nt-web8.3

VOTES:
   ACCEPT(2) Wall, Ozancin
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:nt-web8.3


=================================
Candidate: CAN-1999-0014
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990920-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9801-075
Reference: SUN:00185
Reference: CERT:CA-98.02.CDE

Unauthorized privileged access or denial of service via dtappgather
program in CDE.

Modifications:
  ADDREF HP:HPSBUX9801-075

VOTES:
   ACCEPT(2) Hill, Wall
   MODIFY(1) Frech
   NOOP(2) Northcutt, Christey
   REJECT(1) Shostack

COMMENTS:
 Shostack> we have insufficient data if a new CDE dtappgather bug
 Shostack> comes out to determine if its new or a re-invention.
 Frech> Reference: XF:cde-dtappgather
 Christey> ADDREF HP:HPSBUX9801-075


=================================
Candidate: CAN-1999-0017
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990920-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.27.FTP_bounce
Reference: XF:ftp-bounce
Reference: XF:ftp-privileged-port

FTP servers can allow an attacker to connect to arbitrary ports on
machines other than the FTP client, aka FTP bounce.

Modifications:
  DESC

VOTES:
   ACCEPT(3) Hill, Frech, Wall
   MODIFY(1) Northcutt
   NOOP(1) Shostack
   REVIEWING(1) Christey

COMMENTS:
 Northcutt> the primary vulnerability is in some FTP server implementations
 Northcutt> that allow this as opposed to the actual connecting to the ports
 Christey> I think Steve Northcutt makes a good point.  The description needs to
 Christey> be modified.


=================================
Candidate: CAN-1999-0035
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: XF:ftp-ftpd
Reference: CERT:CA-97.16.ftpd
Reference: AUSCERT:AA-97.03

Race condition in signal handling routine in ftpd, allowing read/write
arbitrary files.

Modifications:
  ADDREF XF:ftp-ftpd

VOTES:
   ACCEPT(4) Frech, Shostack, Northcutt, Landfield


=================================
Candidate: CAN-1999-0052
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:08
Reference: XF:freebsd-ip-frag-dos

IP fragmentation denial of service in FreeBSD allows a remote attacker
to cause a crash.

Modifications:
  DESC specify nature of DoS
  ADDREF XF:freebsd-ip-frag-dos

VOTES:
   MODIFY(3) Northcutt, Shostack, Frech
   NOOP(2) Hill, Christey

COMMENTS:
 Northcutt> Do we want to treat each instantiation of common attacks
 Northcutt> separately for each OS?  Fragmentation and denial of service is
 Northcutt> not a freebsd specific issue, over the years we have seen:
 Northcutt>
 Northcutt> "Pathological" fragmentation where the second packet move the pointer
 Northcutt> negative and then we scribble on our stack, this is the teardrop
 Northcutt> approach if I remember the exploit name correctly and uses UDP.
 Northcutt>
 Northcutt> We also have the classic memory wasting frag attack where they
 Northcutt> send the first part and never finish, then send a new first
 Northcutt> part and so on.
 Northcutt>
 Northcutt> I think frag attack was in the cisco set, if not it should be
 Northcutt> there is a nice attack for IOS
 Northcutt>
 Northcutt> Then you have the how_do_you_handles such as Dug Song's
 Northcutt> frag router to evade IDS systems and whatever the heck
 Northcutt> this loki like thing that is all the rage for the last
 Northcutt> 90 days or so.
 Northcutt>
 Northcutt> Recommend: MODIFY 52 so that the text blurb at least hints
 Northcutt> why this is a unique case of mishandling frags OR create
 Northcutt> general frag vulnerabilities.
 Shostack> For denial of service attacks, we should distinguish between
 Shostack> host availability, service, and CPU absorbtion DOS attacks.
 Frech> Reference: XF:freebsd-ip-frag-dos
 Christey> The best we can do in this case is rely on the references to
 Christey> distinguish between this and other fragmentation problems, as
 Christey> otherwise we'd need to provide very specific details which
 Christey> would not help the general user to distinguish between
 Christey> entries.


=================================
Candidate: CAN-1999-0053
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:07

TCP RST denial of service in FreeBSD

VOTES:
   ACCEPT(2) Northcutt, Hill
   MODIFY(1) Shostack
   REVIEWING(1) Frech

COMMENTS:
 Shostack> For denial of service attacks, we should distinguish between
 Shostack> host availability, service, and CPU absorbtion DOS attacks.


=================================
Candidate: CAN-1999-0055
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00172
Reference: AIXAPAR:IX80543
Reference: RSI:RSI.0005.05-14-98.SUN.LIBNSL
Reference: XF:sun-libnsl

Buffer overflows in Sun libnsl allow root access.

Modifications:
  ADDREF AIXAPAR:IX80543

VOTES:
   ACCEPT(2) Northcutt, Frech
   MODIFY(1) Prosser

COMMENTS:
 Prosser> This vulnerability also affects other OSes, i.e. AIX 4.3 that have
 Prosser> ported versions of Sun's libnsl.a
 Prosser> ref: IBM AIX RS6000 APAR number IX80543


=================================
Candidate: CAN-1999-0057
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: NAI:NAI-19
Reference: XF:vacation
Reference: HP:HPSBUX9811-087

Vacation program allows command execution by remote users through
a sendmail command.

Modifications:
  DELREF SNI:SNI-19
  ADDREF NAI:NAI-19
  COMMENT NAI-19 is the right one...  SNI-19 is different than NAI-19!

VOTES:
   ACCEPT(2) Frech, Hill
   MODIFY(1) Shostack
   NOOP(1) Northcutt

COMMENTS:
 Shostack> Problem 1: SNI-19 is SNI-19.BSD.lpd.vulnerabilities update according
 Shostack> to http://geek-girl.com/bugtraq/1997_4/0106.html
 Shostack>
 Shostack> Problem 2: Wording is unclear.  Is this a vacation problem, a
 Shostack> .vacation problem, or a sendmail problem?


=================================
Candidate: CAN-1999-0065
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00181
Reference: XF:hp-dtmail

Multiple buffer overflows in how dtmail handles attachments allows a
remote attacker to execute commands.

Modifications:
  DESC Clarify multiple overflows

VOTES:
   ACCEPT(2) Northcutt, Frech
   MODIFY(1) Prosser

COMMENTS:
 Prosser> This is a multiple buffer overflow vulnerability in Sun's CDE in how
 Prosser> dtmail handles attachments.


=================================
Candidate: CAN-1999-0074
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:seqport

Listening TCP ports are sequentially allocated, allowing spoofing
attacks.

VOTES:
   ACCEPT(5) Wall, Northcutt, Baker, Ozancin, Frech


=================================
Candidate: CAN-1999-0077
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SF

Predictable TCP sequence numbers allow spoofing.

Modifications:
  DESC as recommended by Steve Northcutt

VOTES:
   ACCEPT(3) Wall, Baker, Ozancin
   MODIFY(1) Frech
   RECAST(1) Northcutt

COMMENTS:
 Northcutt> Predictable TCP sequence numbers allow spoofing - is how I would phrase this
 Frech> XF:tcp-seq-predict


=================================
Candidate: CAN-1999-0079
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-pasv-dos
Reference: XF:ftp-pasvdos

Remote attackers can cause a denial of service in FTP by issuing
multiple PASV commands, causing the server to run out of available
ports.

VOTES:
   ACCEPT(3) Northcutt, Shostack, Frech


=================================
Candidate: CAN-1999-0103
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.01.UDP_service_denial
Reference: XF:echo
Reference: XF:chargen
Reference: XF:chargen-patch

Echo and chargen, or other combinations of UDP services, can be used
in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.

Modifications:
  ADDREF XF:echo
  ADDREF XF:mssql-nt-chargen
  ADDREF XF:chargen

VOTES:
   ACCEPT(4) Wall, Northcutt, Baker, Ozancin
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:echo
 Frech> XF:mssql-nt-chargen
 Frech> XF:chargen


=================================
Candidate: CAN-1999-0108
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:another day, another buffer overflow...
Reference: XF:printers-bo

The printers program in IRIX has a buffer overflow that gives root
access to local users.

Modifications:
  ADDREF BUGTRAQ:another day, another buffer overflow...
  ADDREF XF:printers-bo

VOTES:
   ACCEPT(2) Northcutt, Hill
   MODIFY(2) Prosser, Frech
   NOOP(1) Christey

COMMENTS:
 Prosser> believe this is the IRIX netprint BO in /usr/sbin/printers,
 Prosser> ref'd in SGI Security Bulletin 19961203-02-PX and on Bugtraq "Another
 Prosser> day,another buffer overflow by David Hedley.  Can't be sure based on the
 Prosser> description and lack of ref here.
 Frech> XF:printers-bo
 Christey> The document that Mike Prosser references discusses "netprint"
 Christey> and was released in December 1996.  The Bugtraq article was
 Christey> posted May 27, 1999 and makes no reference to netprint.
 Christey> Therefore the two are different problems.


=================================
Candidate: CAN-1999-0111
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:rip

RIP v1 is susceptible to spoofing

Modifications:
  ADDREF XF:rip

VOTES:
   ACCEPT(3) Northcutt, Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

COMMENTS:
 Frech> XF:rip
 Frech> XF:decod-rip-addentry
 Frech> XF:decod-rip-timeout
 Frech> XF:decod-rip-metricchng


=================================
Candidate: CAN-1999-0113
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: CERT:CA-94.09.bin.login.vulnerability
Reference: XF:rlogin-froot

Some implementations of rlogin would allow root access if given a
-froot parameter.

Modifications:
  ADDREF XF:rlogin-froot

VOTES:
   ACCEPT(2) Northcutt, Shostack
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:rlogin-froot


=================================
Candidate: CAN-1999-0116
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.21.tcp_syn.flooding
Reference: SGI:19961202-01-PX
Reference: SUN:00136

Denial of service when an attacker sends many SYN packets to create
multiple connections without ever sending an ACK to complete the
connection, aka SYN flood.

Modifications:
  ADDREF XF:synflood
  DESC spell out a bit more per Baker's suggestion

VOTES:
   ACCEPT(3) Wall, Northcutt, Ozancin
   MODIFY(2) Baker, Frech

COMMENTS:
 Baker> We sort of explain most vulnerabilities, at least to a minimum degree.
 Baker> To remain consistent, we should have some detail of this one too.
 Baker> Something like -
 Baker> A destination system that fails to receive an ACK signal, after replying
 Baker> to a SYN packet with a SYN/ACK packet, has reserved memory for the TCP
 Baker> connection state until the connection times out.  Multiple rapid
 Baker> occurrences of these initial SYN packets that remain unacknowledged will
 Baker> result in a denial of service when the maximum number of TCP connections
 Baker> has been reached (SYN Flood).
 Frech> XF:synflood


=================================
Candidate: CAN-1999-0129
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.25.sendmail_groups

Sendmail allows local users to write to a file and gain group
permissions via a .forward or :include: file.

VOTES:
   ACCEPT(4) Northcutt, Hill, Shostack, Wall
   REVIEWING(1) Frech

COMMENTS:
 Frech> PENDING. NEEDS RESEARCH.


=================================
Candidate: CAN-1999-0166
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nfs-cd

NFS allowed users to use a "cd .." command to access other directories
besides the exported file system.

VOTES:
   ACCEPT(3) Northcutt, Shostack, Frech


=================================
Candidate: CAN-1999-0168
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:nfs-portmap

The portmapper may act as a proxy and redirect service requests from
an attacker, making the request appear to come from the local host,
possibly bypassing authentication that would otherwise have taken
place.  For example, NFS file systems could be mounted through the
portmapper despite export restrictions.

VOTES:
   ACCEPT(4) Wall, Northcutt, Baker, Ozancin
   MODIFY(1) Frech

COMMENTS:
 Frech> Keep above reference, but also add these references:
 Frech> XF:decod-portmap-call


=================================
Candidate: CAN-1999-0170
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nfs-ultrix

Remote attackers can mount an NFS file system in Ultrix or OSF, even
if it is denied on the access list.

VOTES:
   ACCEPT(3) Northcutt, Shostack, Frech


=================================
Candidate: CAN-1999-0181
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:walld

The wall daemon can be used for denial of service, social engineering
attacks, or to execute remote commands.

VOTES:
   ACCEPT(4) Northcutt, Baker, Ozancin, Frech
   NOOP(1) Wall


=================================
Candidate: CAN-1999-0184
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:dns-updates

When compiled with the -DALLOW_UPDATES option, bind allows dynamic
updates to the DNS server, allowing for malicious modification of DNS
records.

VOTES:
   ACCEPT(4) Northcutt, Baker, Ozancin, Frech
   NOOP(1) Wall


=================================
Candidate: CAN-1999-0201
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-home

A quote cwd command on FTP servers can reveal the full path of the
home directory of the "ftp" user.

VOTES:
   ACCEPT(3) Northcutt, Shostack, Frech


=================================
Candidate: CAN-1999-0207
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: XF:majordomo-exe
Reference: CERT:CA-94.11.majordomo.vulnerabilities

Remote attacker can execute commands through Majordomo using the
Reply-To field and a "lists" command.

VOTES:
   ACCEPT(4) Northcutt, Hill, Shostack, Wall
   REVIEWING(1) Frech

COMMENTS:
 Frech> PENDING. NEEDS RESEARCH.


=================================
Candidate: CAN-1999-0214
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:icmp-unreachable

Denial of service by sending forged ICMP unreachable packets.

Modifications:
  ADDREF XF:icmp-unreachable

VOTES:
   ACCEPT(4) Wall, Northcutt, Baker, Ozancin
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:icmp-unreachable


=================================
Candidate: CAN-1999-0227
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: MSKB:Q154087
Reference: XF:nt-lsass-crash

Access violation in Lsass.exe (LSA/LSARPC) program in Windows NT
allows a denial of service.

Modifications:
  DESC Update per Wall's suggestions
  ADDREF MSKB:Q154087
  ADDREF XF:nt-lsass-crash

VOTES:
   ACCEPT(1) Shostack
   MODIFY(1) Wall
   NOOP(1) Northcutt
   RECAST(1) Frech

COMMENTS:
 Wall> Access violation in LSASS.EXE affecting the Local Security
 Wall> Authority (LSA)in Windows NT can cause denial of service.
 Wall> Source is Microsoft Knowledge Base Article Q 154057 - "Access Violation in
 Wall> LSASS.EXE Due to Incorrect Buffer Size"
 Frech> Ambiguous description; either:
 Frech> XF:nt-lsass-crash


=================================
Candidate: CAN-1999-0251
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:talkd-flash

Denial of service in talk program allows remote attackers to
disrupt a user's display.

VOTES:
   ACCEPT(3) Northcutt, Shostack, Frech


=================================
Candidate: CAN-1999-0321
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sun-kcms-configure-bo

Buffer overflow in Solaris kcms_configure command allows local users
to gain root access.

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   MODIFY(1) Prosser
   NOOP(1) Christey

COMMENTS:
 Prosser> source is CERT Advisory CERT CA-96.15, AusCERT Alert AL
 Prosser> 96-02
 Christey> This is different than CAN-1999-0136, which has the
 Christey> CERT/AusCERT references indicated by Mike.


=================================
Candidate: CAN-1999-0335
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:lpr-bsd-lprbo

Buffer overflow in BSD and linux lpr command allows local users to
execute commands as root through the classification option.

VOTES:
   ACCEPT(3) Northcutt, Shostack, Baker
   MODIFY(2) Prosser, Frech

COMMENTS:
 Prosser> reference:  AUSCERT Advisory AA-96.12
 Frech> Remove current reference, replace with
 Frech> XF: bsd-lprbo


=================================
Candidate: CAN-1999-0351
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: INFOWAR:01

FTP PASV "Pizza Thief" denial of service and unauthorized data
access.  Attackers can steal data by connecting to a port that was
intended for use by a client.

VOTES:
   ACCEPT(4) Wall, Northcutt, Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Christey

COMMENTS:
 Frech> XF:ftp-pasv-dos for the denial of service only.
 Frech> Possibly ftp-pasvcore, based on the data access aspect.
 Christey> Neither of Andre's suggestions match - this problem was
 Christey> announced Feb. 1999.  See
 Christey> http://www.infowar.com/iwftp/iw_sec/iw_sec.shtml for a
 Christey> description.


=================================
Candidate: CAN-1999-0373
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990905-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ISS:Buffer Overflow in "Super" package in Debian Linux
Reference: XF:linux-super-bo
Reference: XF:linux-super-logging-bo

Buffer overflow in the "Super" utility in Debian Linux and other
operating systems allows local users to execute commands as root.

Modifications:
  ADDREF XF:linux-super-bo
  ADDREF XF:linux-super-logging-bo

VOTES:
   ACCEPT(3) Northcutt, Hill, Prosser
   MODIFY(1) Frech

COMMENTS:
 Frech> Change ISS:Feb15,1999
 Frech> XF:linux-super-bo
 Frech> XF:linux-super-logging-bo


=================================
Candidate: CAN-1999-0377
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb22,1999

Process table attack in Unix systems allows a remote attacker to
perform a denial of service by filling a machine's process tables
through multiple connections to network services.

VOTES:
   ACCEPT(4) Wall, Northcutt, Baker, Ozancin
   REVIEWING(1) Frech

COMMENTS:
 Northcutt> Have we done the one about max connections to inetd over a
 Northcutt> finite time frame?


=================================
Candidate: CAN-1999-0414
Published:
Final-Decision:
Interim-Decision: 19990921
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: NAI:Linux Blind TCP Spoofing
Reference: XF:linux-blind-spoof

In Linux before version 2.0.36, remote attackers can spoof a TCP
connection and pass data to the application layer before fully
establishing the connection.

Modifications:
  ADDREF XF:linux-blind-spoof

VOTES:
   ACCEPT(3) Northcutt, Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

COMMENTS:
 Frech> XF:linux-blind-spoof


=================================
Candidate: CAN-1999-0513
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990607
Assigned: 19990607
Category: CF
Reference: CERT:CA-98.01.smurf
Reference: FreeBSD:FreeBSD-SA-98:06
Reference: XF:smurf

ICMP messages to broadcast addresses are allowed, allowing for a
Smurf attack that can cause a denial of service.

VOTES:
   ACCEPT(4) Hill, Shostack, Frech, Wall
   MODIFY(1) Northcutt
   REVIEWING(1) Christey

COMMENTS:
 Northcutt> If you put it this way then ping mapping becomes part of smurf.  I
 Northcutt> would consider calling the vulnerability ICMP to broadcast addresses
 Northcutt> and in the text state allowing for a Smurf denial or service or ICMP
 Northcutt> ping mapping to acquire intelligence data about a network.
 Christey> This one is an interesting case.  As Steve noted, this configuration
 Christey> problem could allow for ping mapping as well.  I think the distinction
 Christey> is that for Smurf, there's a forged source IP address, and that's
 Christey> generally not the case when you're doing ping mapping.  So do we have
 Christey> a single vulnerability (ICMP to broadcast) with 2 separate
 Christey> implications?  Or, do we have two separate vulnerabilities, where one
 Christey> accounts for the "design flaw" of spoofed IP addresses and another one
 Christey> is a vulnerability because it allows information gathering?


=================================
Candidate: CAN-1999-0551
Published:
Final-Decision:
Interim-Decision: 19990921
Modified:
Proposed: 19990617
Assigned: 19990607
Category: CF
Reference: HP:HPSBUX9804-078
Reference: XF:hp-openmail

HP OpenMail can be misconfigured to allow users to run arbitrary
commands using malicious print requests.

VOTES:
   ACCEPT(2) Frech, Hill
   NOOP(1) Northcutt
   REVIEWING(1) Shostack

COMMENTS:
 Shostack> Question: Is this run arbitrary commands as root...?
Page Last Updated or Reviewed: May 22, 2007