[PROPOSAL] Cluster 50 - UNIX-UNCONF (42 candidates)
This cluster contains various problems on the Unix platform, many of
which are in third-party software.  They may not have been confirmed
by the vendor.

Proposed: 12/21
Scheduled Proposed: 12/20
Scheduled Interim Decision: 1/3
Scheduled Final Decision: 1/7


- Steve


Summary of votes to use (in ascending order of "severity"):

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

=================================
Candidate: CAN-1999-0189
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19990607
Category: SF
Reference: SUN:00142

Solaris rpcbind listens on a high-numbered UDP port, which may not be
filtered since the standard port number is 111.

VOTE:

=================================
Candidate: CAN-1999-0389
Published:
Final-Decision:
Interim-Decision:
Modified: 19991207-01
Proposed: 19991222
Assigned: 19990607
Category: SF
Reference: DEBIAN:19990104
Reference: BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows
Reference: BID:324

Buffer overflow in the bootp server in the Debian Linux netstd
package.

VOTE:

=================================
Candidate: CAN-1999-0390
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990104 Dosemu/S-Lang Overflow + sploit
Reference: BID:187

Buffer overflow in Dosemu Slang library in Linux.

VOTE:

=================================
Candidate: CAN-1999-0676
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: XF:sun-stdcm-convert
Reference: BID:575
Reference: BUGTRAQ:19990808 stdcm_convert

stdcm_convert in Solaris 2.6 allows a local user to overwrite
sensitive files via a symlink attack.

VOTE:

=================================
Candidate: CAN-1999-0678
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: CF
Reference: XF:apache-debian-usrdoc
Reference: BUGTRAQ: An issue with Apache on Debian

A default configuration of Apache on Debian Linux sets the ServerRoot
to /usr/doc, which allows remote users to read documentation files
for the entire server.

VOTE:

=================================
Candidate: CAN-1999-0697
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990908 SCO 5.0.5 /bin/doctor nightmare
Reference: BID:621

SCO Doctor allows local users to gain root privileges through a Tools
option.

VOTE:

=================================
Candidate: CAN-1999-0698
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF

Denial of service in IP protocol logger (ippl) on Red Hat and Debian
Linux.

VOTE:

=================================
Candidate: CAN-1999-0711
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ: *Huge* security hole in Oracle 8.0.5 with Intellegent agent installed
Reference: XF:oracle-oratclsh

The oratclsh interpreter in Oracle 8.x Intelligent Agent for Unix
allows local users to execute Tcl commands as root.

VOTE:

=================================
Candidate: CAN-1999-0720
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:597
Reference: XF:linux-pt-chown

The pt_chown command in Linux allows local users to modify TTY
terminal devices that belong to other users.

VOTE:

=================================
Candidate: CAN-1999-0727
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF

A kernel leak in the OpenBSD kernel allows IPsec packets to be sent
unencrypted.

VOTE:

=================================
Candidate: CAN-1999-0733
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990626 VMWare Advisory - buffer overflows
Reference: XF:linux-vmware-buffer-overflows

Buffer overflow in VMWare 1.0.1 for Linux via a long HOME
environment variable.

VOTE:

=================================
Candidate: CAN-1999-0740
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:594
Reference: XF:linux-telnetd-term
Reference: CALDERA:CSSA-1999:022
Reference: REDHAT:RHSA1999029_01

Remote attackers can cause a denial of service in the Linux in.telnetd
telnet daemon via a malformed TERM environment variable.

VOTE:

=================================
Candidate: CAN-1999-0746
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: CF
Reference: BUGTRAQ:19990814 DOS against SuSE's identd
Reference: BID:587
Reference: XF:suse-identd-dos

A default configuration of in.identd in SuSE Linux waits 120 seconds
between requests, allowing a remote attacker to conduct a denial of
service.

VOTE:

=================================
Candidate: CAN-1999-0747
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ: Symmetric Multiprocessing (SMP) Vulnerbility in BSDi 4.0.1
Reference: BID:589
Reference: XF:bsdi-smp-dos

Denial of service in BSDi Symmetric Multiprocessing (SMP) when an
fstat call is made when the system has a high CPU load.

VOTE:

=================================
Candidate: CAN-1999-0754
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: XF:inn-innconf-env
Reference: BUGTRAQ:19990511 INN 2.0 and higher. Root compromise potential

The INN inndstart program allows local users to gain privileges by
specifying an alternate configuration file using the INNCONF
environment variable.

VOTE:

=================================
Candidate: CAN-1999-0773
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990511 Solaris2.6 and 2.7 lpset overflow
Reference: XF:sol-lpset-bo

Buffer overflow in Solaris lpset program allows local users to gain
root access.

VOTE:

=================================
Candidate: CAN-1999-0780
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)

KDE klock allows local users to kill arbitrary processes by specifying
an arbitrary PID in the .kss.pid file.

VOTE:

=================================
Candidate: CAN-1999-0781
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)

KDE allows local users to execute arbitrary commands by setting the
KDEDIR environment variable to modify the search path that KDE uses
to locate its executables.

VOTE:

=================================
Candidate: CAN-1999-0782
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)

KDE kppp allows local users to create a directory in an arbitrary
location via the HOME environment variable.

VOTE:

=================================
Candidate: CAN-1999-0785
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990511 INN 2.0 and higher. Root compromise potential
Reference: XF:inn-pathrun

The INN inndstart program allows local users to gain root privileges
via the "pathrun" parameter in the inn.conf file.

VOTE:

=================================
Candidate: CAN-1999-0786
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990922 LD_PROFILE local root exploit for solaris 2.6
Reference: BID:659

The dynamic linker in Solaris allows a local user to create arbitrary
files via the LD_PROFILE environment variable and a symlink attack.

VOTE:

=================================
Candidate: CAN-1999-0787
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BID:660

The SSH authentication agent follows symlinks via a UNIX domain
socket.

VOTE:

=================================
Candidate: CAN-1999-0795
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: NAI:NAI-27

The NIS+ rpc.nisd server allows remote attackers to execute certain
RPC calls without authentication to obtain system information, disable
logging, or modify caches.

VOTE:

=================================
Candidate: CAN-1999-0797
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: CIAC:I-070

NIS finger allows an attacker to conduct a denial of service via a
large number of finger requests, resulting in a large number of NIS
queries.

VOTE:

=================================
Candidate: CAN-1999-0798
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19981204 bootpd remote vulnerability

Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via
a malformed header type.

VOTE:

=================================
Candidate: CAN-1999-0799
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19970725 Exploitable buffer overflow in bootpd (most unices)

Buffer overflow in bootpd 2.4.3 and earlier via a long boot file
location.

VOTE:

=================================
Candidate: CAN-1999-0803
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ: IBM eNetwork Firewall for AIX

The fwluser script in AIX eNetwork Firewall allows local users to
write to arbitrary files via a symlink attack.

VOTE:

=================================
Candidate: CAN-1999-0806
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: XF:cde-dtprintinfo

Buffer overflow in Solaris dtprintinfo program.

VOTE:

=================================
Candidate: CAN-1999-0813
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990810 Severe bug in cfingerd before 1.4.0

Cfingerd does not properly drop privileges when it executes a program
on behalf of the user being fingered, allowing local users to gain
root privileges.

VOTE:

=================================
Candidate: CAN-1999-0888
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990817 Security Bug in Oracle
Reference: BID:585

dbsnmp in Oracle Intelligent Agent allows local users to gain
privileges by setting the ORACLE_HOME environment variable, which
dbsnmp uses to find the nmiconf.tcl script.

VOTE:

=================================
Candidate: CAN-1999-0893
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991011 SCO OpenServer 5.0.5 overwrite /etc/shadow

userOsa in SCO OpenServer allows local users to corrupt files via a
symlink attack.

VOTE:

=================================
Candidate: CAN-1999-0903
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991025 IBM AIX Packet Filter module
Reference: BUGTRAQ:19991027 Re: IBM AIX Packet Filter module (followup)

genfilt in the AIX Packet Filtering Module does not properly filter
traffic to destination ports greater than 32767.

VOTE:

=================================
Candidate: CAN-1999-0906
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990923 SuSE 6.2 sccw overflow exploit
Reference: BID:656

Buffer overflow in sccw allows local users to gain root access via the
HOME environment variable.

VOTE:

=================================
Candidate: CAN-1999-0908
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990921 solaris DoS
Reference: BID:655

Denial of service in Solaris TCP streams driver via a malicious
connection that causes the server to panic as a result of recursive
calls to mutex_enter.

VOTE:

=================================
Candidate: CAN-1999-0912
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990921 FreeBSD-specific denial of service
Reference: BID:653

FreeBSD VFS cache (vfs_cache) allows local users to cause a denial of
service by opening a large number of files.

VOTE:

=================================
Candidate: CAN-1999-0920
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990526 Remote vulnerability in pop2d

Buffer overflow in the pop-2d POP daemon in the IMAP package allows
remote attackers to gain privileges via the FOLD command.

VOTE:

=================================
Candidate: CAN-1999-0942
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991005 SCO UnixWare 7.1 local root exploit

UnixWare dos7utils allows a local user to gain root privileges by
using the STATICMERGE environment variable to find a script which
it executes.

VOTE:

=================================
Candidate: CAN-1999-0952
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990126 Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat

Buffer overflow in Solaris lpstat via class argument allows local
users to gain root access.

VOTE:

=================================
Candidate: CAN-1999-0958
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19980112 Re: hole in sudo for MP-RAS.

sudo 1.5.x allows local users to execute arbitrary commands via a
... (dot dot) attack.

VOTE:

=================================
Candidate: CAN-1999-0961
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19960921 Vunerability in HP sysdiag ?

HPUX sysdiag allows local users to gain root privileges via a symlink
attack during log file creation.

VOTE:

=================================
Candidate: CAN-1999-0966
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: L0PHT:19970127 Solaris libc - getopt(3)

Buffer overflow in Solaris getopt in libc allows local users to gain
root privileges via a long argv[0].

VOTE:

=================================
Candidate: CAN-1999-0971
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19970722 Security hole in exim 1.62: local root exploit

Buffer overflow in Exim allows local users to gain root privileges via
a long :include: option in a .forward file.

VOTE:

Page Last Updated or Reviewed: May 22, 2007