
[INTERIM] ACCEPT 23 candidates from CERT2 (Final 1/3/2000)



I have made an Interim Decision to ACCEPT the following 23 candidates
from the CERT2 cluster.  I will make a Final Decision on January 3,
2000.

Voters:
  Frech ACCEPT(1) MODIFY(22)
  Ozancin ACCEPT(23)
  Christey NOOP(1)
  Cole ACCEPT(12) MODIFY(11)
  Armstrong ACCEPT(21) NOOP(2)
  Prosser ACCEPT(17) MODIFY(6)
  Stracener ACCEPT(22) MODIFY(1)


- Steve


=================================
Candidate: CAN-1999-0687
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990913 Vulnerability in ttsession
Reference: SUN:00185
Reference: HP:HPSBUX9909-103
Reference: COMPAQ:SSRT0617U_TTSESSION
Reference: CIAC:K-001
Reference: CERT:CA-99-11
Reference: BID:637
Reference: XF:cde-ttsession-rpc-auth

The ToolTalk ttsession daemon uses weak RPC authentication, which
allows a remote attacker to execute commands.

Modifications:
  CHANGEREF CIAC:J-051 CIAC:K-001
  ADDREF XF:cde-ttsession-rpc-auth
  DESC correct capitalization in ToolTalk, add execute commands

INFERRED VOTE: CAN-1999-0687 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(3) Armstrong, Ozancin, Prosser
   MODIFY(3) Cole, Frech, Stracener

COMMENTS:
 Cole> I would add at the end that this vulnerability can be used to execute
 Cole> arbitrary programs.
 Frech> XF:cde-ttsession-rpc-auth
 Frech> MODREF:CIAC:K-001 (J-051 relates to Calendar Manager)
 Stracener> Remove  REF: CIAC: J-051 (Advisory not relevant to this CAN). It should
 Stracener> be "ToolTalk" rather than "Tooltalk"


=================================
Candidate: CAN-1999-0689
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990913 Vulnerability in dtspcd
Reference: SUN:00185
Reference: HP:HPSBUX9909-103
Reference: CERT:CA-99-11
Reference: XF:cde-dtspcd-file-auth
Reference: BID:636

The CDE dtspcd daemon allows local users to execute arbitrary commands
via a symlink attack.

Modifications:
  DESC Change impact
  DESC ADDREF XF:cde-dtspcd-file-auth

INFERRED VOTE: CAN-1999-0689 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
   MODIFY(2) Cole, Frech

COMMENTS:
 Cole> The attack indirectly allows users to gain privileges.  The main
 Cole> vulnerability of the attack is that users can execute commands as root.  I
 Cole> would update the exploit to reflect this.
 Frech> XF:cde-dtspcd-file-auth


=================================
Candidate: CAN-1999-0691
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990913 Vulnerability in dtaction
Reference: SUN:00185
Reference: HP:HPSBUX9909-103
Reference: COMPAQ:SSRTO615U_DTACTION
Reference: CERT:CA-99-11
Reference: XF:cde-dtaction-username-bo
Reference: BID:635

Buffer overflow in the AddSuLog function of the CDE dtaction utility
allows local users to gain root privileges via a long user name.

Modifications:
  DESC Add AddSuLog to description.
  ADDREF XF:cde-dtaction-username-bo

INFERRED VOTE: CAN-1999-0691 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Armstrong, Ozancin, Stracener
   MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> XF:cde-dtaction-username-bo
 Prosser> Overflow is in the AddSuLog function.  Might want to add this to the
 Prosser> description to differentiate from other CDE dtaction vulnerabilities


=================================
Candidate: CAN-1999-0692
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: CF
Reference: CERT:CA-99-09
Reference: CIAC:J-052
Reference: SGI:19990701-01-P
Reference: XF:sgi-arrayd

The default configuration of the Array Services daemon (arrayd)
disables authentication, allowing remote users to gain root
privileges.

Modifications:
  ADDREF XF:sgi-arrayd

INFERRED VOTE: CAN-1999-0692 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:sgi-arrayd


=================================
Candidate: CAN-1999-0693
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: CERT:CA-99-11
Reference: SUN:00185
Reference: HP:HPSBUX9909-103
Reference: BID:641
Reference: XF:cde-dtsession-env-bo

Buffer overflow in TT_SESSION environment variable in ToolTalk shared
library allows local users to gain root privileges.

Modifications:
  DESC Add impact
  ADDREF XF:cde-dtsession-env-bo

INFERRED VOTE: CAN-1999-0693 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
   MODIFY(2) Cole, Frech

COMMENTS:
 Cole> I would add that this allows users to execute commands as root.
 Frech> XF:cde-dtsession-env-bo


=================================
Candidate: CAN-1999-0704
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: REDHAT:RHSA-1999:032-01
Reference: CALDERA:CSSA-1999:024.0
Reference: FREEBSD:SA-99:06
Reference: DEBIAN:19991018
Reference: BID:614
Reference: CERT:CA-99-12
Reference: XF:amd-bo

Buffer overflow in Berkeley automounter daemon (amd) logging facility
provided in the Linux am-utils package and others.

INFERRED VOTE: CAN-1999-0704 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(6) Cole, Armstrong, Frech, Ozancin, Prosser, Stracener


=================================
Candidate: CAN-1999-0722
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: CF
Reference: XF:cobalt-raq2-default-config
Reference: CERT:CA-99-10

The default configuration of Cobalt RaQ2 servers allows remote
users to install arbitrary software packages.

Modifications:
  ADDREF XF:cobalt-raq2-default-config

INFERRED VOTE: CAN-1999-0722 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Armstrong, Ozancin, Stracener
   MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> XF:cobalt-raq2-default-config
 Prosser> Additional reference http://noram.cobaltnet.com/support/security/index.html


=================================
Candidate: CAN-1999-0833
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: BID:788
Reference: XF:bind-nxt-bo

Buffer overflow in BIND 8.2 via NXT records.

Modifications:
  ADDREF BID:788
  ADDREF XF:bind-nxt-bo

INFERRED VOTE: CAN-1999-0833 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(3) Armstrong, Ozancin, Stracener
   MODIFY(3) Cole, Frech, Prosser

COMMENTS:
 Cole> I would that a Buffer overflow in Bind 8.2 fails to validate NXT records,
 Cole> which would allow an attacker to execute arbitrary code.
 Frech> XF:bind-nxt-bo
 Prosser> additional reference:  BID 788


=================================
Candidate: CAN-1999-0835
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-sigrecord-dos
Reference: BID:788

Denial of service in BIND named via malformed SIG records.

Modifications:
  DESC Add "malformed"
  ADDREF XF:bind-sigrecord-dos
  ADDREF BID:788

INFERRED VOTE: CAN-1999-0835 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(3) Armstrong, Ozancin, Stracener
   MODIFY(3) Cole, Frech, Prosser

COMMENTS:
 Cole> I would change it to a Denial of service in BIND based on the failure
 Cole> to properly validate SIG records, which could result in crashing the
 Cole> named daemon.
 Frech> XF:bind-sigrecord-dos
 Prosser> additional reference:  BID 788


=================================
Candidate: CAN-1999-0837
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-solinger-dos
Reference: BID:788

Denial of service in BIND by improperly closing TCP sessions via
so_linger.

Modifications:
  ADDREF XF:bind-solinger-dos
  ADDREF BID:788

INFERRED VOTE: CAN-1999-0837 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Armstrong, Ozancin, Stracener
   MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> XF:bind-solinger-dos
 Prosser> additional reference:  BID 788


=================================
Candidate: CAN-1999-0848
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: BID:788
Reference: XF:bind-fdmax-dos

Denial of service in BIND named via consuming more than "fdmax" file
descriptors.

Modifications:
  ADDREF XF:bind-fdmax-dos
  ADDREF BID:788

INFERRED VOTE: CAN-1999-0848 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(3) Armstrong, Ozancin, Stracener
   MODIFY(3) Cole, Frech, Prosser

COMMENTS:
 Cole> I would add consuming more "fdmax" file descriptors than BIND can properly
 Cole> manage.
 Cole> Just a general comment.  I do not know what the copyright restrictions are
 Cole> but CERT seems to do a pretty good job in coming up with the descriptions.
 Cole> Can we just use them because it seems like some of the above ones leave out
 Cole> some detail that would be necessary to pinpoint a specific exploit.
 Frech> XF:bind-fdmax-dos
 Prosser> additional reference:  BID 788


=================================
Candidate: CAN-1999-0849
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-maxdname-bo

Denial of service in BIND named via maxdname.

Modifications:
  ADDREF XF:bind-maxdname-bo

INFERRED VOTE: CAN-1999-0849 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
   MODIFY(2) Cole, Frech

COMMENTS:
 Cole> I would add at the end that this is accomplished by not properly handling the
 Cole> copying of data from the network.
 Frech> XF:bind-maxdname-bo


=================================
Candidate: CAN-1999-0851
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-naptr-dos

Denial of service in BIND named via naptr.

Modifications:
  ADDREF XF:bind-naptr-dos

INFERRED VOTE: CAN-1999-0851 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
   MODIFY(2) Cole, Frech

COMMENTS:
 Cole> I would add that this is done by failing to validate zone information loaded
 Cole> from disk files.
 Frech> XF:bind-naptr-dos


=================================
Candidate: CAN-1999-0868
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-97.08
Reference: XF:inn-ucbmail-shell-meta

ucbmail allows remote attackers to execute commands via shell
metacharacters that are passed to it from INN.

Modifications:
  ADDREF XF:inn-ucbmail-shell-meta

INFERRED VOTE: CAN-1999-0868 ACCEPT (5 accept, 0 review)

VOTES:
   ACCEPT(3) Ozancin, Prosser, Stracener
   MODIFY(2) Cole, Frech
   NOOP(2) Armstrong, Christey

COMMENTS:
 Cole> This is accomplished because INN does not remove certain shell
 Cole> metacharacters from the data in the control message.
 Cole> I am assuming that the other vulnerability in innd is covered by a different
 Cole> CVE number.  I just want to make sure we do not miss it.
 Frech> XF:inn-ucbmail-shell-meta
 Christey> The other INN problem is CVE-1999-0043.


=================================
Candidate: CAN-1999-0878
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: AUSCERT:AA-1999.01
Reference: CERT:CA-99-13
Reference: REDHAT:RHSA1999031_01
Reference: XF:wu-ftpd-dir-name
Reference: BID:599

Buffer overflow in WU-FTPD and related FTP servers allows remote
attackers to gain root privileges via MAPPING_CHDIR.

Modifications:
  ADDREF XF:wu-ftpd-dir-name
  ADDREF AUSCERT:AA-1999.01

INFERRED VOTE: CAN-1999-0878 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:wu-ftpd-dir-name


=================================
Candidate: CAN-1999-0879
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-99-13
Reference: XF:wuftp-message-file-root

Buffer overflow in WU-FTPD and related FTP servers allows remote
attackers to gain root privileges via macro variables in a message
file.

Modifications:
  ADDREF XF:wuftp-message-file-root

INFERRED VOTE: CAN-1999-0879 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
   MODIFY(2) Cole, Frech

COMMENTS:
 Cole> This is accomplished by overwriting the stack of the FTP daemon.
 Frech> XF:wuftp-message-file-root


=================================
Candidate: CAN-1999-0880
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-99-13
Reference: XF:wuftp-site-newer-dos

Denial of service in WU-FTPD via the SITE NEWER command, which does
not free memory properly.

Modifications:
  ADDREF XF:wuftp-site-newer-dos
  DESC change "memory leak" to "free memory"

INFERRED VOTE: CAN-1999-0880 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Armstrong, Ozancin, Prosser, Stracener
   MODIFY(2) Cole, Frech

COMMENTS:
 Cole> It is not really a memory leak, it is just that the program fails to free up
 Cole> memory under certain circumstances.
 Frech> XF:wuftp-site-newer-dos


=================================
Candidate: CAN-1999-0938
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:VN-99-03
Reference: XF:sdr-execute

MBone SDR Package allows remote attackers to execute commands via
shell metacharacters in Session Initiation Protocol (SIP) messages.

Modifications:
  ADDREF XF:sdr-execute

INFERRED VOTE: CAN-1999-0938 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:sdr-execute


=================================
Candidate: CAN-1999-0956
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-93.02a
Reference: XF:next-netinfo

The NeXT NetInfo _writers property allows local users to gain root
privileges or conduct a denial of service.

Modifications:
  ADDREF XF:next-netinfo

INFERRED VOTE: CAN-1999-0956 ACCEPT (5 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Ozancin, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(1) Armstrong

COMMENTS:
 Frech> XF:next-netinfo


=================================
Candidate: CAN-1999-0960
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: AUSCERT:AA-96.11
Reference: SGI:19980301-01-PX
Reference: XF:irix-cdplayer-directory-create

IRIX cdplayer allows local users to create directories in arbitrary
locations via a command line option.

Modifications:
  ADDREF XF:irix-cdplayer-directory-create

INFERRED VOTE: CAN-1999-0960 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:irix-cdplayer-directory-create


=================================
Candidate: CAN-1999-0962
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: AUSCERT:AA-96.13
Reference: HP:HPSBUX9701-045
Reference: XF:hp-password-cmd-bo

Buffer overflow in HPUX passwd command allows local users to gain root
privileges via a command line option.

Modifications:
  ADDREF XF:hp-password-cmd-bo

INFERRED VOTE: CAN-1999-0962 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:hp-password-cmd-bo


=================================
Candidate: CAN-1999-0963
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19960316 BoS: SECURITY BUG in FreeBS
Reference: CERT:VB-96.06
Reference: XF:freebsd-mount-union-root

FreeBSD mount_union command allows local users to gain root privileges
via a symlink attack.

Modifications:
  ADDREF XF:freebsd-mount-union-root

INFERRED VOTE: CAN-1999-0963 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:freebsd-mount-union-root


=================================
Candidate: CAN-1999-0965
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-93.17
Reference: XF:xterm

Race condition in xterm allows local users to modify arbitrary files
via the logging option.

Modifications:
  ADDREF XF:xterm

INFERRED VOTE: CAN-1999-0965 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:xterm

 
Page Last Updated: May 22, 2007