[INTERIM] ACCEPT 17 candidates from various clusters (Final 1/3/2000)



I have made an Interim Decision to ACCEPT the following 17 candidates
from various clusters.  I will make a Final Decision on January 3,
2000.

The candidates come from the following older clusters:

 1 VEN-SUN
 2 BUF
 7 RESTLOW
 1 ONEREF
 1 DESIGN
 4 MORELOW
 1 CDEC

These candidates are being ACCEPTed now, instead of several months
ago, because either: (a) my new automatic vote counter spotted
candidates that had previously slipped through the cracks, (b) I was
able to dig up references in which a software vendor acknowledged the
problem (thus counting as a 3rd vote), or (c) both a and b.  The (b)
cases are identified with an "inferred vote" of ACCEPT_ACK, as listed
below.

Voters:
  Wall ACCEPT(3) MODIFY(1) NOOP(3)
  Shostack NOOP(1)
  Ozancin ACCEPT(6)
  Baker ACCEPT(2)
  Frech ACCEPT(7) MODIFY(10)
  Hill ACCEPT(9)
  Proctor ACCEPT(1)
  Northcutt ACCEPT(11) MODIFY(1)
  Christey NOOP(3)
  Balinsky ACCEPT(1)
  Prosser ACCEPT(1) MODIFY(4) NOOP(2)
  Blake ACCEPT(2)


=================================
Candidate: CAN-1999-0151
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.07a.REVISED.satan.vul
Reference: CERT:CA-95.06.satan.vul

The SATAN session key may be disclosed if the user points the web
browser to other sites, possibly allowing root access.

INFERRED VOTE: CAN-1999-0151 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(2) Hill, Northcutt
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:satan-scan


=================================
Candidate: CAN-1999-0212
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00168
Reference: CIAC:I-048
Reference: XF:sun-mountd

Solaris rpc.mountd generates error messages that allow a remote
attacker to determine what files are on the server.

Modifications:
  DESC remove Linux
  ADDREF XF:sun-mountd
  ADDREF CIAC:I-048

INFERRED VOTE: CAN-1999-0212 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(1) Prosser
   MODIFY(2) Northcutt, Frech
   NOOP(1) Christey

COMMENTS:
 Northcutt> I am concerned that Linux is becoming too
 Northcutt> nondescript a word, in the past two weeks I have run
 Northcutt> across 3 Linuxes I had never heard of before.  I think we need
 Northcutt> to start being specific when we mention Linux either by
 Northcutt> the kernel or vendor or something.
 Frech> Reference: XF:sun-mountd
 Christey> Does this affect more than Solaris mountd?


=================================
Candidate: CAN-1999-0275
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: XF:nt-dnscrash
Reference: XF:nt-dnsver
Reference: MS:Q169461

Denial of service in Windows NT DNS servers by flooding port 53 with
too many characters.

Modifications:
  CHANGEREF XF:nt-dns-crash XF:nt-dnscrash
  DESC slight change to mention port 53 specifically.
  ADDREF XF:nt-dnsver

INFERRED VOTE: CAN-1999-0275 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(1) Ozancin
   MODIFY(2) Wall, Frech
   NOOP(1) Christey

COMMENTS:
 Wall> Denial of service in Windows NT DNS servers by malicious telnet attack.
 Frech> Change XF:nt-dns-crash to XF:nt-dnscrash
 Frech> ADDREF XF:nt-dnsver
 Christey> The XF entry, and the corresponding Microsoft KB articles,
 Christey> indicate that there is more than one vulnerability related to
 Christey> the DNS server.  Other candidates need to be created for the
 Christey> other cases, including the telnet case that Mike mentions.


=================================
Candidate: CAN-1999-0280
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19990925-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:19970317 Internet Explorer Bug #4
Reference: CIAC:H-38
Reference: XF:http-ie-lnkurl

Remote command execution in Microsoft Internet Explorer using .lnk and
.url files.

Modifications:
  ADDREF CIAC:H-38
  ADDREF XF:http-ie-lnkurl
  ADDREF NTBUGTRAQ:19970317 Internet Explorer Bug #4

INFERRED VOTE: CAN-1999-0280 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Hill, Wall, Northcutt, Proctor, Balinsky
   MODIFY(2) Frech, Prosser
   NOOP(1) Christey

COMMENTS:
 Frech> XF:http-ie-lnkurl
 Prosser> additional source
 Prosser> CIAC Bulletin H-38
 Prosser> http://www.ciac.org
 Prosser> Microsoft Internet Explorer Security Updates
 Prosser> "Internet Explorer 3.02 Includes All Security"
 Prosser> http://www.microsoft.com/windows/ie/security
 Christey> Mike's Microsoft reference is no longer listed there.
 Christey> This topic appears to have generated a long NTBugtraq thread.


=================================
Candidate: CAN-1999-0290
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19980221 WinGate DoS
Reference: BUGTRAQ:19980326 WinGate Intermediary Fix/Update
Reference: XF:wingate-dos

The WinGate telnet proxy allows remote attackers to cause a denial of
service via a large number of connections to localhost.

Modifications:
  ADDREF BUGTRAQ:19980221 WinGate DoS
  ADDREF BUGTRAQ:19980326 WinGate Intermediary Fix/Update
  ADDREF XF:wingate-dos
  DESC Add localhost info

INFERRED VOTE: CAN-1999-0290 ACCEPT (4 accept, 0 review)

VOTES:
   ACCEPT(3) Hill, Blake, Northcutt
   MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> XF:wingate-dos
 Prosser> additional source
 Prosser> Hrvoje Crvelin
 Prosser> Security Bugware
 Prosser> http://161.53.42.3/~crv/security/bugs/NT/wingate2.html


=================================
Candidate: CAN-1999-0291
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990630
Assigned: 19990607
Category: unknown
Reference: XF:wingate-unpassworded

The WinGate proxy is installed without a password, which allows
remote attackers to redirect connections without authentication.

Modifications:
  ADDREF XF:wingate-unpassworded

INFERRED VOTE: CAN-1999-0291 ACCEPT (5 accept, 0 review)

VOTES:
   ACCEPT(4) Hill, Blake, Northcutt, Ozancin
   MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> Description needs more info or references on how this redirection takes
 Frech> place. Is it by password access? If so, consider these two references:
 Frech> XF:wingate-unpassworded
 Frech> XF:wingate-registry-passwords
 Prosser> believe this is the "WinGate Bounce" described in
 Prosser> Hrvoje Crvelin's
 Prosser> Security Bugware
 Prosser> http://161.53.42.3/~crv/security/bugs/NT/wingate.htm


=================================
Candidate: CAN-1999-0297
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991216-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NAI:NAI-3
Reference: AUSCERT:AA-96.21
Reference: CIAC:H-17
Reference: XF:vixie-cron

Buffer overflow in Vixie Cron library up to version 3.0 allows local
users to obtain root access via a long environmental variable.

Modifications:
  ADDREF AUSCERT:AA-96.21
  ADDREF CIAC:H-17
  ADDREF XF:vixie-cron
  DESC identify the environmental variable, modify version

INFERRED VOTE: CAN-1999-0297 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Northcutt, Hill
   MODIFY(2) Prosser, Frech

COMMENTS:
 Prosser> This appears to be the same as the Cron BO reported in CIAC
 Prosser> H-17 which affects versions of the vixie cron package up to and including
 Prosser> 3.0
 Frech> XF:vixie-cron


=================================
Candidate: CAN-1999-0304
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: XF:bsd-mmap
Reference: FreeBSD:FreeBSD-SA-98:02

mmap function in BSD allows local attackers in the kmem group to
modify memory through devices.

INFERRED VOTE: CAN-1999-0304 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(3) Hill, Frech, Northcutt


=================================
Candidate: CAN-1999-0318
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991216-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19961125 Security Problems in XMCD
Reference: BUGTRAQ:19961125 XMCD v2.1 released (was: Security Problems in XMCD)
Reference: XF:xmcd-envbo

Buffer overflow in xmcd 2.0p12 allows local users to gain access
through an environmental variable.

Modifications:
  ADDREF BUGTRAQ:19961125 Security Problems in XMCD
  ADDREF BUGTRAQ:19961125 XMCD v2.1 released (was: Security Problems in XMCD)

INFERRED VOTE: CAN-1999-0318 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(3) Northcutt, Hill, Frech
   NOOP(1) Prosser


=================================
Candidate: CAN-1999-0322
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-97:05
Reference: XF:freebsd-open

The open() function in FreeBSD allows local attackers to write
to arbitrary files.

INFERRED VOTE: CAN-1999-0322 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(3) Hill, Frech, Northcutt


=================================
Candidate: CAN-1999-0343
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19981002 Announcements from The Palace (fwd)
Reference: XF:palace-malicious-servers-vuln

A malicious Palace server can force a client to execute arbitrary
programs.

Modifications:
  ADDREF BUGTRAQ:19981002 Announcements from The Palace (fwd)
  CHANGEREF XF:palace-execute XF:palace-malicious-servers-vuln

INFERRED VOTE: CAN-1999-0343 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(2) Northcutt, Baker
   MODIFY(1) Frech
   NOOP(2) Shostack, Prosser

COMMENTS:
 Shostack> The description worries me.  Can force any client?  Can force an
 Shostack> overly trusting client?
 Frech> XF reference above is obsolete; replace with
 Frech> XF:palace-malicious-servers-vuln


=================================
Candidate: CAN-1999-0408
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990225 Cobalt root exploit
Reference: XF:cobalt-raq-history-exposure
Reference: BID:337

Files created from interactive shell sessions in Cobalt RaQ
microservers (e.g. .bash_history) are world readable, and thus are
accessible from the web server.

Modifications:
  CHANGEREF BUGTRAQ add title

INFERRED VOTE: CAN-1999-0408 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(2) Ozancin, Frech
   NOOP(1) Wall


=================================
Candidate: CAN-1999-0409
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990304 Linux /usr/bin/gnuplot overflow
Reference: XF:gnuplot-home-overflow
Reference: BID:319

Buffer overflow in gnuplot in Linux version 3.5 allows local users to
obtain root access.

INFERRED VOTE: CAN-1999-0409 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(2) Ozancin, Frech
   NOOP(1) Wall


=================================
Candidate: CAN-1999-0421
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: ISS:Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations
Reference: XF:linux-slackware-install
Reference: BID:338

During a reboot after an installation of Linux Slackware 3.6, a remote
attacker can obtain root access by logging in to the root account
without a password.

Modifications:
  ADDREF BID:338
  ADDREF XF:linux-slackware-install

INFERRED VOTE: CAN-1999-0421 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(2) Hill, Northcutt
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:linux-slackware-install


=================================
Candidate: CAN-1999-0428
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990322 OpenSSL/SSLeay Security Alert
Reference: XF:ssl-session-reuse

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and
bypass access controls.

Modifications:
  CHANGEREF BUGTRAQ [add title]
  DESC add "bypass access controls"

INFERRED VOTE: CAN-1999-0428 ACCEPT_ACK (2 accept, 1 ack, 0 review)

VOTES:
   ACCEPT(2) Wall, Frech


=================================
Candidate: CAN-1999-0439
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991207-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990405 Re: [SECURITY] new version of procmail with security fixes
Reference: DEBIAN:19990422
Reference: CALDERA:CSSA-1999:007
Reference: XF:procmail-overflow

Buffer overflow in procmail before version 3.12 allows remote or local
attackers to execute commands via expansions in the procmailrc
configuration file.

Modifications:
  DESC reword

INFERRED VOTE: CAN-1999-0439 ACCEPT_ACK (2 accept, 2 ack, 0 review)

VOTES:
   ACCEPT(1) Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

COMMENTS:
 Frech> Poorly summarized.  See procmail-overflow.


=================================
Candidate: CAN-1999-0470
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: XF:netware-remotenlm-passwords
Reference: BUGTRAQ:19990409 New Novell Remote.NLM Password Decryption Algorithm with Exploit

A weak encryption algorithm is used for passwords in Novell
Remote.NLM, allowing them to be easily decrypted.

Modifications:
  CHANGEREF BUGTRAQ [add title]

INFERRED VOTE: CAN-1999-0470 ACCEPT (4 accept, 0 review)

VOTES:
   ACCEPT(5) Wall, Northcutt, Baker, Ozancin, Frech

Page Last Updated or Reviewed: May 22, 2007