
[INTERIM] ACCEPT 30 candidates from various clusters (Final 1/18)



I have made an Interim Decision to ACCEPT the following candidates
from various clusters.  I will make a Final Decision on January 18.

This decision includes a mixture of legacy and new issues, which will
be just enough to allow us to barely exceed 500 entries on the 18th,
when candidate numbering is expected to go live.  A few candidates
were accepted with the minimum number of votes.

The candidates come from the following clusters:
   1 MULT
   2 CGI
   1 FINGER
   2 MS
   1 CERT2
   4 RECENT-01
   5 LINUX
   1 UNIX-VEN
   2 WEB
   6 NET-01
   5 RECENT-03


Voters:
  Shostack ACCEPT(1)
  Wall ACCEPT(4) MODIFY(1) NOOP(2)
  Ozancin ACCEPT(1) NOOP(2)
  Cole ACCEPT(14) MODIFY(6) NOOP(6)
  Stracener ACCEPT(22) MODIFY(4)
  Frech MODIFY(11) REVIEWING(1)
  Christey MODIFY(1) NOOP(10)
  Northcutt ACCEPT(2) NOOP(1)
  Armstrong ACCEPT(5)
  Prosser ACCEPT(9) MODIFY(1) NOOP(1)
  Blake ACCEPT(8)


- Steve



=================================
Candidate: CAN-1999-0101
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000105-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:001.1
Reference: ERS:ERS-SVA-E01-1996:007.1
Reference: SUN:00137a
Reference: CIAC:H-13
Reference: NAI:NAI-1

Buffer overflow in AIX and Solaris "gethostbyname" library call allows
root access through corrupt DNS host names.

Modifications:
  ADDREF CIAC:H-13

CONTENT-DECISIONS: SF-CODEBASE

INFERRED ACTION: CAN-1999-0101 ACCEPT_ACK (2 accept, 3 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Prosser
   MODIFY(1) Frech
   NOOP(1) Christey

Comments:
 Frech> XF:ghbn-bo
 Frech> in addition to ERS:1997:001.1, also include 1996:007.1
 Frech> Sun's bulletin is 137a, not 137.
 Prosser> concur with Andre, sun bul is 137a
 Christey> The NAI advisory discusses a problem with programs trusting
 Christey> the length field that is returned from gethostbyname().
 Christey> The ERS and SUN advisories implicitly refer to
 Christey> BUGTRAQ:19961118 Serious hole in Solaris 2.5[.1]
 Christey> gethostbyname() (exploit included)
 Christey> which allows local users to gain access by providing
 Christey> arguments *to* gethostbyname().
 Christey> As both Andre and Mike's comments relate to the advisories,
 Christey> NAI-1 will be deleted as a reference for this candidate, and
 Christey> a new candidate will be proposed later on.


=================================
Candidate: CAN-1999-0233
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MSKB:Q148188
Reference: XF:http-iis-cmd

IIS allows users to execute arbitrary commands using .bat or .cmd
files.

Modifications:
  ADDREF MSKB:Q148188
  DESC Remove WebSite reference.

INFERRED ACTION: CAN-1999-0233 ACCEPT_ACK_REV (2 accept, 1 ack, 1 review)

Current Votes:
   ACCEPT(2) Northcutt, Prosser
   NOOP(1) Christey
   REVIEWING(1) Frech

Comments:
 Frech> XF reference is correct, but cannot find supporting reference for WebSite
 Frech> vulnerability.
 Frech> No further action to be taken unless more information forthcoming.
 Christey> Can't find the WebSite mention now, so I will remove it.


=================================
Candidate: CAN-1999-0259
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000106-01
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19970523 cfingerd vulnerability
Reference: XF:cfinger-user-enumeration

cfingerd lists all users on a system via search.**@target.

Modifications:
  ADDREF BUGTRAQ:19970523 cfingerd vulnerability
  ADDREF XF:cfinger-user-enumeration

INFERRED ACTION: CAN-1999-0259 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Shostack
   MODIFY(1) Frech
   NOOP(1) Northcutt

Comments:
 Frech> XF:cfinger-user-enumeration


=================================
Candidate: CAN-1999-0270
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CIAC:I-041
Reference: XF:sgi-pfdispaly

pfdispaly CGI program for SGI's Performer API Search Tool allows read
access to files.

Modifications:
  ADDREF CIAC:I-041
  ADDREF XF:sgi-pfdispaly

INFERRED ACTION: CAN-1999-0270 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Northcutt, Prosser
   MODIFY(1) Frech
   NOOP(1) Christey

Comments:
 Prosser> additional source
 Prosser> CIAC Security Bulletin I-041
 Prosser> http://www.ciac.org
 Frech> XF:sgi-pfdispaly
 Frech> XF:sgi-dispaly-patch-vuln
 Christey> There are two bugs here, as described in Bugtraq.  The first one
 Christey> allowed read access to files outside of a document root (a dot dot
 Christey> problem).  The second one was a shell metacharacter problem.
 Christey> Reference: BUGTRAQ:19980407: perfomer_tools again
 Christey> CAN-1999-0270 refers to the first problem only.


=================================
Candidate: CAN-1999-0683
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: XF:gauntlet-dos
Reference: BUGTRAQ:19990729 Remotely Lock Up Gauntlet 5.0
Reference: BID:556

Denial of service in Gauntlet Firewall via a malformed ICMP packet.

INFERRED ACTION: CAN-1999-0683 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Cole

Comments:
 Cole> The BUGTRAQ number is 19990730 and the BID is 556.  This also occurs when an
 Cole> ICMP Protocol Problem packet's (ICMP_PARAMPROB) encapsulated IP packet has a
 Cole> random protocol field and certain IP options set.


=================================
Candidate: CAN-1999-0694
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: CIAC:J-055
Reference: IBM:ERS-SVA-E01-1999:002.1
Reference: XF:aix-ptrace-halt

Denial of service in AIX ptrace system call allows local users to
crash the system.

Modifications:
  ADDREF XF:aix-ptrace-halt
  DELREF BUGTRAQ:19990713

INFERRED ACTION: CAN-1999-0694 ACCEPT (4 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(3) Blake, Stracener, Prosser
   MODIFY(1) Frech
   NOOP(2) Cole, Christey

Comments:
 Frech> XF:aix-ptrace-halt
 Frech> Please add title to the BugTraq reference, since it was not evident to which
 Frech> message you were referring.
 Christey> I couldn't find the Bugtraq reference either, which is
 Christey> especially odd because the IBM advisory says that the
 Christey> problem was discussed in Bugtraq.  Bugtraq reference deleted.


=================================
Candidate: CAN-1999-0708
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000106-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990921 BP9909-00: cfingerd local buffer overflow
Reference: BID:651

Buffer overflow in cfingerd allows local users to gain root privileges
via a long GECOS field.

Modifications:
  DELREF DEBIAN:19990806
  CHANGEREF BUGTRAQ BUGTRAQ:19990921 BP9909-00: cfingerd local buffer overflow
  DESC Add GECOS qualifier

INFERRED ACTION: CAN-1999-0708 ACCEPT (3 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Cole
   NOOP(1) Christey

Comments:
 Cole> This is too general.  I would add:  By setting a carefully designed GECOS
 Cole> field it is possible to execute arbitrary code with root (or nobody)
 Cole> privileges
 Christey> There is no associated DEBIAN reference here, as
 Christey> DEBIAN:19990806 refers to an older remote-only buffer overflow
 Christey> in the username, not GECOS.  (BID:512 also discusses that
 Christey> remote problem, though it may not be exploitable).


=================================
Candidate: CAN-1999-0734
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991125
Category: CF
Reference: CISCO: CiscoSecure Access Control Server for UNIX Remote Administration Vulnerability
Reference: XF:ciscosecure-read-write

A default configuration of CiscoSecure Access Control Server (ACS)
allows remote users to modify the server database without
authentication.

INFERRED ACTION: CAN-1999-0734 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener


=================================
Candidate: CAN-1999-0742
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: DEBIAN:19990623
Reference: BID:480

The Debian mailman package uses weak authentication, which allows
attackers to gain privileges.

Modifications:
  ADDREF BID:480

INFERRED ACTION: CAN-1999-0742 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Blake, Stracener
   NOOP(1) Cole


=================================
Candidate: CAN-1999-0743
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: XF:trn-symlinks
Reference: DEBIAN:19990823c
Reference: SUSE:19990824 Security hole in trn

Trn allows local users to overwrite other users' files via symlinks.

Modifications:
  ADDREF SUSE:19990824 Security hole in trn

INFERRED ACTION: CAN-1999-0743 ACCEPT_ACK (2 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(1) Blake
   MODIFY(1) Stracener
   NOOP(1) Cole

Comments:
 Stracener> Add Ref: SUSE: Security hole in trn 24.08.99


=================================
Candidate: CAN-1999-0753
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: unknown
Reference: BUGTRAQ:19990817 Stupid bug in W3-msql
Reference: XF:mini-sql-w3-msql-cgi
Reference: BID:591

The w3-msql CGI script provided with Mini SQL allows remote attackers
to view restricted directories.

Modifications:
  ADDREF XF:mini-sql-w3-msql-cgi

INFERRED ACTION: CAN-1999-0753 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(3) Cole, Blake, Stracener
   NOOP(1) Christey

Comments:
 Christey> May be a configuration error and not a software flaw.  See
 Christey> BUGTRAQ:19990820 Re: Stupid bug in W3-msql (David J. Hughes)


=================================
Candidate: CAN-1999-0768
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BID:602
Reference: REDHAT:RHSA-1999:030-02
Reference: SUSE:19990829 Security hole in cron

Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO
environmental variable.

INFERRED ACTION: CAN-1999-0768 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(1) Blake
   MODIFY(3) Cole, Christey, Stracener

Comments:
 Cole> I would be a little clearer. By utilizing the MAILTO environment variable, a
 Cole> buffer can be overflown in the cron_popen() function, allowing an attacker
 Cole> to execute arbitrary code.
 Christey> Although the descriptions don't reflect it, CAN-1999-0872 and
 Christey> CAN-1999-0768 are different.  One has to do with a buffer
 Christey> overflow; the other deals with a user supplying their own
 Christey> Sendmail config file.  BID:602 and BID:611 show this.
 Stracener> Add Ref: SUSE: Security hole in cron  29.08.1999:


=================================
Candidate: CAN-1999-0770
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990729 Simple DOS attack on FW-1
Reference: BID:549
Reference: CHECKPOINT:ACK DOS ATTACK

Firewall-1 sets a long timeout for connections that begin with ACK or
other packets except SYN, allowing an attacker to conduct a denial of
service via a large number of connection attempts to unresponsive
systems.

INFERRED ACTION: CAN-1999-0770 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener


=================================
Candidate: CAN-1999-0775
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: CISCO:19990610 Cisco IOS Software established Access List Keyword Error
Reference: XF:cisco-gigaswitch

Cisco Gigabit Switch routers running IOS allow remote attackers to
forward unauthorized packets due to improper handling of the
"established" keyword in an access list.

Modifications:
  ADDREF XF:cisco-gigaswitch

INFERRED ACTION: CAN-1999-0775 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener


=================================
Candidate: CAN-1999-0811
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990721 Samba 2.0.5 security fixes
Reference: REDHAT:RHSA-1999:022-02
Reference: CALDERA:CSSA-1999:018.0
Reference: SUSE:19990816 Security hole in Samba
Reference: DEBIAN:19990731 Samba
Reference: XF:samba-message-bo
Reference: BID:536

Buffer overflow in Samba smbd program via a malformed message
command.

Modifications:
  DESC add details
  ADDREF CALDERA:CSSA-1999:018.0
  ADDREF SUSE:19990816 Security hole in Samba
  ADDREF DEBIAN:19990731 Samba
  ADDREF XF:samba-message-bo
  ADDREF BID:536

INFERRED ACTION: CAN-1999-0811 ACCEPT_ACK (2 accept, 5 ack, 0 review)

Current Votes:
   ACCEPT(1) Blake
   MODIFY(1) Stracener
   NOOP(1) Cole

Comments:
 Stracener> Add Ref: CALDERA: CSSA-1999:018.0
 Stracener> Add Ref: DEBIAN: Samba [31-Jul-1999]
 Stracener> Add Ref: SUSE: Security hole in Samba 16.08.1999


=================================
Candidate: CAN-1999-0831
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CALDERA:CSSA-1999-035.0
Reference: REDHAT:RHSA1999055-01
Reference: SUSE:19991118 syslogd-1.3.33 (a1)
Reference: BUGTRAQ:19991130 [david@slackware.com: New Patches for Slackware 4.0 Available]
Reference: BID:809
Reference: XF:slackware-syslogd-dos

Denial of service in Linux syslogd via a large number of connections.

Modifications:
  ADDREF CALDERA:CSSA-1999-035.0
  ADDREF REDHAT:RHSA1999055-01
  ADDREF SUSE:19991118 syslogd-1.3.33 (a1)
  DESC Change description to apply to all Linux
  ADDREF XF:slackware-syslogd-dos
  ADDREF BID:809

INFERRED ACTION: CAN-1999-0831 ACCEPT (5 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(3) Armstrong, Cole, Prosser
   MODIFY(2) Stracener, Frech
   NOOP(1) Christey

Comments:
 Christey> ADDREF CALDERA:CSSA-1999-035.0
 Christey> ADDREF REDHAT:RHSA1999055-01
 Christey> ADDREF SUSE:19991118 syslogd-1.3.33 (a1)
 Christey> Change description to apply to all Linux
 Stracener> Given that this issue is not slackware-specific, the description should
 Stracener> be made more generic, possibly: "Denial of service in syslogd via a
 Stracener> large number of connections"
 Stracener> Add Ref: CSSA-1999-035.0
 Stracener> Add Ref: RHSA1999055-01
 Stracener> Add Ref: SuSE Security Announcement - syslogd (a1)
 Stracener> Add Ref: Cobalt Networks -- Security Advisory -- 11.20.1999 (syslog)
 Frech> XF:slackware-syslogd-dos


=================================
Candidate: CAN-1999-0834
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991201 Security Advisory: Buffer overflow in RSAREF2
Reference: BUGTRAQ:19991202 OpenBSD sslUSA26 advisory (Re: CORE-SDI: Buffer overflow in RSAREF2)
Reference: CERT:CA-99-15
Reference: BID:843
Reference: XF:rsaref-bo

Buffer overflow in RSAREF2 via the encryption and decryption functions
in the RSAREF library.

Modifications:
  ADDREF XF:rsaref-bo

INFERRED ACTION: CAN-1999-0834 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Armstrong, Cole, Stracener
   MODIFY(2) Prosser, Frech

Comments:
 Prosser> Ref:  CERT Ca-99-15, Buffer Overflows in SSH Daemon and RSAREF2 Library
 Prosser> SecuriTeam.com, SSH1.2.27 is vulnerable to a remote buffer overflow (RSAREF)
 Frech> XF:rsaref-bo


=================================
Candidate: CAN-1999-0847
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BUGTRAQ:19991129 FICS buffer overflow
Reference: XF:fics-board-bo

Buffer overflow in free internet chess server (FICS) program, xboard.

Modifications:
  ADDREF XF:fics-board-bo

INFERRED ACTION: CAN-1999-0847 ACCEPT (3 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(2) Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(2) Cole, Prosser

Comments:
 Frech> XF:fics-board-bo


=================================
Candidate: CAN-1999-0853
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: BID:847
Reference: ISS:19991201 Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure
Reference: XF:netscape-fasttrack-auth-bo

Buffer overflow in Netscape Enterprise Server and Netscape
FastTrack Server allows remote attackers to gain privileges via the
HTTP Basic Authentication procedure.

Modifications:
  ADDREF XF:netscape-fasttrack-auth-bo

INFERRED ACTION: CAN-1999-0853 ACCEPT (5 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(3) Armstrong, Stracener, Prosser
   MODIFY(2) Cole, Frech

Comments:
 Cole> I would add that this is a remote buffer overflow...
 Frech> XF:netscape-fasttrack-auth-bo


=================================
Candidate: CAN-1999-0875
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991208
Category: CF
Reference: L0PHT:19990811
Reference: MSKB:Q216141
Reference: BID:578
Reference: XF:irdp-gateway-spoof

DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow
remote attackers to modify their default routes.

Modifications:
  ADDREF XF:irdp-gateway-spoof

INFERRED ACTION: CAN-1999-0875 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener


=================================
Candidate: CAN-1999-0881
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991025 Falcon Web Server
Reference: BINDVIEW:Falcon Web Server
Reference: BID:743
Reference: XF:falcon-path-parsing

Falcon web server allows remote attackers to read arbitrary files via
a .. (dot dot) attack.

Modifications:
  ADDREF XF:falcon-path-parsing
  ADDREF BID:743

INFERRED ACTION: CAN-1999-0881 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Blake, Stracener
   NOOP(1) Cole


=================================
Candidate: CAN-1999-0898
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649
Reference: XF:nt-printer-spooler-bo
Reference: BID:768

Buffer overflows in Windows NT 4.0 print spooler allow remote
attackers to gain privileges or cause a denial of service via a
malformed spooler request.

Modifications:
  ADDREF XF:nt-printer-spooler-bo
  ADDREF BID:768

INFERRED ACTION: CAN-1999-0898 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Wall, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(2) Ozancin, Christey

Comments:
 Frech> XF:nt-printer-spooler-bo
 Prosser> (Modify)
 Prosser> This maybe should be separated into two entries.  One for the DoS which is
 Prosser> just done with random data and one for the more experienced attack of
 Prosser> gaining privileges on the host.
 Christey> While the advisory is not entirely explicit, the difference
 Christey> between the DoS and the command execution is only in effect,
 Christey> and appears to be in the same line of code, so the SF-LOC
 Christey> content decision applies here.


=================================
Candidate: CAN-1999-0899
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649
Reference: BID:769
Reference: XF:nt-printer-spooler-bo

The Windows NT 4.0 print spooler allows a local user to execute
arbitrary commands due to inappropriate permissions that allow the
user to specify an alternate print provider.

Modifications:
  ADDREF XF:nt-printer-spooler-bo
  ADDREF BID:769

INFERRED ACTION: CAN-1999-0899 ACCEPT (5 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(4) Cole, Wall, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(2) Ozancin, Christey

Comments:
 Frech> XF:nt-printer-spooler-bo
 Cole>
 Cole> [Originally rejected; vote changed to ACCEPT based on feedback]
 Cole> This should be combined with the previous one to state it can cause
 Cole> a denial of service
 Cole> or allow commands to be executed.  Just because a vulnerability can
 Cole> be exploited in different ways
 Cole> does not mean there should be separate entries since the underlying
 Cole> exploit is the same.
 Christey> This is different than CAN-1999-0898 because 898 is a buffer
 Christey> overflow, while this one is incorrect permissions.  They
 Christey> are different bugs, so should have separate entries.  Note
 Christey> that MS99-047 also discriminates between these two candidates,
 Christey> i.e. it contains the phrase "A second vulnerability exists..."
 Christey> and goes on to describe CAN-1999-0899.


=================================
Candidate: CAN-1999-0905
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19991020 Remote DoS in Axent's Raptor 6.0
Reference: BID:736
Reference: XF:raptor-ipoptions-dos

Denial of service in Axent Raptor firewall via malformed zero-length
IP options.

Modifications:
  ADDREF BID:736
  ADDREF XF:raptor-ipoptions-dos

INFERRED ACTION: CAN-1999-0905 ACCEPT_ACK (2 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Cole

Comments:
 Cole> This occurs when the SECURITY and TIMESTAMP IP options length is set to 0


=================================
Candidate: CAN-1999-0955
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-94.08
Reference: CIAC:E-17
Reference: XF:ftp-exec

Race condition in wu-ftpd and BSDI ftpd allows remote attackers to gain
root access via the SITE EXEC command.

Modifications:
  ADDREF XF:ftp-exec

INFERRED ACTION: CAN-1999-0955 ACCEPT (6 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
   MODIFY(1) Frech

Comments:
 Cole> There are actually two vulnerabilities listed in this CERT.  I am assuming
 Cole> that the other one is listed in a different CVE.
 Frech> XF:ftp-exec


=================================
Candidate: CAN-1999-0992
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: HP:HPSBUX9912-107

HP VirtualVault with the PHSS_17692 patch allows unprivileged
processes to bypass access restrictions via the Trusted Gateway Proxy
(TGP).

INFERRED ACTION: CAN-1999-0992 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   NOOP(1) Wall


=================================
Candidate: CAN-1999-0994
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: BINDVIEW:19991216 Windows NT's SYSKEY feature
Reference: MS:MS99-056
Reference: MSKB:Q248183
Reference: BID:873

Windows NT with SYSKEY reuses the keystream that is used for
encrypting SAM password hashes, allowing an attacker to crack
passwords.

INFERRED ACTION: CAN-1999-0994 ACCEPT (3 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Stracener


=================================
Candidate: CAN-1999-0995
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: NAI:19991216 Windows NT LSA Remote Denial of Service
Reference: MS:MS99-057
Reference: MSKB:Q248185
Reference: BID:875

Windows NT Local Security Authority (LSA) allows remote attackers to
cause a denial of service via malformed arguments to the LsaLookupSids
function which looks up the SID, aka "Malformed Security Identifier
Request."

Modifications:
  ADDREF BID:875

INFERRED ACTION: CAN-1999-0995 ACCEPT (3 accept, 4 ack, 0 review)

Current Votes:
   ACCEPT(3) Wall, Cole, Stracener


=================================
Candidate: CAN-1999-0999
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: MS:MS99-059
Reference: MSKB:Q248749
Reference: BID:817

Microsoft SQL 7.0 server allows a remote attacker to cause a denial of
service via a malformed TDS packet.

Modifications:
  DESC Add version
  ADDREF BID:817

INFERRED ACTION: CAN-1999-0999 ACCEPT (3 accept, 3 ack, 0 review)

Current Votes:
   ACCEPT(2) Cole, Stracener
   MODIFY(1) Wall

Comments:
 Wall> Microsoft SQL 7.0 server allows a remote attacker to cause a denial of
 Wall> service via a malformed TDS packet.


=================================
Candidate: CAN-1999-1001
Published:
Final-Decision:
Interim-Decision: 20000111
Modified:
Proposed: 19991222
Assigned: 19991221
Category: SF
Reference: CISCO:19991216 Cisco Cache Engine Authentication Vulnerabilities
Reference: BUGTRAQ:19991216 Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities

Cisco Cache Engine allows a remote attacker to gain access via a null
username and password.

INFERRED ACTION: CAN-1999-1001 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(1) Stracener
   MODIFY(1) Cole
   NOOP(2) Wall, Christey

Comments:
 Cole> The references are not that clear.
 Christey> While vendor-supplied advisories sometimes aren't clear, they
 Christey> have acknowledged the problem and provided enough information
 Christey> to attach a CVE name to them.

 
Page Last Updated: May 22, 2007