[VOTES] Vote details for older clusters related to content decisions
This OLD-CD meta-cluster includes voting details for all the older clusters which were used to illustrate content decisions, back in July and August 1999. Not surprisingly, these clusters have a large number of candidates that are still active and being held back by unresolved content decisions. These will be revisited in the coming months.

SA-OTHER
SA-LITTLE
SA-ATTACK
SA-HIST
NT-REGISTRY
DATA
CFMISC
NOVULN
PRIVACY
NETCONF
CDEC
DESIGN
NTCONFIG
PASS
MULT2
MULT

- Steve

---------------------
CLUSTER SA-OTHER
---------------------

SA-OTHER (8 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Other SA candidates

Voters:
   Wall ACCEPT(5) NOOP(3)
   Northcutt REJECT(8)

<PROPOSED> --> 8
REJECT --> 8

=================================
Candidate: CAN-1999-0640
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The Gopher service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0640 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0644
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The NNTP news service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0644 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0648
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The X25 service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0648 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0649
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The FSP service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0649 REJECT (1 reject, 0 accept, 0 review) HAS_CDS
Current Votes:
   NOOP(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0650
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The netstat service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0650 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0652
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A database service is running, e.g. a SQL server, Oracle, or mySQL.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0652 REJECT (1 reject, 0 accept, 0 review) HAS_CDS
Current Votes:
   NOOP(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0656
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The ugidd service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0656 REJECT (1 reject, 0 accept, 0 review) HAS_CDS
Current Votes:
   NOOP(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0658
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

DCOM is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0658 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

---------------------
CLUSTER SA-LITTLE
---------------------

SA-LITTLE (5 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Presence of "little" services that are rarely necessary

Voters:
   Wall ACCEPT(3) NOOP(2)
   Northcutt ACCEPT(1) REJECT(4)

<PROPOSED> --> 5
ACCEPT --> 1
REJECT --> 4

=================================
Candidate: CAN-1999-0635
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The echo service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0635 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS
Current Votes:
   ACCEPT(2) Wall, Northcutt
Comments:
   Northcutt> The method to my madness is echo is the common denom in the dos attack

=================================
Candidate: CAN-1999-0636
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The discard service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0636 REJECT (1 reject, 0 accept, 0 review) HAS_CDS
Current Votes:
   NOOP(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0637
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The systat service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0637 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0638
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The daytime service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0638 REJECT (1 reject, 0 accept, 0 review) HAS_CDS
Current Votes:
   NOOP(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0639
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The chargen service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0639 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

---------------------
CLUSTER SA-ATTACK
---------------------

SA-ATTACK (10 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Presence of services that are common attack points

Voters:
   Wall ACCEPT(9) REJECT(1)
   Northcutt REJECT(10)

<PROPOSED> --> 10
REJECT --> 10

=================================
Candidate: CAN-1999-0615
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The SNMP service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0615 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0620
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A component service related to NIS is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0620 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0630
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The NT Alerter and Messenger services are running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0630 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0633
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The HTTP/WWW service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0633 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0641
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The UUCP service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0641 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0645
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The IRC service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0645 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0646
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The LDAP service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0646 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0651
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The rsh/rlogin service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0651 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0653
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A component service related to NIS+ is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0653 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0659
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A Windows NT Primary Domain Controller (PDC) or Backup Domain Controller (BDC) is present.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0659 REJECT (2 reject, 0 accept, 0 review) HAS_CDS
Current Votes:
   REJECT(2) Wall, Northcutt
Comments:
   Wall> Don't consider this a service or a problem.

---------------------
CLUSTER SA-HIST
---------------------

SA-HIST (13 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/29
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Presence of services with a history of problems

Voters:
   Wall ACCEPT(12) NOOP(1)
   Northcutt REJECT(13)

<PROPOSED> --> 13
REJECT --> 13

=================================
Candidate: CAN-1999-0614
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The FTP service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0614 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0616
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The TFTP service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0616 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0617
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The SMTP service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0617 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0619
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The Telnet service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0619 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0621
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A component service related to NETBIOS is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0621 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0622
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A component service related to DNS service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0622 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0623
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The X Windows service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0623 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0631
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The NFS service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0631 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0632
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The RPC portmapper service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0632 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0634
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The SSH service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0634 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0642
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

A POP service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0642 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0643
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

The IMAP service is running.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0643 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0657
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990804
Assigned: 19990607
Category: SA

WinGate is being used.

CONTENT-DECISIONS: SA
INFERRED ACTION: CAN-1999-0657 REJECT (1 reject, 0 accept, 0 review) HAS_CDS
Current Votes:
   NOOP(1) Wall
   REJECT(1) Northcutt

---------------------
CLUSTER NT-REGISTRY
---------------------

NT-REGISTRY (6 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

CF problems related to NT registry settings

Voters:
   Wall ACCEPT(6)
   Northcutt RECAST(6)

<PROPOSED> --> 6
RECAST --> 6

=================================
Candidate: CAN-1999-0580
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate, system-critical permissions.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0580 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
Comments:
   Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   Northcutt> and see if you can't see a way to phrase specific keys in a way that
   Northcutt> defines inappropriate.

=================================
Candidate: CAN-1999-0581
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, system-critical permissions.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0581 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
Comments:
   Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   Northcutt> and see if you can't see a way to phrase specific keys in a way that
   Northcutt> defines inappropriate.

=================================
Candidate: CAN-1999-0589
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical Windows NT registry key has inappropriate permissions.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0589 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
Comments:
   Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   Northcutt> and see if you can't see a way to phrase specific keys in a way that
   Northcutt> defines inappropriate.

=================================
Candidate: CAN-1999-0611
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical Windows NT registry key has an inappropriate value.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0611 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
Comments:
   Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   Northcutt> and see if you can't see a way to phrase specific keys in a way that
   Northcutt> defines inappropriate.

=================================
Candidate: CAN-1999-0664
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990803
Category: CF

An application-critical Windows NT registry key has inappropriate permissions.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0664 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
Comments:
   Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   Northcutt> and see if you can't see a way to phrase specific keys in a way that
   Northcutt> defines inappropriate.

=================================
Candidate: CAN-1999-0665
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990803
Category: CF

An application-critical Windows NT registry key has an inappropriate value.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0665 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
Comments:
   Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   Northcutt> and see if you can't see a way to phrase specific keys in a way that
   Northcutt> defines inappropriate.

---------------------
CLUSTER DATA
---------------------

DATA (10 candidates)
--------------------
Proposed: 8/3
Scheduled Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

CF problems related to data access

Voters:
   Wall ACCEPT(10)
   Northcutt ACCEPT(3) RECAST(6) REJECT(1)

<MODIFIED> --> 1
<PROPOSED> --> 9
ACCEPT --> 3
RECAST --> 6
REJECT --> 1

=================================
Candidate: CAN-1999-0509
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

Perl, sh, csh, or other shell interpreters are accessible on a WWW site.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0509 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS
Current Votes:
   ACCEPT(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0520
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical NETBIOS/SMB share has inappropriate access control.

CONTENT-DECISIONS: CF-DATA
INFERRED ACTION: CAN-1999-0520 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
Comments:
   Northcutt> I think we need to enumerate the shares and or the access control

=================================
Candidate: CAN-1999-0522
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF
Reference: CERT:CA-96.10

The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate.

CONTENT-DECISIONS: CF-DATA
INFERRED ACTION: CAN-1999-0522 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
Comments:
   Northcutt> Why not say world readable, this is what you do further down in the
   Northcutt> file (world exportable in CAN-1999-0554)

=================================
Candidate: CAN-1999-0527
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten.

CONTENT-DECISIONS: CF-DATA
INFERRED ACTION: CAN-1999-0527 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS
Current Votes:
   ACCEPT(2) Wall, Northcutt
Comments:
   Northcutt> That that starts to get specific :)

=================================
Candidate: CAN-1999-0554
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

NFS exports system-critical data to the world, e.g. / or a password file.

CONTENT-DECISIONS: CF-DATA
INFERRED ACTION: CAN-1999-0554 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS
Current Votes:
   ACCEPT(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0559
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical Unix file or directory has inappropriate permissions.

CONTENT-DECISIONS: CF-DATA,LOA
INFERRED ACTION: CAN-1999-0559 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
Comments:
   Northcutt> Writable other than by root/bin/wheelgroup?

=================================
Candidate: CAN-1999-0560
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A system-critical Windows NT file or directory has inappropriate permissions.

CONTENT-DECISIONS: CF-DATA
INFERRED ACTION: CAN-1999-0560 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
Comments:
   Northcutt> I think we should specify these

=================================
Candidate: CAN-1999-0569
Published:
Final-Decision:
Interim-Decision:
Modified: 19991130-01
Proposed: 19990803
Assigned: 19990607
Category: CF

A URL for a WWW directory allows auto-indexing, which provides a list of all files in that directory if it does not contain an index.html file.

Modifications:
   Mention missing index.html

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0569 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt
Comments:
   Northcutt> I do this intentionally sometimes in high content directories

=================================
Candidate: CAN-1999-0587
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

A WWW server is not running in a restricted file system, e.g. through a chroot, thus allowing access to system-critical data.

CONTENT-DECISIONS: CF-DATA
INFERRED ACTION: CAN-1999-0587 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
Comments:
   Northcutt> While I would accept this for Unix, I am not sure this applies to NT,
   Northcutt> VMS, palm pilots, or commodore 64

=================================
Candidate: CAN-1999-0591
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990803
Assigned: 19990607
Category: CF

An event log in Windows NT has inappropriate access permissions.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0591 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Northcutt
Comments:
   Northcutt> splain Lucy, splain

---------------------
CLUSTER CFMISC
---------------------

CFMISC (18 candidates)
--------------------
Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Miscellaneous CF problems

Voters:
   Shostack ACCEPT(5) RECAST(6) REJECT(6)
   Northcutt ACCEPT(6) NOOP(3) REJECT(8)

<PROPOSED> --> 17
ACCEPT --> 3
RECAST --> 4
REJECT --> 10

=================================
Candidate: CAN-1999-0497
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

Anonymous FTP is enabled

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0497 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Shostack
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0512
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

Mail relay is enabled, allowing abuse by spammers.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0512 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS
Current Votes:
   ACCEPT(2) Northcutt, Shostack

=================================
Candidate: CAN-1999-0515
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0515 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Northcutt
   REJECT(1) Shostack
Comments:
   Shostack> Overly broad

=================================
Candidate: CAN-1999-0530
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A system is operating in "promiscuous" mode which allows it to perform packet sniffing.

CONTENT-DECISIONS: CF-NETCONFIG
INFERRED ACTION: CAN-1999-0530 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Northcutt
   REJECT(1) Shostack

=================================
Candidate: CAN-1999-0531
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0531 REJECT (1 reject, 0 accept, 0 review) HAS_CDS
Current Votes:
   RECAST(1) Shostack
   REJECT(1) Northcutt
Comments:
   Shostack> I think expn != vrfy, help, esmtp.

=================================
Candidate: CAN-1999-0539
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A trust relationship exists between two Unix hosts.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0539 REJECT (2 reject, 0 accept, 0 review) HAS_CDS
Current Votes:
   REJECT(2) Northcutt, Shostack
Comments:
   Northcutt> Too non specific

=================================
Candidate: CAN-1999-0547
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

An SSH server allows authentication through the .rhosts file.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0547 MOREVOTES (1 accept, 0 ack, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Shostack
   NOOP(1) Northcutt

=================================
Candidate: CAN-1999-0548
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A superfluous NFS server is running, but it is not importing or exporting any file systems.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0548 REJECT (1 reject, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Shostack
   REJECT(1) Northcutt

=================================
Candidate: CAN-1999-0555
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Unix account with a name other than "root" has UID 0, i.e. root privileges.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0555 REJECT (2 reject, 0 accept, 0 review) HAS_CDS
Current Votes:
   REJECT(2) Northcutt, Shostack
Comments:
   Northcutt> This is very bogus

=================================
Candidate: CAN-1999-0556
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

Two or more Unix accounts have the same UID.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0556 REJECT (2 reject, 0 accept, 0 review) HAS_CDS
Current Votes:
   REJECT(2) Northcutt, Shostack

=================================
Candidate: CAN-1999-0561
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

IIS has the #exec function enabled for Server Side Include (SSI) files.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0561 RECAST (1 recast, 0 accept, 0 review) HAS_CDS
Current Votes:
   NOOP(1) Northcutt
   RECAST(1) Shostack

=================================
Candidate: CAN-1999-0564
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0564 MOREVOTES (1 accept, 0 ack, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Shostack
   NOOP(1) Northcutt

=================================
Candidate: CAN-1999-0565
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Sendmail alias allows input to be piped to a program.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0565 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Northcutt
   RECAST(1) Shostack
Comments:
   Shostack> Is this a default alias? Is my .procmailrc an instance of this?

=================================
Candidate: CAN-1999-0568
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

rpc.admind in Solaris is not running in a secure mode.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0568 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Northcutt
   RECAST(1) Shostack
Comments:
   Shostack> are there secure modes?

=================================
Candidate: CAN-1999-0583
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

There is a one-way or two-way trust relationship between Windows NT domains.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0583 REJECT (2 reject, 0 accept, 0 review) HAS_CDS
Current Votes:
   REJECT(2) Northcutt, Shostack

=================================
Candidate: CAN-1999-0586
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A network service is running on a nonstandard port.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0586 REJECT (1 reject, 0 accept, 0 review) HAS_CDS
Current Votes:
   RECAST(1) Shostack
   REJECT(1) Northcutt
Comments:
   Shostack> Might be acceptable if clearer; is that a standard service on a
   Shostack> non-standard port, or any service on an unassigned port?

=================================
Candidate: CAN-1999-0590
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A system does not present an appropriate legal message or warning to a user who is accessing it.

CONTENT-DECISIONS: CF
INFERRED ACTION: CAN-1999-0590 RECAST (1 recast, 1 accept, 0 review) HAS_CDS
Current Votes:
   ACCEPT(1) Northcutt
   RECAST(1) Shostack

---------------------
CLUSTER NOVULN
---------------------

NOVULN (19 candidates)
--------------------
Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Problems that may be regarded as "not a vulnerability"

Voters:
   Wall ACCEPT(5) NOOP(5) REJECT(9)
   Northcutt ACCEPT(6) NOOP(6) REJECT(7)

<PROPOSED> --> 19
ACCEPT --> 3
NOOP --> 3
REJECT --> 13

=================================
Candidate: CAN-1999-0119
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

Windows NT 4.0 beta allows users to read and delete shares.

INFERRED ACTION: CAN-1999-0119 REJECT (1 reject, 0 accept, 0 review)
Current Votes:
   NOOP(1) Northcutt
   REJECT(1) Wall
Comments:
   Wall> Reject based on beta copy.
=================================
Candidate: CAN-1999-0361
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan29,1999

NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.

INFERRED ACTION: CAN-1999-0361 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0364
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb04,1999

Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.

INFERRED ACTION: CAN-1999-0364 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0397
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: L0PHT:Jan21,1999
Reference: BUGTRAQ:Jan21,1999

The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.

INFERRED ACTION: CAN-1999-0397 REJECT (1 reject, 1 accept, 0 review)

Current Votes:
   ACCEPT(1) Northcutt
   REJECT(1) Wall

Comments:
 Wall> Reject based on beta copy.

=================================
Candidate: CAN-1999-0403
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb4,1999
Reference: XF:cyrix-hang

A bug in Cyrix CPU's on Linux allows local users to perform a denial of service.
INFERRED ACTION: CAN-1999-0403 MOREVOTES (1 accept, 0 ack, 0 review)

Current Votes:
   ACCEPT(1) Northcutt
   NOOP(1) Wall

=================================
Candidate: CAN-1999-0453
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP).

INFERRED ACTION: CAN-1999-0453 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0454
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF

A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.

INFERRED ACTION: CAN-1999-0454 REJECT (1 reject, 0 accept, 0 review)

Current Votes:
   NOOP(1) Wall
   REJECT(1) Northcutt

Comments:
 Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced
 Northcutt> ways to accomplish this. To pursue making the world signature free
 Northcutt> is as much a vulnerability as having signatures, nay more.

=================================
Candidate: CAN-1999-0459
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: XF:linux-milo-halt

Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot.

INFERRED ACTION: CAN-1999-0459 REJECT (1 reject, 0 accept, 0 review)

Current Votes:
   NOOP(1) Northcutt
   REJECT(1) Wall

Comments:
 Wall> Reject based on beta copy.

=================================
Candidate: CAN-1999-0465
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: XF:http-img-overflow

Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter.
INFERRED ACTION: CAN-1999-0465 REJECT (1 reject, 1 accept, 0 review)

Current Votes:
   ACCEPT(1) Northcutt
   REJECT(1) Wall

Comments:
 Wall> Reject based on client-side DoS

=================================
Candidate: CAN-1999-0570
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0570 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   REJECT(1) Wall

Comments:
 Northcutt> Here we are crossing into the best practices arena again. However since
 Northcutt> passfilt does establish a measurable standard and since we aren't the
 Northcutt> ones defining the standard, simply saying it should be employed I will
 Northcutt> vote for this.

=================================
Candidate: CAN-1999-0584
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Windows NT file system is not NTFS.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0584 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Wall, Northcutt

Comments:
 Wall> NTFS partition provides the security. This could be re-worded
 Wall> to "A Windows NT file system is FAT" since it is either NTFS or FAT
 Wall> and FAT is less secure.

=================================
Candidate: CAN-1999-0592
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

The Logon box of a Windows NT system displays the name of the last user who logged in.
CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0592 REJECT (2 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   REJECT(2) Wall, Northcutt

Comments:
 Wall> Information gathering, not vulnerability
 Northcutt> Ah a C2 weenie must have snuck this in, this can be a good thing
 Northcutt> not just vulnerability

=================================
Candidate: CAN-1999-0593
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A user is allowed to shut down a Windows NT system without logging in.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0593 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

Comments:
 Wall> Still a denial of service.
 Northcutt> May well be appropriate

=================================
Candidate: CAN-1999-0594
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Windows NT system does not restrict access to removable media drives such as a floppy disk drive or CDROM drive.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0594 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

Comments:
 Wall> Perhaps it can be re-worded to "removable media drives
 Wall> such as a floppy disk drive or CDROM drive can be accessed (shared) in a
 Wall> Windows NT system."
 Northcutt> - what good is my NT w/o its floppy

=================================
Candidate: CAN-1999-0595
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: MSKB:Q182086

A Windows NT system does not clear the system page file during shutdown, which might allow sensitive information to be recorded.
CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0595 MOREVOTES (1 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Northcutt

=================================
Candidate: CAN-1999-0596
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Windows NT log file has an inappropriate maximum size or retention period.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0596 REJECT (2 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   REJECT(2) Wall, Northcutt

Comments:
 Northcutt> define appropriate

=================================
Candidate: CAN-1999-0597
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

A Windows NT account policy does not forcibly disconnect remote users from the server when their logon hours expire.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0597 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   REJECT(1) Wall

=================================
Candidate: CAN-1999-0603
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF

In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Operators, Replicators, System Operators, etc.

CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0603 REJECT (2 reject, 0 accept, 0 review) HAS_CDS

Current Votes:
   REJECT(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0654
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SA

The OS/2 or POSIX subsystem in NT is enabled.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0654 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Northcutt

Comments:
 Wall> These subsystems could still allow a process to persist across logins.
---------------------
CLUSTER PRIVACY
---------------------

PRIVACY (9 candidates)
--------------------
Proposed: 7/28
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Problems related to privacy

Voters:
  Wall ACCEPT(2) NOOP(7)
  Christey REJECT(1)
  Northcutt NOOP(9)

<PROPOSED> --> 9
ACCEPT --> 1
NOOP --> 7
REJECT --> 1

=================================
Candidate: CAN-1999-0031
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.20.javascript

JavaScript allows remote attackers to monitor a user's web activities.

INFERRED ACTION: CAN-1999-0031 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Northcutt

=================================
Candidate: CAN-1999-0469
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990409 IE 5.0 security vulnerabilities - %01 bug again
Reference: XF:ie-window-spoof

Internet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client.

INFERRED ACTION: CAN-1999-0469 SMC_REJECT (1 reject, 1 accept, 0 review)

Current Votes:
   ACCEPT(1) Wall
   NOOP(1) Northcutt
   REJECT(1) Christey

Comments:
 Wall> Reference: Microsoft Security Bulletin MS99-012
 Christey> DUPE CAN-1999-0488

=================================
Candidate: CAN-1999-0604
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data

An incorrect configuration of the WebStore 1.0 shopping cart CGI program "web_store.cgi" could disclose private information.
INFERRED ACTION: CAN-1999-0604 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0605
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data

An incorrect configuration of the Order Form 1.0 shopping cart CGI program could disclose private information.

INFERRED ACTION: CAN-1999-0605 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0606
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data

An incorrect configuration of the EZMall 2000 shopping cart CGI program "mall2000.cgi" could disclose private information.

INFERRED ACTION: CAN-1999-0606 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0607
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data

An incorrect configuration of the QuikStore shopping cart CGI program "quikstore.cgi" could disclose private information.

INFERRED ACTION: CAN-1999-0607 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0608
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data

An incorrect configuration of the PDG Shopping Cart CGI program "shopper.cgi" could disclose private information.
INFERRED ACTION: CAN-1999-0608 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0609
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data

An incorrect configuration of the SoftCart CGI program "SoftCart.exe" could disclose private information.

INFERRED ACTION: CAN-1999-0609 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0610
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data

An incorrect configuration of the Webcart CGI program could disclose private information.

INFERRED ACTION: CAN-1999-0610 MOREVOTES (0 accept, 0 ack, 0 review)

Current Votes:
   NOOP(2) Wall, Northcutt

---------------------
CLUSTER NETCONF
---------------------

NETCONF (12 candidates)
--------------------
Proposed: 7/26
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Network configuration problems

Voters:
  Frech MODIFY(8) REVIEWING(4)
  Northcutt ACCEPT(3) NOOP(1) RECAST(1) REJECT(7)

<PROPOSED> --> 12
MODIFY --> 2
RECAST --> 1
REJECT --> 7
REVIEWING --> 2

=================================
Candidate: CAN-1999-0510
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A router or firewall allows source routed packets from arbitrary hosts.
CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0510 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(1) Frech

Comments:
 Frech> XF:source-routing

=================================
Candidate: CAN-1999-0511
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

IP forwarding is enabled on a machine which is not a router or firewall.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0511 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   MODIFY(1) Frech

Comments:
 Frech> XF:ip-forwarding

=================================
Candidate: CAN-1999-0523
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

ICMP echo (ping) is allowed from arbitrary hosts.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0523 REJECT (1 reject, 0 accept, 1 review) HAS_CDS

Current Votes:
   REJECT(1) Northcutt
   REVIEWING(1) Frech

Comments:
 Northcutt> (Though I sympathize with this one :)

=================================
Candidate: CAN-1999-0524
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

ICMP information such as netmask and timestamp is allowed from arbitrary hosts.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0524 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   REJECT(1) Northcutt

Comments:
 Frech> XF:icmp-timestamp
 Frech> XF:icmp-netmask

=================================
Candidate: CAN-1999-0525
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

IP traceroute is allowed from arbitrary hosts.
CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0525 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   REJECT(1) Northcutt

Comments:
 Frech> XF:traceroute

=================================
Candidate: CAN-1999-0528
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0528 MOREVOTES (1 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
   ACCEPT(1) Northcutt
   REVIEWING(1) Frech

Comments:
 Frech> possibly XF:nisd-dns-fwd-check

=================================
Candidate: CAN-1999-0529
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0529 REJECT (1 reject, 0 accept, 1 review) HAS_CDS

Current Votes:
   REJECT(1) Northcutt
   REVIEWING(1) Frech

Comments:
 Northcutt> I have seen ISPs "assign" private addresses within their domain

=================================
Candidate: CAN-1999-0532
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A DNS server allows zone transfers.

CONTENT-DECISIONS: CF-DATA

INFERRED ACTION: CAN-1999-0532 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   REJECT(1) Northcutt

Comments:
 Northcutt> (With split DNS implementations this is quite appropriate)
 Frech> XF:dns-zonexfer

=================================
Candidate: CAN-1999-0533
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A DNS server allows inverse queries.
CONTENT-DECISIONS: CF-DATA

INFERRED ACTION: CAN-1999-0533 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   REJECT(1) Northcutt

Comments:
 Northcutt> (rule of thumb)
 Frech> XF:dns-iquery

=================================
Candidate: CAN-1999-0550
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A router's routing tables can be obtained from arbitrary hosts.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0550 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   RECAST(1) Northcutt

Comments:
 Northcutt> Don't you mean obtained by arbitrary hosts
 Frech> XF:routed
 Frech> XF:decod-rip-entry
 Frech> XF:rip

=================================
Candidate: CAN-1999-0571
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Feb5,1999

A router allows arbitrary hosts to connect to its configuration service, or related services such as telnet.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0571 MOREVOTES (0 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
   NOOP(1) Northcutt
   REVIEWING(1) Frech

=================================
Candidate: CAN-1999-0588
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A filter in a router or firewall allows unusual fragmented packets.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0588 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   REJECT(1) Northcutt

Comments:
 Northcutt> I want to vote to accept this one, but unusual is a shade broad.
 Frech> XF:nt-rras
 Frech> XF:cisco-fragmented-attacks
 Frech> XF:ip-frag

---------------------
CLUSTER CDEC
---------------------

CDEC (15 candidates)
--------------------
Proposed: 7/26
Scheduled Interim Decision: 8/23
Scheduled Final Decision: 8/27

Candidates affected by current content decision debates

Voters:
  Frech ACCEPT(2) MODIFY(6) RECAST(1) REJECT(1)
  Wall ACCEPT(5) MODIFY(1) NOOP(4)
  Christey REVIEWING(5)

<FINAL> --> 5
<PROPOSED> --> 10
ACCEPT --> 1
MODIFY --> 2
RECAST --> 1
REJECT --> 1
REVIEWING --> 5

=================================
Candidate: CAN-1999-0015
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop

Teardrop IP denial of service.

CONTENT-DECISIONS: LOA

INFERRED ACTION: CAN-1999-0015 SMC_REVIEW (2 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Comments:
 Frech> XF: teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are.
 Christey> See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258

=================================
Candidate: CAN-1999-0098
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: XF:smtp-helo-bo

Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.

INFERRED ACTION: CAN-1999-0098 SMC_REVIEW (1 accept, 1 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

Comments:
 Frech> (Accept XF reference.)
 Frech> Our references do not mention hiding activities. This issue can crash the
 Frech> SMTP server or execute arbitrary byte-code. Is there another reference
 Frech> available?
 Christey> Should this be merged with CAN-1999-0284, which is Sendmail
 Christey> with SMTP HELO?
=================================
Candidate: CAN-1999-0104
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop-mod

A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2

INFERRED ACTION: CAN-1999-0104 SMC_REVIEW (2 accept, 1 review)

Current Votes:
   ACCEPT(2) Wall, Frech
   REVIEWING(1) Christey

Comments:
 Wall> Another reference is Microsoft Knowledge Base Q179129.
 Christey> Not sure how many separate "instances" of Teardrop there are.
 Christey> See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258

=================================
Candidate: CAN-1999-0186
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: SUN:00178
Reference: XF:snmp-backdoor-access

In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.

CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0186 MOREVOTES (1 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Wall

Comments:
 Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr
 Frech> Add ISS:Hidden Community String in SNMP Implementation

=================================
Candidate: CAN-1999-0254
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: ISS:Hidden SNMP community in HP OpenView
Reference: XF:hpov-hidden-snmp-comm

A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information.
CONTENT-DECISIONS: CF-PASS

INFERRED ACTION: CAN-1999-0254 MOREVOTES (1 accept, 2 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Frech
   NOOP(1) Wall

=================================
Candidate: CAN-1999-0257
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

Nestea variation of teardrop IP fragmentation denial of service.

INFERRED ACTION: CAN-1999-0257 SMC_REVIEW (2 accept, 1 review)

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

Comments:
 Frech> XF:nestea-linux-dos
 Christey> Not sure how many separate "instances" of Teardrop
 Christey> and its ilk. Also see comments on CAN-1999-0001.
 Christey>
 Christey> See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258
 Christey>
 Christey> Is CAN-1999-0001 the same as CVE-1999-0052? That one is related
 Christey> to nestea (CAN-1999-0257) and probably the one described in
 Christey> BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
 Christey> The patch for nestea is in ip_input.c around line 750.
 Christey> The patches for CAN-1999-0001 are in lines 388&446. So,
 Christey> CAN-1999-0001 is different from CAN-1999-0257 and CVE-1999-0052.
 Christey> The FreeBSD patch for CVE-1999-0052 is in line 750.
 Christey> So, CAN-1999-0257 and CVE-1999-0052 may be the same, though
 Christey> CVE-1999-0052 should be RECAST since this bug affects Linux
 Christey> and other OSes besides FreeBSD.
 Christey>
 Christey> Also see BUGTRAQ:19990909 CISCO and nestea.
 Christey>
 Christey> Finally, note that there is no fundamental difference between
 Christey> nestea and nestea2/nestea-v2; they are different ports that
 Christey> exploit the same problem.

=================================
Candidate: CAN-1999-0258
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

Bonk variation of teardrop IP fragmentation denial of service.
INFERRED ACTION: CAN-1999-0258 SMC_REVIEW (2 accept, 1 review)

Current Votes:
   MODIFY(2) Wall, Frech
   REVIEWING(1) Christey

Comments:
 Wall> Reference Q179129
 Frech> XF:teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are.
 Christey> See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258

=================================
Candidate: CAN-1999-0411
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Feb19,1999
Reference: XF:sco-startup-scripts

Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access.

CONTENT-DECISIONS: SF-EXEC

INFERRED ACTION: CAN-1999-0411 MOREVOTES (1 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Wall

Comments:
 Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not
 Frech> 19 February) mentions gaining root access... it says a local user could
 Frech> "delete or overwrite arbitrary files on the system."

=================================
Candidate: CAN-1999-0452
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF

A service or application has a backdoor password that was placed there by the developer.

INFERRED ACTION: CAN-1999-0452 REJECT (1 reject, 1 accept, 0 review)

Current Votes:
   ACCEPT(1) Wall
   REJECT(1) Frech

Comments:
 Frech> Much too broad. Also may be HIGHCARD (or will be in the future).

=================================
Candidate: CAN-1999-0537
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A configuration in a web browser such as Internet Explorer or Netscape Navigator allows execution of active content such as ActiveX, Java, Javascript, etc.
CONTENT-DECISIONS: CF

INFERRED ACTION: CAN-1999-0537 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Wall
   RECAST(1) Frech

Comments:
 Frech> Good candidate for dot notation.
 Frech> XF:nav-java-enabled
 Frech> XF:nav-javascript-enabled
 Frech> XF:ie-active-content
 Frech> XF:ie-active-download
 Frech> XF:ie-active-scripting
 Frech> XF:ie-activex-execution
 Frech> XF:ie-java-enabled
 Frech> XF:netscape-javascript
 Frech> XF:netscape-java
 Frech> XF:zone-active-scripting
 Frech> XF:zone-activex-execution
 Frech> XF:zone-desktop-install
 Frech> XF:zone-low-channel
 Frech> XF:zone-file-download
 Frech> XF:zone-file-launch
 Frech> XF:zone-java-scripting
 Frech> XF:zone-low-java
 Frech> XF:zone-safe-scripting
 Frech> XF:zone-unsafe-scripting

---------------------
CLUSTER DESIGN
---------------------

DESIGN (27 candidates)
--------------------
Proposed: 7/20
Scheduled Proposed: 7/13
Scheduled Interim Decision: 8/2
Scheduled Final Decision: 8/6

Services or protocols with inherent design problems

Voters:
  Wall ACCEPT(2) NOOP(8)
  Frech ACCEPT(3) MODIFY(6) REVIEWING(2)
  Ozancin ACCEPT(8) RECAST(2)
  Northcutt ACCEPT(4) NOOP(3) REJECT(3)
  Meunier NOOP(1)
  Baker ACCEPT(10)

<FINAL> --> 17
<INTERIM> --> 1
<MODIFIED> --> 1
<PROPOSED> --> 8
ACCEPT --> 1
MODIFY --> 4
RECAST --> 2
REJECT --> 3
REVIEWING --> 1

=================================
Candidate: CAN-1999-0352
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-passwd-encrypt

ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.
CONTENT-DECISIONS: DESIGN-WEAK-ENCRYPTION,SF-EXEC

INFERRED ACTION: CAN-1999-0352 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(2) Wall, Northcutt
   RECAST(1) Ozancin

Comments:
 Ozancin> Can we combine this with CAN-1999-0356 - ControlIT(tm) 4.5 and earlier uses
 Ozancin> weak encryption.

=================================
Candidate: CAN-1999-0356
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-bookfile-access

ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.

CONTENT-DECISIONS: DESIGN-WEAK-ENCRYPTION,SF-EXEC

INFERRED ACTION: CAN-1999-0356 RECAST (1 recast, 1 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Baker, Frech
   NOOP(2) Wall, Northcutt
   RECAST(1) Ozancin

=================================
Candidate: CAN-1999-0476
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990331 Potential vulnerability in SCO TermVision Windows 95 client
Reference: XF:sco-termvision-password

A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user.

Modifications:
  ADDREF BUGTRAQ:19990331 Potential vulnerability in SCO TermVision Windows 95 client

CONTENT-DECISIONS: DESIGN-WEAK-ENCRYPTION

INFERRED ACTION: CAN-1999-0476 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Baker, Ozancin, Frech
   NOOP(2) Wall, Northcutt

=================================
Candidate: CAN-1999-0613
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SA

The rpc.sprayd service is running.
CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0613 REJECT (1 reject, 2 accept, 0 review) HAS_CDS

Current Votes:
   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt

Comments:
 Frech> XF:sprayd

=================================
Candidate: CAN-1999-0618
Published:
Final-Decision:
Interim-Decision:
Modified: 19990921-01
Proposed: 19990721
Assigned: 19990607
Category: SA
Reference: XF:rexec

The rexec service is running.

Modifications:
  ADDREF XF:rexec

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0618 ACCEPT (4 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(4) Wall, Northcutt, Baker, Ozancin
   MODIFY(1) Frech

Comments:
 Frech> XF:decod-rexec
 Frech> XF:rexec

=================================
Candidate: CAN-1999-0624
Published:
Final-Decision:
Interim-Decision: 19990925
Modified: 19990924-01
Proposed: 19990721
Assigned: 19990607
Category: SA
Reference: XF:rstat-out
Reference: XF:rstatd

The rstat/rstatd service is running.

Modifications:
  ADDREF XF:rstat-out
  ADDREF XF:rstatd

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0624 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Northcutt, Baker, Ozancin
   MODIFY(1) Frech
   NOOP(2) Wall, Meunier

Comments:
 Frech> XF:rstat-out
 Frech> XF:rstatd

=================================
Candidate: CAN-1999-0625
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SA

The rpc.rquotad service is running.

CONTENT-DECISIONS: SA

INFERRED ACTION: CAN-1999-0625 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Northcutt, Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

Comments:
 Frech> XF:rquotad

=================================
Candidate: CAN-1999-0629
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990721
Assigned: 19990607
Category: SA

The ident/identd service is running.
CONTENT-DECISIONS: SA INFERRED ACTION: CAN-1999-0629 REJECT (1 reject, 1 accept, 1 review) HAS_CDS Current Votes: ACCEPT(2) Baker, Ozancin NOOP(1) Wall REJECT(1) Northcutt REVIEWING(1) Frech Comments: Frech> possibly XF:identd? ================================= Candidate: CAN-1999-0647 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: SA The bootparam (bootparamd) service is running. CONTENT-DECISIONS: SA INFERRED ACTION: CAN-1999-0647 REJECT (1 reject, 2 accept, 0 review) HAS_CDS Current Votes: ACCEPT(2) Baker, Ozancin MODIFY(1) Frech NOOP(1) Wall REJECT(1) Northcutt Comments: Frech> XF:bootp ================================= Candidate: CAN-1999-0655 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: SA A service may include useful information in its banner or help function (such as the name and version), making it useful for information gathering activities. CONTENT-DECISIONS: SA INFERRED ACTION: CAN-1999-0655 ACCEPT_REV (3 accept, 0 ack, 1 review) HAS_CDS Current Votes: ACCEPT(4) Wall, Northcutt, Baker, Ozancin REVIEWING(1) Frech --------------------- CLUSTER NTCONFIG --------------------- NTCONFIG (13 candidates) -------------------- Proposed: 7/20 Scheduled Proposed: 7/6 Scheduled Interim Decision: 8/2 Scheduled Final Decision: 8/6 Configuration problems related to NT Voters: Frech MODIFY(11) REVIEWING(2) Shostack ACCEPT(12) REJECT(1) Wall ACCEPT(12) REVIEWING(1) Ozancin ACCEPT(9) MODIFY(3) RECAST(1) Christey ACCEPT(2) Northcutt ACCEPT(2) MODIFY(1) NOOP(1) RECAST(3) REJECT(6) Baker ACCEPT(8) MODIFY(2) REJECT(1) REVIEWING(2) <PROPOSED> --> 13 MODIFY --> 4 RECAST --> 3 REJECT --> 6 ================================= Candidate: CAN-1999-0499 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF NETBIOS share information may be published through SNMP registry keys in NT. 
CONTENT-DECISIONS: CF INFERRED ACTION: CAN-1999-0499 ACCEPT (5 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(5) Wall, Northcutt, Baker, Shostack, Ozancin MODIFY(1) Frech Comments: Frech> Change wording to 'Windows NT.' Frech> XF:snmp-netbios ================================= Candidate: CAN-1999-0534 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT user has inappropriate rights or privileges, e.g. Act as System, Add Workstation, Backup, Change System Time, Create Pagefile, Create Permanent Object, Create Token Name, Debug, Generate Security Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory, Profile Single Process, Remote Shutdown, Replace Process Token, Restore, System Environment, Take Ownership, or Unsolicited Input. CONTENT-DECISIONS: CF-PRIVS INFERRED ACTION: CAN-1999-0534 ACCEPT (5 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(5) Wall, Baker, Shostack, Ozancin, Christey MODIFY(2) Northcutt, Frech Comments: Northcutt> If we are going to write a laundry list put access to the scheduler in it. Christey> The list of privileges is very useful for lookup. Frech> XF:nt-create-token Frech> XF:nt-replace-token Frech> XF:nt-lock-memory Frech> XF:nt-increase-quota Frech> XF:nt-unsol-input Frech> XF:nt-act-system Frech> XF:nt-create-object Frech> XF:nt-sec-audit Frech> XF:nt-add-workstation Frech> XF:nt-manage-log Frech> XF:nt-take-owner Frech> XF:nt-load-driver Frech> XF:nt-profile-system Frech> XF:nt-system-time Frech> XF:nt-single-process Frech> XF:nt-increase-priority Frech> XF:nt-create-pagefile Frech> XF:nt-backup Frech> XF:nt-restore Frech> XF:nt-debug Frech> XF:nt-system-env Frech> XF:nt-remote-shutdown ================================= Candidate: CAN-1999-0535 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. 
for password length, password age, or uniqueness. CONTENT-DECISIONS: CF-POLICY INFERRED ACTION: CAN-1999-0535 RECAST (2 recast, 3 accept, 0 review) HAS_CDS Current Votes: ACCEPT(2) Wall, Shostack MODIFY(2) Baker, Frech RECAST(2) Northcutt, Ozancin Comments: Northcutt> inappropriate implies there is appropriate. As a guy who has been Northcutt> monitoring Northcutt> networks for years I have deep reservations about justifying the existence Northcutt> of any fixed cleartext password. For appropriate to exist, some "we" would Northcutt> have to establish some criteria for appropriate passwords. Baker> Perhaps this could be re-worded a bit. The CVE CAN-1999-00582 Baker> specifies "...settings for lockouts". To remain consistent with the Baker> other, maybe it should specify "...settings for passwords" I think Baker> most people would agree that passwords should be at least 8 Baker> characters; contain letters (upper and lowercase), numbers and at Baker> least one non-alphanumeric; should only be good a limited time 30-90 Baker> days; and should not contain character combinations from user's prior Baker> 2 or 3 passwords. Baker> Suggested rewrite - Baker> A Windows NT account policy does not enforce reasonable minimum Baker> security-critical settings for passwords, e.g. passwords of sufficient Baker> length, periodic required password changes, or new password uniqueness Ozancin> What is appropriate? Frech> XF:nt-autologonpwd Frech> XF:nt-pwlen Frech> XF:nt-maxage Frech> XF:nt-minage Frech> XF:nt-pw-history Frech> XF:nt-user-pwnoexpire Frech> XF:nt-unknown-pwdfilter Frech> XF:nt-pwd-never-expire Frech> XF:nt-pwd-nochange Frech> XF:nt-pwdcache-enable Frech> XF:nt-guest-change-passwords ================================= Candidate: CAN-1999-0546 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF The Windows NT guest account is enabled.
CONTENT-DECISIONS: CF INFERRED ACTION: CAN-1999-0546 ACCEPT (5 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(5) Wall, Northcutt, Baker, Shostack, Ozancin MODIFY(1) Frech Comments: Frech> XF:nt-guest-account ================================= Candidate: CAN-1999-0562 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF The registry in Windows NT can be accessed remotely by users who are not administrators. CONTENT-DECISIONS: CF INFERRED ACTION: CAN-1999-0562 RECAST (1 recast, 4 accept, 0 review) HAS_CDS Current Votes: ACCEPT(4) Wall, Baker, Shostack, Ozancin MODIFY(1) Frech RECAST(1) Northcutt Comments: Northcutt> This isn't all or nothing, users may be allowed to access part of the Northcutt> registry. Frech> XF:nt-winreg-all Frech> XF:nt-winreg-net ================================= Candidate: CAN-1999-0572 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF .reg files are associated with the Windows NT registry editor, making the registry susceptible to Trojan Horse attacks. CONTENT-DECISIONS: CF INFERRED ACTION: CAN-1999-0572 ACCEPT (4 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Wall, Baker, Shostack, Ozancin MODIFY(1) Frech NOOP(1) Northcutt Comments: Northcutt> I don't quite get what this means, sorry Frech> XF:nt-regfile ================================= Candidate: CAN-1999-0575 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking. 
CONTENT-DECISIONS: CF INFERRED ACTION: CAN-1999-0575 RECAST (1 recast, 4 accept, 1 review) HAS_CDS Current Votes: ACCEPT(4) Wall, Shostack, Ozancin, Christey MODIFY(1) Frech RECAST(1) Northcutt REVIEWING(1) Baker Comments: Northcutt> It isn't a great truth that you should enable all of the above, if you Northcutt> do you potentially introduce a vulnerability of filling up the file Northcutt> system with stuff you will never look at. Ozancin> It is far less interesting what a user does successfully than what they Ozancin> attempt and fail at. Christey> The list of event types is very useful for lookup. Frech> XF:nt-system-audit Frech> XF:nt-logon-audit Frech> XF:nt-object-audit Frech> XF:nt-privil-audit Frech> XF:nt-process-audit Frech> XF:nt-policy-audit Frech> XF:nt-account-audit ================================= Candidate: CAN-1999-0576 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories. CONTENT-DECISIONS: CF INFERRED ACTION: CAN-1999-0576 REJECT (1 reject, 4 accept, 0 review) HAS_CDS Current Votes: ACCEPT(3) Wall, Baker, Shostack MODIFY(2) Ozancin, Frech REJECT(1) Northcutt Comments: Northcutt> 1.) Too general are we ready to state what the security-critical files Northcutt> and directories are Northcutt> 2.) Does Ataris, Windows CE, PalmOS, Linux have such a capability Ozancin> Some files and directories are clearly understood to be critical. Others are Ozancin> unclear. We need to clarify what critical is. Frech> XF:nt-object-audit ================================= Candidate: CAN-1999-0577 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.
CONTENT-DECISIONS: CF INFERRED ACTION: CAN-1999-0577 REJECT (1 reject, 4 accept, 1 review) HAS_CDS Current Votes: ACCEPT(2) Wall, Shostack MODIFY(2) Ozancin, Frech REJECT(1) Northcutt REVIEWING(1) Baker Comments: Ozancin> It is far less interesting what a user does successfully than what they Ozancin> attempt and fail at. Ozancin> Perhaps only failure should be logged. Frech> XF:nt-object-audit ================================= Candidate: CAN-1999-0578 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys. CONTENT-DECISIONS: CF INFERRED ACTION: CAN-1999-0578 REJECT (1 reject, 3 accept, 1 review) HAS_CDS Current Votes: ACCEPT(4) Wall, Baker, Shostack, Ozancin REJECT(1) Northcutt REVIEWING(1) Frech Comments: Ozancin> with reservation Ozancin> Again what is defined as critical ================================= Candidate: CAN-1999-0579 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys. CONTENT-DECISIONS: CF INFERRED ACTION: CAN-1999-0579 REJECT (1 reject, 3 accept, 1 review) HAS_CDS Current Votes: ACCEPT(3) Wall, Baker, Shostack MODIFY(1) Ozancin REJECT(1) Northcutt REVIEWING(1) Frech Comments: Ozancin> Again only failure may be of interest. It would be impractical to wade Ozancin> through the incredibly large amount of logging that this would generate. It Ozancin> could overwhelm log entries that you might find interesting. ================================= Candidate: CAN-1999-0582 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g.
lockout duration, lockout after bad logon attempts, etc. CONTENT-DECISIONS: CF INFERRED ACTION: CAN-1999-0582 REJECT (1 reject, 4 accept, 0 review) HAS_CDS Current Votes: ACCEPT(3) Wall, Shostack, Ozancin MODIFY(2) Baker, Frech REJECT(1) Northcutt Comments: Northcutt> The definition is? Baker> Maybe a rewording of this one too. I think most people would agree on Baker> some "minimum" policies like 3-5 bad attempts lockout for an hour or Baker> until the administrator unlocks the account. Baker> Suggested rewrite - Baker> A Windows NT account policy does not enforce reasonable minimum Baker> security-critical settings for lockouts, e.g. lockout duration, Baker> lockout after bad logon attempts, etc. Ozancin> with reservations Ozancin> What is appropriate? Frech> XF:nt-thres-lockout Frech> XF:nt-lock-duration Frech> XF:nt-lock-window Frech> XF:nt-perm-lockout Frech> XF:lockout-disabled ================================= Candidate: CAN-1999-0585 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990721 Assigned: 19990607 Category: CF A Windows NT administrator account has the default name of Administrator. CONTENT-DECISIONS: CF INFERRED ACTION: CAN-1999-0585 REJECT (3 reject, 2 accept, 1 review) HAS_CDS Current Votes: ACCEPT(1) Ozancin MODIFY(1) Frech REJECT(3) Northcutt, Baker, Shostack REVIEWING(1) Wall Comments: Wall> Some sources say this is not a vulnerability, but a warning. It just Wall> slows down the search for the admin account (SID = 500) which can Wall> always be found. Northcutt> I change this on all NT systems I am responsible for, but is Northcutt> root a vulnerability? Baker> There are ways to identify the administrator account anyway, so this Baker> is only a minor delay to someone that is knowledgeable. This, in and Baker> of itself, doesn't really strike me as a vulnerability, anymore than Baker> the root account on a Unix box. 
Shostack> (there is no way to hide the account name today) Frech> XF:nt-adminexists --------------------- CLUSTER PASS --------------------- PASS (14 candidates) -------------------- Proposed: 7/14 Scheduled Proposed: 7/6 Scheduled Interim Decision: 7/26 Scheduled Final Decision: 7/30 Configuration problems related to passwords Voters: Shostack ACCEPT(14) Northcutt ACCEPT(14) Baker ACCEPT(14) Meunier ACCEPT(14) <PROPOSED> --> 14 ACCEPT --> 14 ================================= Candidate: CAN-1999-0501 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: CF A Unix account has a guessable password. CONTENT-DECISIONS: CF-PASS INFERRED ACTION: CAN-1999-0501 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Northcutt, Shostack, Meunier, Baker ================================= Candidate: CAN-1999-0502 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: CF A Unix account has a default, null, blank, or missing password. CONTENT-DECISIONS: CF-PASS INFERRED ACTION: CAN-1999-0502 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Northcutt, Shostack, Meunier, Baker ================================= Candidate: CAN-1999-0503 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: CF A Windows NT local user or administrator account has a guessable password. CONTENT-DECISIONS: CF-PASS INFERRED ACTION: CAN-1999-0503 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Northcutt, Shostack, Meunier, Baker ================================= Candidate: CAN-1999-0504 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: CF A Windows NT local user or administrator account has a default, null, blank, or missing password. 
CONTENT-DECISIONS: CF-PASS INFERRED ACTION: CAN-1999-0504 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Northcutt, Shostack, Meunier, Baker ================================= Candidate: CAN-1999-0505 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: CF A Windows NT domain user or administrator account has a guessable password. CONTENT-DECISIONS: CF-PASS INFERRED ACTION: CAN-1999-0505 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Northcutt, Shostack, Meunier, Baker ================================= Candidate: CAN-1999-0506 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: CF A Windows NT domain user or administrator account has a default, null, blank, or missing password. CONTENT-DECISIONS: CF-PASS INFERRED ACTION: CAN-1999-0506 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Northcutt, Shostack, Meunier, Baker ================================= Candidate: CAN-1999-0507 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: CF An account on a router, firewall, or other network device has a guessable password. CONTENT-DECISIONS: CF-PASS INFERRED ACTION: CAN-1999-0507 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Northcutt, Shostack, Meunier, Baker ================================= Candidate: CAN-1999-0508 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: CF An account on a router, firewall, or other network device has a default, null, blank, or missing password. 
CONTENT-DECISIONS: CF-PASS INFERRED ACTION: CAN-1999-0508 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Northcutt, Shostack, Meunier, Baker ================================= Candidate: CAN-1999-0516 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: CF An SNMP community name is guessable. CONTENT-DECISIONS: CF-PASS INFERRED ACTION: CAN-1999-0516 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Northcutt, Shostack, Meunier, Baker ================================= Candidate: CAN-1999-0517 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: CF An SNMP community name is the default (e.g. public), null, or missing. CONTENT-DECISIONS: CF-PASS INFERRED ACTION: CAN-1999-0517 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Northcutt, Shostack, Meunier, Baker ================================= Candidate: CAN-1999-0518 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: CF A NETBIOS/SMB share password is guessable. CONTENT-DECISIONS: CF-PASS INFERRED ACTION: CAN-1999-0518 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Northcutt, Shostack, Meunier, Baker ================================= Candidate: CAN-1999-0519 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: CF A NETBIOS/SMB share password is the default, null, or missing. CONTENT-DECISIONS: CF-PASS INFERRED ACTION: CAN-1999-0519 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Northcutt, Shostack, Meunier, Baker ================================= Candidate: CAN-1999-0521 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: CF An NIS domain name is easily guessable. 
CONTENT-DECISIONS: CF-PASS INFERRED ACTION: CAN-1999-0521 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Northcutt, Shostack, Meunier, Baker ================================= Candidate: CAN-1999-0541 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: CF A password for accessing a WWW URL is guessable. CONTENT-DECISIONS: CF-PASS INFERRED ACTION: CAN-1999-0541 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS Current Votes: ACCEPT(4) Northcutt, Shostack, Meunier, Baker --------------------- CLUSTER MULT2 --------------------- MULT2 (14 candidates) -------------------- Proposed: 7/13 Scheduled Interim Decision: 7/26 Scheduled Final Decision: 7/30 other vuln's with multiple executables/LOA content decision Voters: Frech ACCEPT(2) REVIEWING(2) Shostack ACCEPT(1) NOOP(1) REJECT(2) Christey REVIEWING(1) Northcutt ACCEPT(4) <FINAL> --> 10 <PROPOSED> --> 4 REJECT --> 2 REVIEWING --> 2 ================================= Candidate: CAN-1999-0169 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Reference: XF:nfs-uid NFS allows attackers to read and write any file on the system by specifying a false UID. INFERRED ACTION: CAN-1999-0169 REJECT (1 reject, 2 accept, 0 review) Current Votes: ACCEPT(2) Northcutt, Frech REJECT(1) Shostack Comments: Shostack> this is not a vulnerability but a design feature. ================================= Candidate: CAN-1999-0171 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Reference: XF:syslog-flood Denial of service in syslog by sending it a large number of superfluous messages. INFERRED ACTION: CAN-1999-0171 REJECT (1 reject, 2 accept, 1 review) Current Votes: ACCEPT(2) Northcutt, Frech REJECT(1) Shostack REVIEWING(1) Christey Comments: Shostack> design issue, not a vulnerability. 
Alternately, add: Shostack> DOS on server by opening a large number of telnet sessions.. Christey> Duplicate of CVE-1999-0566? ================================= Candidate: CAN-1999-0193 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option. INFERRED ACTION: CAN-1999-0193 MOREVOTES (2 accept, 0 ack, 1 review) Current Votes: ACCEPT(2) Northcutt, Shostack REVIEWING(1) Frech Comments: Frech> possibly XF:ascend-kill Frech> I can't find a reference that lists both routers in the same reference. ================================= Candidate: CAN-1999-0298 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990714 Assigned: 19990607 Category: SF Reference: NAI:NAI-6 ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files. INFERRED ACTION: CAN-1999-0298 MOREVOTES (1 accept, 1 ack, 1 review) Current Votes: ACCEPT(1) Northcutt NOOP(1) Shostack REVIEWING(1) Frech --------------------- CLUSTER MULT --------------------- MULT (35 candidates) -------------------- Proposed: 6/23 Scheduled Interim Decision: 7/5 Scheduled Final Decision: 7/9 Multiple executables split into Voters: Wall ACCEPT(2) MODIFY(2) Levy ACCEPT(3) MODIFY(1) Ozancin ACCEPT(1) MODIFY(1) REVIEWING(1) Landfield ACCEPT(3) MODIFY(1) NOOP(1) Frech ACCEPT(4) MODIFY(11) RECAST(2) REVIEWING(2) Christey NOOP(3) RECAST(1) REJECT(1) REVIEWING(2) Northcutt ACCEPT(1) NOOP(3) Balinsky NOOP(1) Prosser ACCEPT(3) MODIFY(1) RECAST(2) Blake ACCEPT(2) <FINAL> --> 15 <INTERIM> --> 1 <MODIFIED> --> 7 <PROPOSED> --> 11 ACCEPT --> 3 MODIFY --> 8 RECAST --> 4 REJECT --> 1 REVIEWING --> 3 ================================= Candidate: CAN-1999-0030 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Reference: CERT:CA-97.21.sgi_buffer_overflow 
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul Reference: XF:sgi-xlockbo Reference: SGI:19970508-02-PX root privileges via buffer overflow in xlock command on SGI IRIX systems. INFERRED ACTION: CAN-1999-0030 SMC_REJECT (1 reject, 3 accept, 0 review) Current Votes: ACCEPT(3) Prosser, Levy, Ozancin RECAST(1) Frech REJECT(1) Christey Comments: Frech> XF:xlock-bo (also add) Frech> As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and Frech> several Linii. Frech> Also, don't you mean to cite SGI:19970502-02-PX? The one you list is Frech> login/scheme. Levy> Notice that this xlock overflow is the same as in Levy> CA-97.13. CA-97.21 simply is a reminder. Christey> As pointed out by Elias, CA-97.21 states: "For more Christey> information about vulnerabilities in xlock... see CA-97.13" Christey> CA-97.13 = CVE-1999-0038. Christey> This may also be a duplicate with CAN-1999-0306. ================================= Candidate: CAN-1999-0076 Published: Final-Decision: Interim-Decision: Modified: 19990925-01 Proposed: 19990623 Assigned: 19990607 Category: SF Reference: XF:ftp-args Buffer overflow in wu-ftp from PASV command causes a core dump. Modifications: DESC make more explicit to distinguish from CAN-1999-0075 INFERRED ACTION: CAN-1999-0076 MOREVOTES (1 accept, 0 ack, 0 review) Current Votes: ACCEPT(1) Frech NOOP(1) Balinsky Comments: Balinsky> Don't know what this is. Is this the LIST Core dump vulnerability? ================================= Candidate: CAN-1999-0092 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Reference: ERS:ERS-SVA-E01-1997:006.1 Various vulnerabilities in the AIX portmir command allows local users to obtain root access. 
CONTENT-DECISIONS: SF-LOC INFERRED ACTION: CAN-1999-0092 MOREVOTES (1 accept, 1 ack, 0 review) HAS_CDS Current Votes: MODIFY(1) Frech Comments: Frech> XF:ibm-portmir ================================= Candidate: CAN-1999-0101 Published: Final-Decision: Interim-Decision: 20000111 Modified: 20000105-01 Proposed: 19990623 Assigned: 19990607 Category: SF Reference: ERS:ERS-SVA-E01-1997:001.1 Reference: ERS:ERS-SVA-E01-1996:007.1 Reference: SUN:00137a Reference: CIAC:H-13 Reference: NAI:NAI-1 Reference: XF:ghbn-bo Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names. Modifications: ADDREF CIAC:H-13 CHANGEREF SUN:00137 SUN:00137a ADDREF XF:ghbn-bo CONTENT-DECISIONS: SF-CODEBASE INFERRED ACTION: CAN-1999-0101 ACCEPT_ACK (2 accept, 3 ack, 0 review) HAS_CDS Current Votes: ACCEPT(1) Prosser MODIFY(1) Frech NOOP(1) Christey Comments: Frech> XF:ghbn-bo Frech> in addition to ERS:1997:001.1, also include 1996:007.1 Frech> Sun's bulletin is 137a, not 137. Prosser> concur with Andre, sun bul is 137a Christey> The NAI advisory discusses a problem with programs trusting Christey> the length field that is returned from gethostbyname(). Christey> The ERS and SUN advisories implicitly refer to Christey> BUGTRAQ:19961118 Serious hole in Solaris 2.5[.1] Christey> gethostbyname() (exploit included) Christey> which allows local users to gain access by providing Christey> arguments *to* gethostbyname(). Christey> As both Andre and Mike's comments relate to the advisories, Christey> NAI-1 will be deleted as a reference for this candidate, and Christey> a new candidate will be proposed later on.
================================= Candidate: CAN-1999-0124 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability Reference: XF:gopher-vuln Vulnerabilities in UMN gopher and gopher+ allow an intruder to read any files that can be accessed by the gopher daemon. INFERRED ACTION: CAN-1999-0124 MOREVOTES (1 accept, 1 ack, 0 review) Current Votes: ACCEPT(1) Frech ================================= Candidate: CAN-1999-0127 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Reference: CERT:CA-96.27.hp_sw_install Reference: AUSCERT:AA-96.04 Reference: XF:hpux-swinstall swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access. CONTENT-DECISIONS: SF-EXEC INFERRED ACTION: CAN-1999-0127 ACCEPT_ACK (2 accept, 2 ack, 0 review) HAS_CDS Current Votes: ACCEPT(1) Prosser MODIFY(1) Frech NOOP(1) Christey Comments: Frech> (keep current XF: reference, and add) Frech> XF:hpux-sqwmodify Christey> Perhaps this should be split, per SF-LOC. ================================= Candidate: CAN-1999-0231 Published: Final-Decision: Interim-Decision: Modified: 19991207-01 Proposed: 19990623 Assigned: 19990607 Category: SF Reference: BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access. 
Modifications: ADDREF BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also CONTENT-DECISIONS: SF-CODEBASE INFERRED ACTION: CAN-1999-0231 RECAST (1 recast, 1 accept, 1 review) HAS_CDS Current Votes: ACCEPT(1) Levy NOOP(2) Northcutt, Landfield RECAST(1) Frech REVIEWING(1) Ozancin Comments: Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below) Frech> XF:smtp-vrfy-bo (many mail packages) Northcutt> (There is no way I will have access to these systems) ================================= Candidate: CAN-1999-0261 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Reference: BUGTRAQ:19980504 Netmanage Holes Reference: INSECURE:http://www.insecure.org/sploits/netmanage.chameleon.overflows.html Netmanager Chameleon SMTPd has several buffer overflows that cause a crash. CONTENT-DECISIONS: SF-LOC INFERRED ACTION: CAN-1999-0261 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS Current Votes: MODIFY(2) Frech, Landfield NOOP(1) Northcutt Comments: Frech> XF:chamelion-smtp-dos Landfield> - Specify what "a crash" means. ================================= Candidate: CAN-1999-0282 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Reference: CERT:CA-95.12.sun.loadmodule.vul Vulnerabilities in loadmodule and modload programs in SunOS and OpenWindows INFERRED ACTION: CAN-1999-0282 RECAST (1 recast, 1 accept, 0 review) Current Votes: MODIFY(1) Frech RECAST(1) Prosser Comments: Frech> XF:sun-loadmodule Frech> XF:sun-modload (CERT CA-93.18 very old!) Prosser> Believe the reference given, 95-12, is referencing a later Prosser> loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an Prosser> earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories Prosser> for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. 
In fact, there may be the Prosser> same as the HP patches are 100448-02 for the 93 loadmodule/modload Prosser> vulnerability and 100448-03 for the 95 loadmodule vulnerability which Prosser> normally indicated a patch update. Looks like the original patch either Prosser> didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell Prosser> much beyond that and this is my opinion only as have no way to check it. Prosser> Which one is this CVE referencing? I accept both. ================================= Candidate: CAN-1999-0284 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Reference: XF:smtp-helo-bo Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command. CONTENT-DECISIONS: SF-CODEBASE/DUPE CAN-1999-0098 INFERRED ACTION: CAN-1999-0284 SMC_REVIEW (5 accept, 1 review) HAS_CDS Current Votes: ACCEPT(2) Blake, Northcutt MODIFY(3) Frech, Levy, Ozancin REVIEWING(1) Christey Comments: Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification) Frech> XF:mdaemon-helo-bo Frech> XF:lotus-notes-helo-crash Frech> XF:slmail-helo-overflow Frech> XF:smtp-helo-bo (mentions several products) Frech> XF:smtp-exchangedos Levy> - Need one per software. Each one should be its own Levy> vulnerability. Ozancin> => Windows NT is correct Christey> These are probably multiple codebases, so we'll need to use Christey> dot notation. Also need to see if this should be merged Christey> with CAN-1999-0098 (Sendmail SMTP HELO). 
================================= Candidate: CAN-1999-0333 Published: Final-Decision: Interim-Decision: Modified: 19990925-01 Proposed: 19990623 Assigned: 19990607 Category: SF Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK Reference: HP:HPSBUX9810-085 Reference: XF:omniback-remote HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack. Modifications: ADDREF HP:HPSBUX9810-085 CONTENT-DECISIONS: SF-LOC INFERRED ACTION: CAN-1999-0333 RECAST (1 recast, 2 accept, 0 review) HAS_CDS Current Votes: ACCEPT(1) Frech MODIFY(1) Prosser RECAST(1) Christey Comments: Prosser> additional source Prosser> HP Security Bulletin 85 Prosser> http://us-support.external.hp.com Prosser> http://europe-support.external.hp.com Christey> Two separate bugs, so SF-LOC says this candidate should be Christey> split ================================= Candidate: CAN-1999-0354 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Reference: NTBUGTRAQ:Jan27,1999 Reference: MS:MS99-002 Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message. CONTENT-DECISIONS: SF-EXEC, SF-LOC INFERRED ACTION: CAN-1999-0354 MOREVOTES (1 accept, 1 ack, 1 review) HAS_CDS Current Votes: ACCEPT(1) Wall REVIEWING(1) Frech ================================= Candidate: CAN-1999-0415 Published: Final-Decision: Interim-Decision: Modified: Proposed: 19990623 Assigned: 19990607 Category: SF Reference: ISS:Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers The Clickstart web server in Cisco 700 series routers allows remote attackers to execute commands on the router, or perform information gathering, without authentication. 
INFERRED ACTION: CAN-1999-0415 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> Reference: ISS:March11,1999 (consistent with cluster 1, CAN-1999-0008)
 Frech> XF:cisco-router-commands
 Frech> XF:cisco-web-config

=================================
Candidate: CAN-1999-0416
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: ISS:Remote Reconfiguration and Denial of Service Vulnerabilities in Cisco 700 ISDN Routers

The Clickstart web server in Cisco 700 series routers allows remote attackers to perform a denial of service.

INFERRED ACTION: CAN-1999-0416 MOREVOTES (1 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> Reference: ISS:March11,1999
 Frech> XF:cisco-web-crash

=================================
Candidate: CAN-1999-0435
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9903-096

MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM.

CONTENT-DECISIONS: SF-EXEC

INFERRED ACTION: CAN-1999-0435 MOREVOTES (1 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   MODIFY(1) Frech

Comments:
 Frech> XF:hp-servicegaurd

=================================
Candidate: CAN-1999-0467
Published:
Final-Decision:
Interim-Decision:
Modified: 20000106-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Reference: XF:http-cgi-webcom-guestbook

The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter.

Modifications:
   ADDREF NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
   DESC Add "read file via templates."
CONTENT-DECISIONS: SF-EXEC

INFERRED ACTION: CAN-1999-0467 ACCEPT (3 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(3) Frech, Landfield, Blake
   NOOP(2) Northcutt, Christey

Comments:
 Christey> CAN-1999-0287 is probably a duplicate of CAN-1999-0467. In
 Christey> NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
 Christey> Mnemonix says that he had previously reported on a similar
 Christey> problem. Let's refer to the NTBugtraq posting as
 Christey> CAN-1999-0467. We will refer to the "previous report" as
 Christey> CAN-1999-0287, which can be found at:
 Christey> http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
 Christey>
 Christey> 0287 describes an exploit via the "template" hidden variable.
 Christey> The exploit describes manually editing the HTML form to
 Christey> change the filename to read from the template variable.
 Christey>
 Christey> The exploit as described in 0467 encodes the template variable
 Christey> directly into the URL. However, hidden variables are also
 Christey> encoded into the URL, which would have looked the same to
 Christey> the web server regardless of the exploit. Therefore 0287
 Christey> and 0467 are the same.

=================================
Candidate: CAN-1999-0488
Published:
Final-Decision:
Interim-Decision:
Modified: 19991205-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-012

Internet Explorer 4.0 and 5.0 allows a remote attacker to execute security scripts in a different security context using malicious URLs, a variant of the "cross frame" vulnerability.
Modifications:
   DESC added cross-frame and version details

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0488 ACCEPT (3 accept, 1 ack, 0 review) HAS_CDS

Current Votes:
   ACCEPT(1) Landfield
   MODIFY(2) Frech, Wall

Comments:
 Frech> XF:ie-mshtml-crossframe
 Wall> (source: MSKB:Q168485)

=================================
Candidate: CAN-1999-0489
Published:
Final-Decision:
Interim-Decision:
Modified: 19991205-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-015

MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste a file name into the file upload intrinsic control, a variant of "untrusted scripted paste" as described in MS:MS98-013.

Modifications:
   DESC modified to discriminate more from "untrusted scripted paste" as described in MS:MS98-013.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0489 RECAST (1 recast, 2 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(1) Levy
   MODIFY(1) Wall
   RECAST(1) Prosser
   REVIEWING(1) Frech

Comments:
 Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a
 Frech> clipboard in either.
 Frech> I cannot proceed on this one without further clarification.
 Wall> (source: MS:MS99-012)
 Prosser> agree with Andre here. The Untrusted Scripted paste
 Prosser> vulnerability was originally addressed in MS98-015 and it is in the file
 Prosser> upload intrinsic control in which an attacker can paste the name of a file
 Prosser> on the target's drive in the control and a form submission would then send
 Prosser> that file from the attacked machine to the remote web site. This one has
 Prosser> nothing to do with the clipboard. What the advisory mentioned here,
 Prosser> MS99-012, does is replace the MSHTML parsing engine which is supposed to fix
 Prosser> the original Untrusted Scripted Paste issue and a variant, as well as the
 Prosser> two Cross-Frame variants and a privacy issue in IMG SRC.
 Prosser> The vulnerability that allowed reading of a user's clipboard is the Forms
 Prosser> 2.0 Active X control vulnerability discussed in MS99-01

=================================
Candidate: CAN-1999-0490
Published:
Final-Decision:
Interim-Decision:
Modified: 19991205-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: MS:MS99-012

MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn information about a local user's files via an IMG SRC tag.

Modifications:
   DESC added "IMG SRC" details.

CONTENT-DECISIONS: SF-LOC

INFERRED ACTION: CAN-1999-0490 SMC_REVIEW (3 accept, 1 review) HAS_CDS

Current Votes:
   ACCEPT(2) Wall, Landfield
   MODIFY(1) Frech
   REVIEWING(1) Christey

Comments:
 Frech> XF:ie-scriplet-fileread
 Christey> Duplicate of CAN-1999-0347?