[PROPOSAL] Cluster RECENT-36 - 15 candidates
The following cluster contains 15 candidates that were announced between July 25 and August 31, 2000.

Note that the voting web site will not be updated with this cluster until late tonight.

The candidates are listed in order of priority. Priority 1 and Priority 2 candidates both deal with varying levels of vendor confirmation, so they should be easy to review and it can be trusted that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect to the problems discovered during the associated time frame, please send that information to me so that candidates can be assigned.

- Steve

Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT    - voter accepts the candidate as proposed
NOOP      - voter has no opinion on the candidate
MODIFY    - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST    - candidate must be significantly modified, e.g. split or merged
REJECT    - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

2) If you see any missing references, please mention them so that they can be included. References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes. So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats.
======================================================
Candidate: CAN-2000-0812
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0812
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000926
Category: SF/CF/MP/SA/AN/unknown
Reference: SUN:00197
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/197&type=0&nav=sec.sba
Reference: MISC:http://www.securityfocus.com/templates/advisory.html?id=2542

The administration module in Sun Java web server allows remote attackers to execute arbitrary commands by uploading Java code to the module and invoke the com.sun.server.http.pagecompile.jsp92.JspServlet by requesting a URL that begins with a /servlet/ tag.

Analysis
----------------
ED_PRI CAN-2000-0812 1
Vendor Acknowledgement: unknown

ABSTRACTION: This appears to be the same as CAN-2000-0629. However, according to Casper Dik, CAN-2000-0629 was related to example code, but this one has more to do with a bug in the administration server itself. Thus this should remain separate from CAN-2000-0629.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0824
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0824
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20001015
Category: SF
Reference: BUGTRAQ:19990917 A few bugs...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/0992.html
Reference: BUGTRAQ:20000831 glibc unsetenv bug
Reference: URL:http://www.securityfocus.com/archive/1/79537
Reference: CALDERA:CSSA-2000-028.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2000-028.0.txt
Reference: DEBIAN:20000902 glibc: local root exploit
Reference: URL:http://www.debian.org/security/2000/20000902
Reference: MANDRAKE:MDKSA-2000:040
Reference: URL:http://www.linux-mandrake.com/en/updates/MDKSA-2000-040.php3
Reference: MANDRAKE:MDKSA-2000:045
Reference: URL:http://www.linux-mandrake.com/en/updates/MDKSA-2000-045.php3
Reference: REDHAT:RHSA-2000:057-04
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-057-04.html
Reference: TURBO:TLSA2000020-1
Reference: URL:http://www.turbolinux.com/pipermail/tl-security-announce/2000-September/000020.html
Reference: SUSE:20000924 glibc locale security problem
Reference: URL:http://www.suse.de/de/support/security/adv5_draht_glibc_txt.txt
Reference: BUGTRAQ:20000902 Conectiva Linux Security Announcement - glibc
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0436.html
Reference: BUGTRAQ:20000905 Conectiva Linux Security Announcement - glibc
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0509.html
Reference: BUGTRAQ:20000906 [slackware-security]: glibc 2.1.3 vulnerabilities patched
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0525.html
Reference: BID:648
Reference: URL:http://www.securityfocus.com/bid/648
Reference: BID:1639
Reference: URL:http://www.securityfocus.com/bid/1639

The unsetenv function in glibc 2.1.1 does not properly unset an environmental variable if the variable is provided twice to a program, which could allow local users to execute arbitrary commands in setuid programs by specifying their own duplicate environmental variables such as LD_PRELOAD or LD_LIBRARY_PATH.

Analysis
----------------
ED_PRI CAN-2000-0824 1
Vendor Acknowledgement: yes

ABSTRACTION: This problem was initially discovered in September 1999, but it wasn't fully noticed and addressed until September 2000.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0862
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0862
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20001018
Category:
Reference: ALLAIRE:ASB00-23
Reference: URL:http://archives.neohapsis.com/archives/vendor/2000-q3/0059.html

Vulnerability in an administrative interface utility for Allaire Spectra 1.0.1 allows remote attackers to read and modify sensitive configuration information.

Analysis
----------------
ED_PRI CAN-2000-0862 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0864
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0864
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20001018
Category:
Reference: FREEBSD:FreeBSD-SA-00:45
Reference: URL:http://archives.neohapsis.com/archives/freebsd/2000-08/0365.html
Reference: BUGTRAQ:20000911 Patch for esound-0.2.19
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0095.html
Reference: MANDRAKE:MDKSA-2000:051
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-09/0328.htm
Reference: BID:1659
Reference: URL:http://www.securityfocus.com/bid/1659
Reference: REDHAT:RHSA-2000:077-03

Race condition in the creation of a Unix domain socket in GNOME esound 0.2.19 and earlier allows a local user to change the permissions of arbitrary files and directories, and gain additional privileges, via a symlink attack.

Analysis
----------------
ED_PRI CAN-2000-0864 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0804
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0804
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000925
Category: SF/CF/MP/SA/AN/unknown
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#One-way_Connection

Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to bypass the directionality check via fragmented TCP connection requests or reopening closed TCP connection requests, aka "One-way Connection Enforcement Bypass."

Analysis
----------------
ED_PRI CAN-2000-0804 2
Vendor Acknowledgement: yes advisory

INCLUSION: In Check Point's advisory, they say that "The directionality check is an additional layer of security which VPN-1/FireWall-1 adds to these protocols. An attack which bypasses this check is not in itself a security risk, however this check would otherwise substantially minimize the effects of [other vulnerabilities]."

As such, is this more of a bug fix (or design improvement) than an inherent vulnerability or exposure? Are there comparable products that have this sort of problem?

A general question is: if something is "state-of-the-art," but limitations are found in that state-of-the-art, is that a vulnerability, an exposure, or neither? And is this functionality state-of-the-art? What if the technology doesn't become "state-of-the-art" anymore - does it then become "worthy" of inclusion in CVE?

Similar candidates are CAN-1999-0598 through CAN-1999-0602, which describe fundamental problems in intrusion detection systems that were discovered and publicized by Ptacek and Newsham. Also consider CAN-2000-0093, in which Red Hat Linux would use "relatively weak" DES encryption instead of MD5. Problems related to weak encryption are covered by CD:DESIGN-WEAK-ENCRYPTION.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0805
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0805
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000925
Category: SF/CF/MP/SA/AN/unknown
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#Retransmission_of

Check Point VPN-1/FireWall-1 4.1 and earlier improperly retransmits encapsulated FWS packets, even if they do not come from a valid FWZ client, aka "Retransmission of Encapsulated Packets."

Analysis
----------------
ED_PRI CAN-2000-0805 3
Vendor Acknowledgement: unknown

INCLUSION: The Check Point advisory says: "NOTE: This is not a vulnerability in itself, although it may be used to facilitate an attack." In other words, this is an exposure, and thus should be included in CVE.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0806
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0806
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000925
Category: SF/CF/MP/SA/AN/unknown
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#Inter-module_Communications

The inter-module authentication mechanism (fwa1) in Check Point VPN-1/FireWall-1 4.1 and earlier may allow remote attackers to conduct a denial of service, aka "Inter-module Communications Bypass."

Analysis
----------------
ED_PRI CAN-2000-0806 3
Vendor Acknowledgement: unknown

INCLUSION: The Check Point advisory states that "This allowed theoretical denial of service attacks" and "There is no known risk to customers because of this issue."
Its solution is apparently to "strengthen" their authentication mechanism.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0807
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0807
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000925
Category: SF/CF/MP/SA/AN/unknown
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#OPSEC_Authentication

The OPSEC communications authentication mechanism (fwn1) in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to spoof connections, aka the "OPSEC Authentication Vulnerability."

Analysis
----------------
ED_PRI CAN-2000-0807 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0808
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0808
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000925
Category: SF/CF/MP/SA/AN/unknown
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#One-time_Password

The seed generation mechanism in the inter-module S/Key authentication mechanism in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to bypass authentication via a brute force attack, aka "One-time (s/key) Password Authentication."

Analysis
----------------
ED_PRI CAN-2000-0808 3
Vendor Acknowledgement: unknown

The advisory is vague about the cause of the problem, or how "brute force" the mechanism really is. An indicator that the problem is in generating the seed is as follows: "the S/Key seed generation mechanism has been strengthened in the new Service Packs."

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0809
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0809
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000925
Category: SF/CF/MP/SA/AN/unknown
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#Getkey_Buffer

Buffer overflow in Getkey in the protocol checker in the inter-module communication mechanism in Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to cause a denial of service.

Analysis
----------------
ED_PRI CAN-2000-0809 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0813
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0813
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20000926
Category: SF/CF/MP/SA/AN/unknown
Reference: CONFIRM:http://www.checkpoint.com/techsupport/alerts/list_vun.html#FTP_Connection

Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers to redirect FTP connections to other servers ("FTP Bounce") via invalid FTP commands that are processed improperly by FireWall-1, aka "FTP Connection Enforcement Bypass."

Analysis
----------------
ED_PRI CAN-2000-0813 3
Vendor Acknowledgement: unknown

INCLUSION: This looks like it might be the same as CVE-2000-0150, however CVE-2000-0150 was announced on February 9. At the very least, the issues are closely related. CVE-2000-0150 was related to hiding PASV commands, whereas this one (a way of doing an FTP Bounce) is done with the PORT command. See ftp://ftp.cert.org/pub/tech_tips/FTP_PORT_attacks for a description of FTP bounce attacks.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0825
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0825
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20001015
Category: SF
Reference: WIN2KSEC:20000817 Imail Web Service Remote DoS Attack v.2
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0071.html
Reference: MISC:http://www.ipswitch.com/support/patches-upgrades.html#IMail

Ipswitch Imail 6.0 allows remote attackers to cause a denial of service via a large number of connections in which a long Host: header is sent, which causes a thread to crash.

Analysis
----------------
ED_PRI CAN-2000-0825 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0832
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0832
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20001015
Category: SF
Reference: BUGTRAQ:20000817 Htgrep CGI Arbitrary File Viewing Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0208.html

Htgrep CGI program allows remote attackers to read arbitrary files by specifying the full pathname in the hdr parameter.

Analysis
----------------
ED_PRI CAN-2000-0832 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0837
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0837
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20001015
Category: SF
Reference: BUGTRAQ:20000804 FTP Serv-U 2.5e vulnerability.
Reference: URL:http://www.securityfocus.com/archive/1/73843
Reference: BID:1543
Reference: URL:http://www.securityfocus.com/bid/1543
Reference: XF:servu-null-character-dos
Reference: URL:http://xforce.iss.net/static/5029.php

FTP Serv-U 2.5e allows remote attackers to cause a denial of service by sending a large number of null bytes.

Analysis
----------------
ED_PRI CAN-2000-0837 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2000-0846
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0846
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001018
Assigned: 20001018
Category: SF
Reference: BUGTRAQ:20000821 Darxite daemon remote exploit/DoS problem
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-08/0256.html
Reference: BID:1598
Reference: URL:http://www.securityfocus.com/bid/1598
Reference: XF:darxite-login-bo
Reference: URL:http://xforce.iss.net/static/5134.php

Buffer overflow in Darxite 0.4 and earlier allows a remote attacker to execute arbitrary commands via a long username or password.

Analysis
----------------
ED_PRI CAN-2000-0846 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:
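
The CAN-2000-0824 entry above describes glibc 2.1.1's unsetenv leaving a variable in place when a program receives it twice. The following is an added illustration, not code from this proposal or from glibc: a simplified unsetenv loop of the shape that skips the duplicate, beside the corrected loop, both run over a constructed environment array (the array contents and the helper names are assumptions of this example).

```c
#include <stdio.h>
#include <string.h>

/* Remove the entry at EP from a NULL-terminated environment array by
   sliding every later pointer (and the terminating NULL) down one slot. */
static void remove_at(char **ep) {
    char **dp = ep;
    do { dp[0] = dp[1]; } while (*dp++ != NULL);
}

/* True if ENTRY defines NAME, i.e. starts with "NAME=". */
static int defines(const char *entry, const char *name, size_t len) {
    return strncmp(entry, name, len) == 0 && entry[len] == '=';
}

/* Loop of the shape that yields the bug CAN-2000-0824 describes (a simplified
   reconstruction, not glibc's code): the loop advances unconditionally, so the
   entry that slid into the emptied slot is skipped and a second copy survives. */
static void buggy_unsetenv(char **env, const char *name) {
    size_t len = strlen(name);
    for (char **ep = env; *ep != NULL; ++ep)
        if (defines(*ep, name, len))
            remove_at(ep);
}

/* Corrected loop: advance only when the current slot was not removed, so
   the slot is re-examined and every duplicate is dropped. */
static void fixed_unsetenv(char **env, const char *name) {
    size_t len = strlen(name);
    char **ep = env;
    while (*ep != NULL) {
        if (defines(*ep, name, len))
            remove_at(ep);
        else
            ++ep;
    }
}

/* Count the entries that still define NAME. */
static size_t count_defined(char **env, const char *name) {
    size_t len = strlen(name), n = 0;
    for (char **ep = env; *ep != NULL; ++ep)
        if (defines(*ep, name, len)) n++;
    return n;
}

/* Constructed environment with LD_PRELOAD supplied twice, as the candidate
   describes. Returns how many LD_PRELOAD entries survive UNSET; correct is 0. */
static size_t survivors_after(void (*unset)(char **, const char *)) {
    char *env[] = {
        "PATH=/usr/bin",
        "LD_PRELOAD=/tmp/constructed.so",
        "LD_PRELOAD=/tmp/constructed.so",
        "HOME=/home/user",
        NULL,
    };
    unset(env, "LD_PRELOAD");
    return count_defined(env, "LD_PRELOAD");
}
int main(void) {
    printf("buggy: %zu left, fixed: %zu left\n",
           survivors_after(buggy_unsetenv), survivors_after(fixed_unsetenv));
    return 0;
}
```

The buggy loop leaves one LD_PRELOAD entry behind, which is exactly the state a setuid program's dynamic loader would then honour; the corrected loop leaves none.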