CVE Candidates as of 20120208

Name: CVE-1999-0001
Description:
Status: Candidate
Votes: MODIFY(1) Frech
       NOOP(2) Northcutt, Wall
       REVIEWING(1) Christey
Voter Comments:
  Christey> A Bugtraq posting indicates that the bug has to do with "short packets with certain options set," so the description should be modified accordingly. But is this the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release. The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388 and 446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD.
  Frech> XF:teardrop(338) This assignment was based solely on references to the CERT advisory.
  Christey> The description for BID:190, which links to CVE-1999-0052 (a FreeBSD advisory), notes that the patches provided by FreeBSD in CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and CVE-1999-0052. CERT:CA-1998-13 is too vague to be sure without further analysis.

Name: CVE-1999-0004
Description:
Status: Candidate
Votes: ACCEPT(8) Baker, Cole, Collins, Dik, Landfield, Magdych, Northcutt, Wall
       MODIFY(1) Frech
       NOOP(1) Christey
       REVIEWING(1) Shostack
Voter Comments:
  Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject this suggestion, I will not be devastated.) :-)
  Christey> This issue seems to have been rediscovered in BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 Also see BUGTRAQ:19990320 Eudora Attachment Buffer Overflow http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
  Christey> CVE-2000-0415 may be a later rediscovery of this problem for Outlook.
  Dik> Sun bug 4163471
  Christey> ADDREF BID:125
  Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2

Name: CVE-1999-0015
Description:
Status: Candidate
Votes: ACCEPT(1) Wall
       MODIFY(1) Frech
       REVIEWING(1) Christey
Voter Comments:
  Frech> XF:teardrop-mod
  Christey> Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
  Christey> See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue.
  Christey> MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104) indicate that CVE-1999-0015 was fixed in NT SP3, but CVE-1999-0104 was not. Thus CD:SF-LOC suggests that the problems keep separate candidates because one problem appears in a different version than the other.
  Christey> BID:124 http://www.securityfocus.com/bid/124 Consider MSKB:Q154174 http://support.microsoft.com/support/kb/articles/q154/1/74.asp Consider BUGTRAQ:19971113 Linux IP fragment overlap bug http://www.securityfocus.com/archive/1/8014

Name: CVE-1999-0020
Description:
Status: Candidate
Votes: MODIFY(1) Frech
       NOOP(4) Levy, Northcutt, Shostack, Wall
       REJECT(2) Baker, Christey
Voter Comments:
  Frech> XF:lpr-bo
  Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo

Name: CVE-1999-0030
Description:
Status: Candidate
Votes: ACCEPT(3) Levy, Ozancin, Prosser
       NOOP(1) Baker
       RECAST(1) Frech
       REJECT(1) Christey
Voter Comments:
  Frech> XF:xlock-bo (also add) As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and several Linii. Also, don't you mean to cite SGI:19970502-02-PX? The one you list is login/scheme.
  Levy> Notice that this xlock overflow is the same as in CA-97.13. CA-97.21 simply is a reminder.
  Christey> As pointed out by Elias, CA-97.21 states: "For more information about vulnerabilities in xlock... see CA-97.13" CA-97.13 = CVE-1999-0038. This may also be a duplicate with CVE-1999-0306. See exploits at: http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2 http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2 Sun also has this problem, at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba

Name: CVE-1999-0033
Description:
Status: Candidate
Votes: ACCEPT(8) Baker, Cole, Collins, Dik, Hill, Northcutt, Shostack, Wall
       NOOP(1) Christey
       RECAST(1) Frech
Voter Comments:
  Frech> This vulnerability also manifests itself for the following platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light, please add the following: Reference: XF:at-bo
  Dik> Sun bug 1265200, 4063161
  Christey> ADDREF SGI:19971102-01-PX ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX SCO:SB.97:01 ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a
  Christey> CIAC:F-15 http://ciac.llnl.gov/ciac/bulletins/f-15.shtml HP:HPSBUX9502-023
  Christey> Add period to the end of the description.

Name: CVE-1999-0061
Description:
Status: Candidate
Votes: ACCEPT(3) Frech, Hill, Northcutt
       RECAST(1) Baker
       REVIEWING(1) Christey
Voter Comments:
  Christey> This should be split into three separate problems based on the SNI advisory. But there's newer information to further complicate things. What do we do about this one? In 1997 or so, SNI did an advisory on this problem. In early 2000, it was still discovered to be present in some Linux systems. So an SF-DISCOVERY content decision might say that this is a long enough time between the two, so this should be recorded separately. But they're the same codebase... so if we keep them in the same entry, how do we make sure that this entry reflects that some new information has been discovered? The use of dot notation may help in this regard, to use one dot for the original problem as discovered in 1997, and another dot for the resurgence of the problem in 2000.
  Baker> We should merge these.
  Christey> Perhaps this should be NAI-19 instead of NAI-20? The original Bugtraq post for the SNI advisory suggests SNI-19: BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability URL:SNI-19:BSD lpd vulnerability Also add: BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE) URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2 However, archives of "NAI-0020" point to the lpd vuln. If I recall correctly, some of the NAI advisory numbers got switched when NAI acquired SNI.

Name: CVE-1999-0076
Description:
Status: Candidate
Votes: ACCEPT(3) Baker, Frech, Ozancin
       NOOP(1) Balinsky
       REVIEWING(1) Christey
Voter Comments:
  Balinsky> Don't know what this is. Is this the LIST Core dump vulnerability?
  Christey> Need to add more references and details.

Name: CVE-1999-0078
Description:
Status: Candidate
Votes: ACCEPT(5) Collins, Frech, Landfield, Northcutt, Shostack
       NOOP(1) Baker
       RECAST(1) Christey
Voter Comments:
  Christey> This candidate should be SPLIT, since there are two separate software flaws. One is a symlink race and the other is a shell metacharacter problem.
  Christey> The permissions part of this vulnerability appears to overlap with CVE-1999-0353
  Christey> SGI:20020802-01-I

Name: CVE-1999-0086
Description:
Status: Candidate
Votes: ACCEPT(2) Northcutt, Shostack
       MODIFY(2) Frech, Prosser
       NOOP(1) Baker
       REJECT(1) Christey
Voter Comments:
  Frech> Reference: XF:ibm-routed
  Prosser> This vulnerability allows debug mode to be turned on, which is the problem. Should this be more specific in the description? This one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which is in the SGI cluster; shouldn't these be cross-referenced, as the same vuln affects multiple OSes?
  Christey> This appears to be subsumed by CVE-1999-0215

Name: CVE-1999-0088
Description:
Status: Candidate
Votes: ACCEPT(2) Northcutt, Shostack
       MODIFY(2) Frech, Prosser
       RECAST(1) Baker
       REVIEWING(1) Christey
Voter Comments:
  Frech> ERS (and other references, BTW) explicitly stipulate 'local and remote'. Reference: XF:irix-autofsd
  Prosser> Include the SGI Alert as well since it is mentioned in the description. SGI Security Advisory 19981005-01-PX
  Christey> DUPE CVE-1999-0210?
  Christey> ADDREF CIAC:J-014
  Baker> It does look very similar to 1999-0210. Perhaps they should be a single entry

Name: CVE-1999-0089
Description:
Status: Candidate
Votes: ACCEPT(2) Northcutt, Shostack
       MODIFY(2) Frech, Prosser
       RECAST(1) Baker
       REVIEWING(1) Christey
Voter Comments:
  Frech> Reference: XF:ibm-libDtSvc
  Prosser> The overflow is in the dtaction utility. Also affects dtaction in the CDE on versions of SunOS (SUN 164). Probably should be specific.
  Christey> Same Codebase as CVE-1999-0121, so the two entries should be merged.

Name: CVE-1999-0092
Description:
Status: Candidate
Votes: ACCEPT(2) Baker, Bollinger
       MODIFY(1) Frech
       NOOP(1) Ozancin
Voter Comments:
  Frech> XF:ibm-portmir

Name: CVE-1999-0098
Description:
Status: Candidate
Votes: MODIFY(2) Baker, Frech
       NOOP(1) Wall
       REVIEWING(1) Christey
Voter Comments:
  Frech> (Accept XF reference.) Our references do not mention hiding activities. This issue can crash the SMTP server or execute arbitrary byte-code. Is there another reference available?
  Christey> Should this be merged with CVE-1999-0284, which is Sendmail with SMTP HELO?
  Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2 BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2
  Baker> Apparently this XF reference is not for this issue, but for the other issue. This should be modified to have the Bugtraq references, and remove the XF reference.

Name: CVE-1999-0104
Description:
Status: Candidate
Votes: ACCEPT(2) Frech, Wall
       REVIEWING(1) Christey
Voter Comments:
  Wall> Another reference is Microsoft Knowledge Base Q179129.
  Christey> Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
  Christey> See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue.
  Christey> MSKB:Q179129 http://support.microsoft.com/support/kb/articles/q179/1/29.asp
  Christey> MSKB:Q179129 http://support.microsoft.com/support/kb/articles/q179/1/29.asp Note that the hotfix name is teardrop2, but the keywords included in the KB article specifically name bonk (CVE-1999-0258) and boink. Since teardrop2 was fixed in a slightly different version (at least in a separate patch) than Teardrop, CD:SF-LOC suggests keeping them separate.
  Christey> Add period to the end of the description.

Name: CVE-1999-0105
Description:
Status: Candidate
Votes: MODIFY(3) Baker, Frech, Shostack
       NOOP(1) Christey
       REJECT(1) Northcutt
Voter Comments:
  Shostack> fingerd
  Frech> XF:finger-bomb
  Christey> aka redirection or forwarding requests? (but then might overlap CVE-1999-0106)
  Baker> should change description to indicate the recursive searching can consume enough system resources to cause a DoS.

Name: CVE-1999-0106
Description:
Status: Candidate
Votes: ACCEPT(1) Northcutt
       MODIFY(2) Frech, Shostack
       RECAST(1) Baker
       REVIEWING(1) Christey
Voter Comments:
  Shostack> fingerd allows redirection. This is a larger modification, since there are two applications of the vulnerability: one that I can finger anonymously, and the other that I can finger bomb anonymously.
  Frech> XF:finger-bomb
  Christey> need more refs
  Baker> This should be merged with 1999-0105

Name: CVE-1999-0107
Description:
Status: Candidate
Votes: ACCEPT(1) Baker
       MODIFY(1) Frech
       NOOP(3) Northcutt, Shostack, Wall
       REVIEWING(1) Levy
       REVOTE(1) Christey
Voter Comments:
  Wall> - Although this is probably the phf hack.
  Frech> XF:apache-dos
  Christey> This sounds like the incident reported in: NTBUGTRAQ:20000810 Apache Distributed Denial of Service
  Levy> I believe this is the problem where sending lots of HTTP headers to apache resulted in a denial of service. BUGTRAQ: http://www.securityfocus.com/archive/1/10228 BUGTRAQ: http://www.securityfocus.com/archive/1/10516

Name: CVE-1999-0110
Description:
Status: Candidate
Votes: MODIFY(1) Frech
       NOOP(4) Levy, Northcutt, Shostack, Wall
       REJECT(3) Baker, Christey, Dik
Voter Comments:
  Frech> XF:fdformat-bo
  Christey> Duplicate of CVE-1999-0315
  Dik> dup

Name: CVE-1999-0114
Description:
Status: Candidate
Votes: ACCEPT(7) Armstrong, Bishop, Blake, Cole, Landfield, Shostack, Wall
       MODIFY(2) Baker, Frech
       NOOP(3) Christey, Northcutt, Ozancin
       REVIEWING(1) Levy
Voter Comments:
  Frech> XF:elm-filter2
  CHANGE> [Wall changed vote from NOOP to ACCEPT]
  Landfield> with Frech modifications
  Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory
  Christey> The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm Need to make sure that this CERT advisory describes the right problem, especially since the CERT advisory is dated December 18, 1995 and the original Bugtraq post was December 26, 1995.
  Christey> BID:1802 URL:http://www.securityfocus.com/bid/1802 BID:1802 doesn't include the 1999 posting - does Security Focus think that the 1999 post describes a different vulnerability?
  Christey> XF:elm-filter2 isn't on the X-Force web site. How about XF:elm-filter(402)? Its references point to the December 26, 1995 Bugtraq post. Also consider CIAC:G-36 and CERT:VB-95:10
  Frech> DELREF:XF:elm-filter2(711) ADDREF:XF:elm-filter(402)

Name: CVE-1999-0119
Description:
Status: Candidate
Votes: MODIFY(1) Frech
       NOOP(2) Baker, Northcutt
       REJECT(1) Wall
Voter Comments:
  Wall> Reject based on beta copy.
  Frech> XF:nt-beta(11) Reconsider reject, because this beta was in widespread use.

Name: CVE-1999-0121
Description:
Status: Candidate
Votes: ACCEPT(2) Dik, Northcutt
       MODIFY(3) Baker, Frech, Prosser
       REVIEWING(1) Christey
Voter Comments:
  Frech> Reference: XF:dtaction-bo Reference: XF:sun-dtaction
  Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a library in AIX 4.x, but reference for this Sun vulnerability should only reflect the Sun Bulletin or the CIAC I-032 version of the Sun Bulletin
  Christey> This is the Same Codebase as CVE-1999-0089, so the two entries should be merged.
  Frech> Replace sun-dtaction(732) with dtaction-bo(879)
  Baker> Merge with 1999-0089

Name: CVE-1999-0123
Description:
Status: Candidate
Votes: ACCEPT(3) Baker, Frech, Ozancin
       NOOP(1) Wall

Name: CVE-1999-0127
Description:
Status: Candidate
Votes: ACCEPT(2) Baker, Prosser
       MODIFY(1) Frech
       NOOP(1) Christey
Voter Comments:
  Frech> (keep current XF: reference, and add) XF:hpux-sqwmodify
  Christey> Perhaps this should be split, per SF-LOC.
  Christey> CIAC:H-81 http://ciac.llnl.gov/ciac/bulletins/h-81.shtml HP:HPSBUX9707-064 references CERT:CA-96.27 http://ciac.llnl.gov/ciac/bulletins/h-81.shtml The original AUSCERT advisory says that the programs "create files in an insecure manner" and "Exploit details involving this vulnerability have been made publicly available." which leads one to assume that the following original Bugtraq post provides the details for a standard symlink problem: BUGTRAQ:19961005 swinst,bug http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2

Name: CVE-1999-0140
Description:
Status: Candidate
Votes: ACCEPT(1) Hill
       MODIFY(2) Frech, Meunier
       NOOP(1) Baker
       REJECT(1) Christey
Voter Comments:
  Meunier> Add "pptp invalid packet length in header" to distinguish from other vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be discovered in the future.
  Frech> XF:nt-ras-bo ONLY IF reference is to MS:MS99-016
  Christey> According to my mappings, this is not the MS:MS99-016 problem referred to by Andre. However, I have yet to dig up a source.
  CHANGE> [Christey changed vote from NOOP to REVIEWING]
  CHANGE> [Christey changed vote from REVIEWING to REJECT]
  Christey> This is too general to know which problem is being discussed. More precise candidates should be created.
  Christey> Consider adding BID:2111

Name: CVE-1999-0144
Description:
Status: Candidate
Votes: ACCEPT(4) Baker, Frech, Hill, Meunier
       REVIEWING(1) Christey
Voter Comments:
  Christey> DUPE CVE-1999-0418 and CVE-1999-0250?
  Christey> Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator. See http://cr.yp.to/qmail/venema.html Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others. See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html "Denial of service (qmail-smtpd)" "qmail-dos-2.c, another denial of service" "[PATCH] denial of service" "just another qmail denial-of-service" "the UNIX way" "Time for a reality check" Also see Bugtraq threads on a different vulnerability that is related to this topic: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
  Baker> http://cr.yp.to/qmail/venema.html Bernstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema. His page states this is not a qmail problem; rather it is a UNIX problem that many apps can consume all available memory, and that the administrator is responsible to set limits in the OS, rather than expect applications to individually prevent memory exhaustion. CAN 1999-0250 does appear to be a duplicate of this entry, based on the research I have done so far. There were two different bugtraq postings, but the second one references the first, stating that the new exploit uses perl instead of shell scripting to accomplish the same attack/exploit.
  Baker> http://www.securityfocus.com/archive/1/6970 http://www.securityfocus.com/archive/1/6969 http://cr.yp.to/qmail/venema.html Should probably reject CVE-1999-0250, and add these references to this Candidate.
  Baker> http://www.securityfocus.com/bid/2237
  CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
  Christey> qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message. NOTE: the ufo.org domain was purchased by another party in 2003, so the current owner is not associated with any statements by "super@ufo.org" that were made before 2003. qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands. ADDREF BID:2237 ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd) Also see a related thread: BUGTRAQ:19990308 SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this: BUGTRAQ:19990309 Re: SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 The person further says, "This attack can easily be prevented with configuration methods."

Name: CVE-1999-0154
Description:
Status: Candidate
Votes: ACCEPT(4) Foat, Frech, Stracener, Wall
       NOOP(3) Baker, Christey, Cole
Voter Comments:
  Christey> This is the precursor to the problem that is identified in CVE-1999-0253.
  Christey> CIAC:H-48 URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml
  CHANGE> [Foat changed vote from NOOP to ACCEPT]

Name: CVE-1999-0156
Description:
Status: Candidate
Votes: ACCEPT(2) Northcutt, Shostack
       NOOP(1) Baker
       RECAST(1) Frech
       REVIEWING(2) Christey, Prosser
Voter Comments:
  Prosser> but so far can find no reference to this one
  Frech> Our records indicate that this does not necessarily affect just wu-ftp (i.e., also affects IIS FTP server).
  Christey> The references for XF:ftp-pwless are not specific enough, e.g. in terms of version numbers. Perhaps this candidate should be rejected due to insufficient information.

Name: CVE-1999-0163
Description:
Status: Candidate
Votes: ACCEPT(2) Frech, Northcutt
       MODIFY(1) Prosser
       NOOP(2) Baker, Christey
       RECAST(1) Shostack
Voter Comments:
  Shostack> there was a 'To: |' and a 'From: |' attack, which I think are separate.
  Prosser> older vulnerability, but one additional reference is: The Ultimate Sendmail Hole List by Markus Hübner @ bau2.uibk.ac.at/matic/buglist.htm '|PROGRAM '
  Christey> Description needs to be more specific to distinguish between this and CVE-1999-0203, as alluded to by Adam Shostack

Name: CVE-1999-0165
Description:
Status: Candidate
Votes: ACCEPT(3) Baker, Frech, Northcutt
       MODIFY(1) Shostack
       NOOP(1) Prosser
       REVIEWING(1) Christey
Voter Comments:
  Shostack> need more data
  Christey> need more refs
  Christey> Add period to the end of the description.

Name: CVE-1999-0169
Description:
Status: Candidate
Votes: ACCEPT(2) Frech, Northcutt
       MODIFY(1) Baker
       REJECT(1) Shostack
Voter Comments:
  Shostack> this is not a vulnerability but a design feature.
  Baker> Maybe we should reword it so that it is clear that this was a problem, to something like: "A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID."

Name: CVE-1999-0171
Description:
Status: Candidate
Votes: ACCEPT(2) Frech, Northcutt
       NOOP(1) Baker
       REJECT(2) Christey, Shostack
Voter Comments:
  Shostack> design issue, not a vulnerability. Alternately, add: DOS on server by opening a large number of telnet sessions.
  Christey> Duplicate of CVE-1999-0566

Name: CVE-1999-0186
Description:
Status: Candidate
Votes: ACCEPT(2) Baker, Dik
       MODIFY(1) Frech
       NOOP(1) Wall
       REVIEWING(1) Christey
Voter Comments:
  Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr Add ISS:Hidden Community String in SNMP Implementation
  Christey> What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See: http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and http://cve.mitre.org/Board_Sponsors/archives/msg00250.html http://cve.mitre.org/Board_Sponsors/archives/msg00251.html Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE.
  Christey> ADDREF BID:177
  Christey> ISS:19981102 Hidden community string in SNMP implementation http://xforce.iss.net/alerts/advise11.php Change description to include "hidden"
  Christey> XF:snmp-backdoor-access is missing.

Name: CVE-1999-0187
Description:
Status: Candidate
Votes: ACCEPT(2) Hill, Northcutt
       RECAST(3) Baker, Frech, Prosser
       REJECT(1) Dik
       REVIEWING(1) Christey
Voter Comments:
  Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in rdist lookup() (ref CERT 96.14) as well as the BO in rdist function expstr() (ref CERT 97-23) and various vendor bulletins. However both of these rdist BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX, FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content decision
  Frech> XF:rdist-bo (error msg formation) XF:rdist-bo2 (execute code) XF:rdist-bo3 (execute user-created code) XF:rdist-sept97 (root from local)
  Christey> Duplicate of CVE-1999-0022 (SUN:00179 is referenced in CERT:CA-97.23.rdist), but as Mike and Andre noted, there are multiple flaws here, so a RECAST may be necessary.
  Dik> As currently phrased, this is a duplicate of CVE-1999-0022
  Baker> Based on our new philosophy, this should be recast/merged or re-described.

Name: CVE-1999-0193
Description:
Status: Candidate
Votes: ACCEPT(5) Bishop, Cole, Northcutt, Ozancin, Shostack
       MODIFY(2) Baker, Blake
       NOOP(4) Armstrong, Frech, Landfield, Wall
       REVIEWING(2) Christey, Levy
Voter Comments:
  Frech> possibly XF:ascend-kill I can't find a reference that lists both routers in the same reference.
  Wall> Comment: There is a reference about the zero length TCP option in BugTraq on Feb 5, 1999 and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038 mentions vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052 mentions 3Com vulnerabilities, but not TCP. Too confusing without better references.
  Landfield> What are the references for this? I cannot find a means to check it out.
  CHANGE> [Frech changed vote from REVIEWING to NOOP]
  Frech> Cannot reconcile to our database without further references.
  Blake> I'm with Andre. I only remember and can find reference to the Ascend issue. Do we have a reference to the 3Coms? If not, that should be removed from the description.
  Baker> http://xforce.iss.net/static/614.php Misc Defensive Info http://www.securityfocus.com/archive/1/5682 Misc Offensive Info http://www.securityfocus.com/archive/1/5647 Misc Defensive Info http://www.securityfocus.com/archive/1/5640 Misc Defensive Info
  CHANGE> [Armstrong changed vote from REVIEWING to NOOP]

Name: CVE-1999-0195
Description:
Status: Candidate
Votes: ACCEPT(2) Balinsky, Shostack
       MODIFY(1) Frech
       NOOP(3) Baker, Northcutt, Wall
       REVIEWING(2) Christey, Levy
Voter Comments:
  Frech> XF:rpcbind-spoof
  Christey> CVE-1999-0195 = CVE-1999-0461? If this is approved over CVE-1999-0461, make sure it gets XF:pmap-sset

Name: CVE-1999-0197
Description:
Status: Candidate
Votes: ACCEPT(1) Baker
       MODIFY(2) Frech, Shostack
       REJECT(1) Northcutt
Voter Comments:
  Shostack> fingerd may respond to 'finger 0@host' with account info
  Frech> Need more reference to establish this 'exposure'.
  CHANGE> [Frech changed vote from REVIEWING to MODIFY]
  Frech> XF:finger-unused-accounts(8378) We're entering it into our database solely to track competition. The only references seem to be product listings: http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002 Finger 0@host check) http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check) http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host feature)

Name: CVE-1999-0198
Description:
Status: Candidate
Votes: ACCEPT(1) Baker
       MODIFY(2) Frech, Shostack
       REJECT(1) Northcutt
Voter Comments:
  Shostack> as above
  Frech> Need more reference to establish this 'exposure'.
  CHANGE> [Frech changed vote from REVIEWING to MODIFY]
  Frech> XF:finger-unused-accounts(8378) We're entering it into our database solely to track competition. The only references seem to be product listings: http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004 Finger .@target-host check) http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host check) http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host feature)

Name: CVE-1999-0200
Description:
Status: Candidate
Votes: ACCEPT(1) Baker
       MODIFY(2) Frech, Shostack
       NOOP(2) Northcutt, Wall
       REJECT(1) Christey
       REVIEWING(1) Levy
Voter Comments:
  Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another?
  Frech> Others have mentioned this before, but it may be WU-FTP. POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root access without anon FTP or a regular account? POSSIBLY XF:wu-ftpd-exec; same as above conditions, but instead from a non-anon FTP account and gain root privs.
  Christey> added MSKB reference
  CHANGE> [Christey changed vote from REVOTE to REJECT]
  Christey> The MSKB article may have confused things even more. There were reports of problems in a Windows-based FTP server called WFTP (http://www.wftpd.com/) that is not a Microsoft FTP server. It's best to just kill this candidate where it stands and start fresh.

Name: CVE-1999-0205
Description:
Status: Candidate
Votes: ACCEPT(2) Hill, Northcutt
       MODIFY(2) Frech, Prosser
       NOOP(1) Baker
       REVIEWING(2) Christey, Ozancin
Voter Comments:
  Frech> XF:sendmail-alias-dos
  Prosser> additional source Bugtraq "Re: SM 8.6.12" http://www.securityfocus.com
  Christey> The Bugtraq thread does not provide any proof, including a comment by Eric Allman that he hadn't been provided any details either. See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu for the thread.
  Christey> Change Bugtraq reference date to 19950708.

Name: CVE-1999-0213
Description:
Status: Candidate
Votes: ACCEPT(6) Blake, Cole, Dik, Hill, Landfield, Ozancin
       MODIFY(3) Baker, Frech, Levy
       NOOP(4) Armstrong, Bishop, Meunier, Wall
       REVIEWING(1) Christey
Voter Comments:
  Frech> XF:sun-libnsl
  Dik> Sun bug #4305859
  Baker> http://xforce.iss.net/static/1204.php Misc Defensive Info http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info http://www.securityfocus.com/archive/1/9749 Misc Defensive Info
  Christey> I don't think this is the bug that everyone thinks it is. This candidate came from CyberCop Scanner 2.4/2.5, which only reports this as a DoS problem. If SUN:00172 is an advisory for this, then it may be a duplicate of CVE-1999-0055. There appears to be overlap with other references as well. HOWEVER, this particular one deals with a DoS in rpcbind - which isn't mentioned in the sources for CVE-1999-0055.
  Levy> BID 148

Name: CVE-1999-0216
Description:
Status: Candidate
Votes: ACCEPT(1) Hill
       MODIFY(2) Baker, Frech
       RECAST(1) Meunier
Voter Comments:
  Meunier> The location of the vulnerability, whether in the Linux kernel or the application, is debatable. Any program making the same (reasonable) assumption is vulnerable, i.e., implements the same vulnerability: "Assumption that TCP three-way handshake is complete after calling Linux kernel function accept(), which returns socket after getting SYN. Result is process death by SIGPIPE" Moreover, whether it results in DOS (to third parties) depends on the process that made the assumption. I think that the present entry should be split, one entry for every application that implements the vulnerability (really describing threat instances, which is what other people think about when we talk about vulnerabilities), and one entry for the Linux kernel that allows the vulnerability to happen.
  Frech> XF:hp-inetd XF:linux-inetd-dos
  Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to multiple OSes and should likely be either modified or, in the extreme case, recast

Name: CVE-1999-0220
Description:
Status: Candidate
Votes: NOOP(2) Baker, Northcutt
       REJECT(2) Christey, Frech
Voter Comments:
  Frech> Would reconsider if any references were available.
  Christey> No references available, combined with extremely vague description, equals REJECT.

Name: CVE-1999-0222
Description:
Status: Candidate
Votes: ACCEPT(1) Baker
       MODIFY(3) Frech, Levy, Shostack
       NOOP(3) Balinsky, Northcutt, Wall
       RECAST(1) Ziese
       REJECT(1) Christey
Voter Comments:
  Shostack> I follow cisco announcements and problems pretty closely, and haven't seen this. Source?
  Frech> XF:cisco-web-crash
  Christey> XF:cisco-web-crash has no additional references. I can't find any references in Bugtraq or Cisco either. This bug is supposedly tested by at least one security product, but that product's database doesn't have any references either. So a question becomes, how did it make it into at least two security companies' databases?
  Levy> BUGTRAQ: http://www.securityfocus.com/archive/1/60159 BID 1154
  Ziese> The vulnerability is addressed by a vendor acknowledgement. This one, if recast to reflect that "...after using a long url..." should be replaced with "...A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled, browsing to "http://router-ip/anytext?/" is attempted, and the enable password is supplied when requested. This defect can be exploited to produce a denial of service (DoS) attack." Then I can accept this and mark it as "Verified by my Company". If it can't be recast because this (long uri) is different than our release (special url construction).
  CHANGE> [Christey changed vote from REVIEWING to REJECT]
  Christey> Elias Levy's suggested reference is CVE-2000-0380. I don't think that Kevin's description is really addressing this either. The lack of references and a specific description make this candidate unusable, so it should be rejected.

Name: CVE-1999-0226
Description:
Status: Candidate Votes: ACCEPT(1) Northcutt MODIFY(1) Frech NOOP(1) Baker REJECT(1) ChristeyVoter Comments: Christey> Too general, and no references. Frech> XF:nt-frag(528) See reference from BugTraq Mailing List, "A New Fragmentation Attack" at http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&msg=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net Name: CVE-1999-0229
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Shostack MODIFY(2) Frech, Wall NOOP(1) Northcutt REJECT(1) Christey REVIEWING(1) LevyVoter Comments: Wall> Denial of service in Windows NT IIS Server 1.0 using ..\... Source: Microsoft Knowledge Base Article Q115052 - IIS Server. Frech> XF:http-dotdot (not necessarily IIS?) Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot problem. Christey> This actually looks like XF:iis-dot-dot-crash(1638) http://xforce.iss.net/static/1638.php If so, include the version number (2.0) CHANGE> [Christey changed vote from REVOTE to REJECT] Christey> Bill Wall intended to suggest Q155052, but the affected IIS version there is 1.0; the effect is to read files, so this sounds like a directory traversal problem, instead of an inability to process certain strings. As a result, this candidate is too general, since it could apply to 2 different problems, so it should be REJECTed. Christey> Consider adding BID:2218 Name: CVE-1999-0231
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Levy NOOP(3) Christey, Landfield, Northcutt RECAST(1) Frech REVIEWING(1) OzancinVoter Comments: Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below) XF:smtp-vrfy-bo (many mail packages) Northcutt> (There is no way I will have access to these systems) Christey> Some sources report that VRFY and EXPN are both affected. Name: CVE-1999-0232
Description:
Status: Candidate Votes: ACCEPT(2) Hill, Northcutt MODIFY(1) Frech NOOP(1) Prosser REJECT(1) Baker REVIEWING(1) ChristeyVoter Comments: Frech> Unable to provide a match due to vague/insufficient description/references. Possible matches are: XF:ftp-ncsa (probably not, considering you've mentioned the webserver.) XF:http-ncsa-longurl (highest probability) Christey> CVE-1999-0235 is the one associated with XF:http-ncsa-longurl More research is necessary for this one. Baker> Since this has no references at all, and is vague and we have a CAN for the most likely issue, we should kill this one Name: CVE-1999-0235
Description:
Status: Candidate Votes: ACCEPT(3) Hill, Northcutt, Prosser MODIFY(1) Frech REJECT(2) Baker, ChristeyVoter Comments: Frech> XF:http-ncsa-longurl Christey> CVE-1999-0235 has the same ref's as CVE-1999-0267 Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both refer to the same problem. This should be rejected as 1999-0267 is the same problem. Name: CVE-1999-0238
Description:
Status: Candidate Votes: ACCEPT(5) Baker, Collins, Frech, Northcutt, Prosser NOOP(1) ChristeyVoter Comments: Prosser> additional source AUSCERT External Security Bulletin ESB-97.047 http://www.auscert.org.au Christey> ADDREF BUGTRAQ:19970416 Update on PHP/FI hole URL:http://www.dataguard.no/bugtraq/1997_2/0069.html The attacker specifies the filename as an argument to the program. Add "PHP/FI" to description to facilitate search. AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047 Christey> Consider adding BID:2250 Name: CVE-1999-0240
Description:
Status: Candidate Votes: ACCEPT(1) Northcutt NOOP(1) Baker REJECT(1) FrechVoter Comments: Frech> Would reconsider if any references were available. Name: CVE-1999-0241
Description:
Status: Candidate Votes: ACCEPT(3) Hill, Northcutt, Proctor MODIFY(2) Frech, Prosser NOOP(1) Baker REVIEWING(1) ChristeyVoter Comments: Frech> Also add to references: XF:sol-mkcookie Prosser> additional source Bugtraq "X11 cookie hijacker" http://www.securityfocus.com Christey> The cookie hijacker thread has to do with stealing cookies through a file with bad permissions. I'm not sure the X-Force reference identifies this problem either. Christey> CIAC:G-04 URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml SGI:19960601-01-I URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I CERT:VB-95:08 Name: CVE-1999-0242
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(4) Christey, Northcutt, Shostack, Wall REVIEWING(1) LevyVoter Comments: Frech> Ambiguous description: need more detail. Possibly: XF:linux-pop3d (mktemp() leads to reading e-mail) Christey> At first glance this might look like CVE-1999-0123 or CVE-1999-0125, however this particular candidate arises out of a brief mention of the problem in a larger posting which discusses CVE-1999-0123 (which may be the same bug as CVE-1999-0125). See the following phrase in the Bugtraq post: "one such example of this is in.pop3d" However, the original source of this candidate's description explicitly mentions shadowed passwords, though it has no references to help out here. Name: CVE-1999-0243
Description:
Status: Candidate Votes: ACCEPT(1) Shostack NOOP(4) Baker, Levy, Northcutt, Wall REJECT(2) Christey, FrechVoter Comments: Christey> This has no sources; neither does the original database that this entry came from. It's a likely duplicate of CVE-1999-0813. Frech> I disagree on the dupe; see Linux-Security Mailing List, "[linux-security] Cfinger (Yet more :)" at http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains to 1.4.x and below and shows up two years later. CHANGE> [Frech changed vote from REVIEWING to REJECT] Frech> If the reference I previously supplied is correct, then it appears as if the poster modified the source using authorized access to make it vulnerable. Modifying the source in this manner does not qualify as being listed as a vulnerability. Name: CVE-1999-0246
Description:
Status: Candidate Votes: ACCEPT(4) Frech, Hill, Northcutt, Prosser NOOP(1) Baker RECAST(1) ChristeyVoter Comments: Frech> Comment: Determine if it's RemoteWatch or Remote Watch. Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in Remote Watch (the advisory uses two words, not one, for the "Remote Watch" name) ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit) URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com Prosser> agree that the advisory mentions two vulnerabilities in Remote Watch, one being a socket connection and other with the showdisk utility which seems to be a suid vulnerability. Never get much details on this anywhere since the recommendation is to remove the program since it is obsolete and superseded by later tools. Believe the biggest concern here is to just not run the tool at all. Christey> CIAC:H-16 Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp And possibly AUSCERT:AA-96.07 at ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2 Include "remwatch" in the description to facilitate search. Name: CVE-1999-0249
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(2) Frech, Wall NOOP(2) Northcutt, Shostack RECAST(1) Christey REVIEWING(1) LevyVoter Comments: Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows remote users to execute arbitrary commands. Source: rshsvc.txt from the Windows NT Resource Kit. Frech> XF:rsh-svc Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case where remote users coming from authorized machines are allowed access regardless of what .rhosts says. XF:rsh-svc refers to a bug circa 1997 where any remote entity could execute commands as system. Name: CVE-1999-0250
Description:
Status: Candidate Votes: ACCEPT(2) Hill, Meunier MODIFY(1) Frech REJECT(1) Baker REVIEWING(1) ChristeyVoter Comments: Frech> XF:qmail-rcpt Christey> DUPE CVE-1999-0418 and CVE-1999-0144? Christey> Dan Bernstein, author of Qmail, says that this is not a vulnerability in qmail because Unix has built-in resource limits that can restrict the size of a qmail process; other limits can be specified by the administrator. See http://cr.yp.to/qmail/venema.html Significant discussion of this issue took place on the qmail list. The fundamental question appears to be whether application software should set its own limits, or rely on limits set by the parent operating system (in this case, UNIX). Also, some people said that the only problem was that the suggested configuration was not well documented, but this was refuted by others. See the following threads at http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html "Denial of service (qmail-smtpd)" "qmail-dos-2.c, another denial of service" "[PATCH] denial of service" "just another qmail denial-of-service" "the UNIX way" "Time for a reality check" Also see Bugtraq threads on a different vulnerability that is related to this topic: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html Baker> This appears to be the same vulnerability listed in CAN 1999-0144. In reading through both bugtraq postings, the one that is referenced by 0144 is based on a shell code exploit to cause memory exhaustion. The bugtraq posting referenced by this entry refers explicitly to the prior posting for 0144, and states that the same effect could be accomplished by a perl exploit, which was then attached. Baker> http://www.securityfocus.com/archive/1/6969 CVE-1999-0144 http://www.securityfocus.com/archive/1/6970 CVE-1999-0250 Both references should be added to CVE-1999-0144, and CVE-1999-0250 should likely be rejected. 
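An added example for this record, illustrating the "application should set its own limits" side of the debate above. This is illustrative code written for this page, not qmail's, Sendmail's or any board member's source. The two limits (1000 bytes per command line, 100 RCPT TO commands per transaction) are assumptions, and the three command streams are constructed here to mimic the two input patterns the record's exploits use: one command line made of a very long run of "X" characters, and a flood of RCPT TO commands.

```python
"""Application-level input limits for an SMTP receiver.

Added example for this record; illustrative code, not qmail's, Sendmail's or
any board member's source. The limits are assumptions: 1000 bytes per command
line and 100 RCPT TO commands per transaction. The command streams below are
constructed to mimic the two patterns the record describes: a command line
made of a very long run of 'X' characters, and a flood of RCPT TO commands.
"""

MAX_LINE_BYTES = 1000   # assumption: generous for real client commands
MAX_RCPT = 100          # assumption: recipients accepted per transaction


def run_session(lines, max_line=MAX_LINE_BYTES, max_rcpt=MAX_RCPT):
    """Feed raw command lines (bytes, CRLF already stripped) through the limits.

    Returns (replies, drop_reason). replies lists the status lines sent back;
    drop_reason is None when the whole stream was accepted, otherwise a short
    string naming the limit that tripped. Once a limit trips the connection is
    closed, so later lines are never parsed, let alone buffered.
    """
    replies = []
    rcpt_count = 0
    for line in lines:
        # Length check first: a hostile line is rejected before any parsing
        # or buffering, which is the point of bounding input in the application.
        if len(line) > max_line:
            replies.append("500 line too long")
            return replies, "line of %d bytes exceeds %d" % (len(line), max_line)
        verb = line.split(b" ", 1)[0].split(b":", 1)[0].upper()
        if verb == b"MAIL":
            rcpt_count = 0          # new transaction, new recipient budget
            replies.append("250 ok")
        elif verb == b"RCPT":
            rcpt_count += 1
            if rcpt_count > max_rcpt:
                replies.append("452 too many recipients")
                return replies, "%d RCPT TO commands exceed %d" % (rcpt_count, max_rcpt)
            replies.append("250 ok")
        elif verb == b"DATA":
            replies.append("354 go ahead")
        elif verb == b"QUIT":
            replies.append("221 bye")
            break
        else:
            replies.append("250 ok")
    return replies, None


# Constructed streams (not captured traffic).
NORMAL = [b"HELO mx.example", b"MAIL FROM:<a@example>", b"RCPT TO:<b@example>",
          b"DATA", b"QUIT"]
LONG_LINE = [b"HELO mx.example", b"X" * 200000]                    # qmail-dos-1 style
RCPT_FLOOD = [b"HELO mx.example", b"MAIL FROM:<a@example>"] + \
             [b"RCPT TO:<u%d@example>" % i for i in range(5000)]   # qmail-dos-2 style


if __name__ == "__main__":
    for name, stream in (("normal", NORMAL), ("long line", LONG_LINE), ("rcpt flood", RCPT_FLOOD)):
        replies, why = run_session(stream)
        print("%-10s replies=%d dropped=%s" % (name, len(replies), why))
```

The alternative Bernstein argues for is the OS-level one: run each connection handler under a per-process resource limit (setrlimit on the child after fork), so that a client that inflates the process only hits that process's own ceiling. The two are not exclusive; the application limit above fails a hostile session early and cheaply, while the process limit bounds whatever the application did not anticipate.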
CHANGE> [Baker changed vote from REVIEWING to REJECT] Christey> XF:qmail-leng no longer exists; check with Andre to see if they regarded it as a duplicate as well. qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250) in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not use any RCPT commands. Instead, it sends long strings of "X" characters. A followup by "super@UFO.ORG" includes an exploit that claims to do the same thing; however, that exploit does not send long strings of X characters - it sends a large number of RCPT commands. It appears that super@ufo.org followed up to the wrong message. qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144) in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack" sends a large number of RCPT commands. ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd) ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack Also see a related thread: BUGTRAQ:19990308 SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2 This also describes a problem with mail servers not being able to handle too many "RCPT TO" requests. A followup message notes that application-level protection is used in Sendmail to prevent this: BUGTRAQ:19990309 Re: SMTP server account probing http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2 The person further says, "This attack can easily be prevented with configuration methods." Name: CVE-1999-0253
Description:
Status: Candidate Votes: ACCEPT(9) Armstrong, Baker, Bishop, Blake, Cole, Collins, Frech, Landfield, Northcutt MODIFY(1) LeBlanc NOOP(3) Ozancin, Prosser, Wall REVIEWING(1) ChristeyVoter Comments: Christey> This is a problem that was introduced after patching a previous dot bug with the iis-fix hotfix (see CVE-1999-0154). Since the hotfix introduced the problem, this should be treated as a separate issue. Wall> Agree with the comment. LeBlanc> - this one is so old, I don't remember it at all and can't verify or deny the issue. If you can find some documentation that says we fixed it (KB article, hotfix, something), then I would change this to ACCEPT CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> BID:1814 URL:http://www.securityfocus.com/bid/1814 Name: CVE-1999-0254
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Frech NOOP(1) Wall REVIEWING(1) ChristeyVoter Comments: Christey> What is the proper level of abstraction to use here? Should we have a separate entry for each different default community string? See: http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and http://cve.mitre.org/Board_Sponsors/archives/msg00250.html http://cve.mitre.org/Board_Sponsors/archives/msg00251.html Until the associated content decisions have been approved by the Editorial Board, this candidate cannot be accepted for inclusion in CVE. Name: CVE-1999-0255
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Hill, Northcutt MODIFY(1) Frech NOOP(1) Prosser REJECT(1) ChristeyVoter Comments: Frech> XF:irc-bo Christey> This is too general and doesn't have any references. The XF reference doesn't appear to exist any more. Perhaps this reference would help: BUGTRAQ:19970701 ircd buffer overflow Baker> It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post. Name: CVE-1999-0257
Description:
Status: Candidate Votes: ACCEPT(1) Wall MODIFY(1) Frech REVIEWING(1) ChristeyVoter Comments: Frech> XF:nestea-linux-dos Christey> Not sure how many separate "instances" of Teardrop and its ilk. Also see comments on CVE-1999-0001. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 Is CVE-1999-0001 the same as CVE-1999-0052? That one is related to nestea (CVE-1999-0257) and probably the one described in BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release The patch for nestea is in ip_input.c around line 750. The patches for CVE-1999-0001 are in lines 388&446. So, CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052. The FreeBSD patch for CVE-1999-0052 is in line 750. So, CVE-1999-0257 and CVE-1999-0052 may be the same, though CVE-1999-0052 should be RECAST since this bug affects Linux and other OSes besides FreeBSD. Also see BUGTRAQ:19990909 CISCO and nestea. Finally, note that there is no fundamental difference between nestea and nestea2/nestea-v2; they are different ports that exploit the same problem. The original nestea advisory is at http://www.technotronic.com/rhino9/advisories/06.htm but notice that the suggested fix is in line 375 of ip_fragment.c, not ip_input.c. Christey> See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. Christey> BUGTRAQ:19980501 nestea does other things http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2 BUGTRAQ:19980508 nestea2 and HP Jet Direct cards. URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2 BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2 Nestea source code is in MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html Name: CVE-1999-0258
Description:
Status: Candidate Votes: MODIFY(2) Frech, Wall REVIEWING(1) ChristeyVoter Comments: Wall> Reference Q179129 Frech> XF:teardrop-mod Christey> Not sure how many separate "instances" of Teardrop there are. See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258 Christey> See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. Christey> BUGTRAQ:19980108 bonk.c URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2 NTBUGTRAQ:19980108 bonk.c URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2 NTBUGTRAQ:19980109 Re: Bonk.c URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2 NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2 BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2 CIAC:I-031a http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml CERT summary CS-98.02 implies that bonk, boink, and newtear all exploit the same vulnerability. Name: CVE-1999-0261
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(2) Frech, Landfield NOOP(3) Christey, Northcutt, OzancinVoter Comments: Frech> XF:chamelion-smtp-dos Landfield> - Specify what "a crash" means. Christey> ADDREF XF:chameleon-smtp-dos ? (but it's not on the web site) Christey> Consider adding BID:2387 Name: CVE-1999-0271
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Blake, Northcutt MODIFY(1) Frech NOOP(1) Prosser REVIEWING(1) ChristeyVoter Comments: Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq posting), but may be multiple codebases since several Real Audio servers are affected. Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow. See CVE-1999-0896 CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> ADDREF XF:realvideo-telnet-dos Name: CVE-1999-0282
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Dik MODIFY(1) Frech NOOP(1) Ozancin RECAST(1) Prosser REJECT(1) ChristeyVoter Comments: Frech> XF:sun-loadmodule XF:sun-modload (CERT CA-93.18 very old!) Prosser> Believe the reference given, 95-12, is referencing a later loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, they may be the same as the HP patches are 100448-02 for the 93 loadmodule/modload vulnerability and 100448-03 for the 95 loadmodule vulnerability which normally indicated a patch update. Looks like the original patch either didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell much beyond that and this is my opinion only as have no way to check it. Which one is this CVE referencing? I accept both. Dik> There are three similar Sun bug ids associated with the patches. 1076118 loadmodule has a security vulnerability 1148753 loadmodule has a security vulnerability 1222192 loadmodule has a security vulnerability as well as: 1137491 Ancient stuff. Christey> Add period to the end of the description. CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> This is distinct from CVE-1999-1584 - CVE-1999-1584 is for CA-93.18. CHANGE> [Christey changed vote from REVIEWING to REJECT] Christey> This candidate combines two separate issues. It uses the CERT alert reference from 1995, from one issue, but a description that is associated with a separate issue. Name: CVE-1999-0283
Description:
Status: Candidate Votes: ACCEPT(7) Baker, Blake, Cole, Collins, Dik, Northcutt, Wall MODIFY(1) Frech NOOP(5) Armstrong, Bishop, Christey, Landfield, Prosser REVIEWING(1) OzancinVoter Comments: Wall> Acknowledged by vendor at http://www.sun.com/software/jwebserver/techinfo/jws112info.html. Baker> Vulnerability Reference (HTML) Reference Type http://www.securityfocus.com/archive/1/7260 Misc Defensive Info http://www.sun.com/software/jwebserver/techinfo/jws112info.html Vendor Info Christey> BID:1891 URL:http://www.securityfocus.com/bid/1891 Christey> Add version number (1.1 beta) and details of attack (appending a . or a \) The Sun URL referenced by Dave Baker no longer exists, so I wasn't able to verify that it addressed the problem described in the Bugtraq post. This might not even be Sun's "Java Web Server," as CVE-2001-0186 describes some product called "Free Java Web Server" Dik> There appears to be some confusion. The particular bug seems to be one in JWS 1.1beta or 1.1 which was fixed in 1.1.2 (get foo.jhtml source by appending "." or "\" to URL) There are other bugs that give access and that require a configuration change. http://www.sun.com/software/jwebserver/techinfo/security_advisory.html Christey> Need to make sure to create CAN's for the other bugs, as documented in: NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2 BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2 The reported bugs are: 1) file read by appending %20 2) Directly call /servlet/file URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html #2 is explicitly mentioned in the Sun advisory for CVE-1999-0283. CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:javawebserver-cgi-source(5383) Name: CVE-1999-0284
Description:
Status: Candidate Votes: ACCEPT(2) Blake, Northcutt MODIFY(3) Frech, Levy, Ozancin NOOP(1) Baker REVIEWING(1) ChristeyVoter Comments: Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification) XF:mdaemon-helo-bo XF:lotus-notes-helo-crash XF:slmail-helo-overflow XF:smtp-helo-bo (mentions several products) XF:smtp-exchangedos Levy> - Need one per software. Each one should be its own vulnerability. Ozancin> => Windows NT is correct Christey> These are probably multiple codebases, so we'll need to use dot notation. Also need to see if this should be merged with CVE-1999-0098 (Sendmail SMTP HELO). Name: CVE-1999-0285
Description:
Status: Candidate Votes: ACCEPT(1) Hill NOOP(2) Baker, Wall REJECT(2) Christey, FrechVoter Comments: Christey> No references, no information. CHANGE> [Frech changed vote from REVIEWING to REJECT] Frech> No references; closest documented match is with CVE-2001-0346, but that's for Windows 2000. Name: CVE-1999-0286
Description:
Status: Candidate Votes: ACCEPT(3) Armstrong, Cole, Shostack MODIFY(3) Blake, Levy, Wall NOOP(5) Baker, Bishop, Landfield, Northcutt, Ozancin REJECT(1) Frech REVIEWING(1) ChristeyVoter Comments: Wall> In some NT web servers, appending a dot at the end of a URL may allow attackers to read source code for active pages. Source: MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears in Browser" Frech> In the meantime, reword description as 'Windows NT' (trademark issue) Christey> Q163485 does not refer to a space, it refers to a dot. However, I don't have other references. Reading source code with a dot appended is in CVE-1999-0154, which will be proposed. A subsequent bug similar to the dot bug is CVE-1999-0253. Levy> NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014 NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019 BID 273 Blake> Reference: http://www.allaire.com/handlers/index.cfm?ID=10967 CHANGE> [Christey changed vote from NOOP to REVIEWING] CHANGE> [Frech changed vote from REVIEWING to REJECT] Frech> BID articles) Name: CVE-1999-0287
Description:
Status: Candidate Votes: MODIFY(2) Frech, Shostack NOOP(4) Blake, Levy, Northcutt, Wall REJECT(2) Baker, ChristeyVoter Comments: Shostack> allows file reading Frech> XF:http-cgi-webcom-guestbook Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers Mnemonix says that he had previously reported on a similar problem. Let's refer to the NTBugtraq posting as CVE-1999-0467. We will refer to the "previous report" as CVE-1999-0287, which could be found at: http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html 0287 describes an exploit via the "template" hidden variable. The exploit describes manually editing the HTML form to change the filename to read from the template variable. The exploit as described in 0467 encodes the template variable directly into the URL. However, hidden variables are also encoded into the URL, which would have looked the same to the web server regardless of the exploit. Therefore 0287 and 0467 are the same. Christey> BID:2024 Name: CVE-1999-0298
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Dik, Levy, Northcutt MODIFY(1) Frech NOOP(3) Baker, Christey, ShostackVoter Comments: Christey> ADDREF BID:1441 URL:http://www.securityfocus.com/bid/1441 Dik> If you run with "-ypset", then you're always insecure. With ypsetme, only root on the local host can run ypset in Solaris 2.x+. Probably true for SunOS 4, hence my vote. CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> ADDREF XF:ypbind-ypset-root CHANGE> [Dik changed vote from REVIEWING to ACCEPT] Dik> This vulnerability does exist in SunOS 4.x in non default configurations. In Solaris 2.x, the vulnerability only applies to files named "cache_binding" and not all files ending in .2 Both releases are not vulnerable in the default configuration (both disallow ypset by default which prevents this problem from occurring) Name: CVE-1999-0306
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Frech, Northcutt MODIFY(1) Prosser NOOP(1) Shostack REJECT(1) ChristeyVoter Comments: Prosser> This is another of those with multiple affected OSs. Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt, HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150 Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is the same problem as in CERT:CA-97.13, which is CVE-1999-0038. Name: CVE-1999-0307
Description:
Status: Candidate Votes: ACCEPT(2) Frech, Northcutt NOOP(3) Baker, Prosser, Shostack RECAST(1) ChristeyVoter Comments: Prosser> only ref I can find is an old SOD exploit on www.outpost9.com Christey> MERGE CVE-1999-0336 (the exact exploit works with both cstm and mstm, which are clearly part of the same package, so CD:SF-EXEC says to merge them.) Also, there does not seem to be any recognition of this problem by HP. The only other information besides the Bugtraq post is the SOD exploit. See the original post: http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org Name: CVE-1999-0317
Description:
Status: Candidate Votes: ACCEPT(3) Frech, Hill, Northcutt NOOP(1) Prosser RECAST(1) Baker REVIEWING(1) ChristeyVoter Comments: Christey> DUPE CVE-1999-0845? Also, ADDREF XF:unixware-su-username-bo A report summary by Aleph One states that nobody was able to confirm this problem on any Linux distribution. Baker> If this is the same as the unixware, then it is a dupe of 1999-0845. There is about a two and half month difference in the bugtraq reporting of these. Sounds like the same bug however... Christey> XF:su-bo no longer seems to exist. How about XF:linux-subo(734) ? http://xforce.iss.net/static/734.php BID:475 also seems to describe the same problem (http://www.securityfocus.com/bid/475) in which case, vsyslog is blamed in: BUGTRAQ:19971220 Linux vsyslog() overflow http://www.securityfocus.com/archive/1/8274 Name: CVE-1999-0319
Description:
Status: Candidate Votes: ACCEPT(3) Frech, Hill, Northcutt NOOP(2) Baker, Prosser REVIEWING(1) ChristeyVoter Comments: Christey> BUGTRAQ:19961126 Security Problems in XMCD 2.1 A followup to this post says that xmcd is not suid here. Name: CVE-1999-0330
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(3) Northcutt, Shostack, Wall REVIEWING(1) LevyVoter Comments: Frech> XF:bdash-bo Name: CVE-1999-0331
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Northcutt MODIFY(2) Frech, Shostack RECAST(1) Prosser REJECT(2) Christey, LeBlancVoter Comments: Shostack> this is a high cardinality item Prosser> needs to be more specific. Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague duplicate) Description (from xfdb): Some versions of Internet Explorer for Windows contain a vulnerability that may crash the browser when a malicious web site contains a certain kind of URL (that begins with "mk://") with more characters than the browser supports. Christey> The description is too vague. LeBlanc> too vague Christey> Add period to the end of the description. Name: CVE-1999-0333
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Frech MODIFY(1) Prosser RECAST(1) ChristeyVoter Comments: Prosser> additional source HP Security Bulletin 85 http://us-support.external.hp.com http://europe-support.external.hp.com Christey> Two separate bugs, so SF-LOC says this candidate should be split Christey> ADDREF CIAC:J-007 URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml Name: CVE-1999-0336
Description:
Status: Candidate Votes: ACCEPT(2) Frech, Northcutt NOOP(3) Baker, Prosser, Shostack RECAST(1) ChristeyVoter Comments: Prosser> same as CVE-1999-0307, only ref I can find is an old SOD exploit on www.outpost9.com Christey> MERGE CVE-1999-0307 (the exact exploit works with both cstm and mstm, which are clearly part of the same package, so CD:SF-EXEC says to merge them.) Also, there does not seem to be any recognition of this problem by HP. The only other information besides the Bugtraq post is the SOD exploit. Name: CVE-1999-0345
Description:
Status: Candidate Votes: ACCEPT(2) Blake, Cole MODIFY(2) Frech, Wall NOOP(4) Bishop, Landfield, Northcutt, Ozancin RECAST(1) Meunier REJECT(4) Armstrong, Baker, LeBlanc, Levy REVIEWING(1) ChristeyVoter Comments: Wall> Invalid ICMP datagram fragments causes a denial of service in Windows 95 and Windows NT systems. Reference: Q154174. Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death. It is a modified teardrop 2 attack. Frech> XF:nt-ssping ADDREF XF:ping-death ADDREF XF:teardrop-mod ADDREF XF:mpeix-echo-request-dos Christey> I can't tell whether the Jolt exploit at: http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net is exploiting any different flaw than teardrop does. CHANGE> [Christey changed vote from NOOP to REVIEWING] Baker> Jolt (original) is basically just a fragmented oversized ICMP that kills Win boxes ala Ping of Death. Teardrop is altering the offset in fragmented tcp packets so that the end of subsequent fragments is inside first packet... Teardrop 2 is UDP packets, if I remember right. Seems like Jolt (original, not jolt 2) is just exploit code that creates a ping of death (CVE 1999-0128) Levy> I tend to agree with Baker. CHANGE> [Armstrong changed vote from REVIEWING to REJECT] Armstrong> This code does not use fragment overlap. It is simply a large ICMP echo request. Christey> See the SCO advisory at: http://www.securityfocus.com/templates/advisory.html?id=1411 which may further clarify the issue. LeBlanc> This is a hodge-podge of DoS attacks. Jolt isn't the same thing as ping of death - POD was an oversized ICMP packet, Jolt froze Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes. Teardrop and teardrop2 were related attacks (usually ICMP frag attacks), but each of these is a distinct vulnerability, affected a discrete group of systems, and should have distinct CVE numbers. CVE entries should be precise as to what the problem is. 
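An added example for this record, placed before Meunier's analysis of the Jolt packets that follows. This is illustrative code written for this page, not jolt.c, Jolt2 or any board member's simulator. It keeps the three properties the comments argue about separate so that each can be tested on its own: overlapping fragments (the teardrop family), a reassembled datagram longer than the 65535-byte IP maximum (the Ping of Death family), and a fragment whose IP header declares more bytes than were actually put on the wire. The fragment lists are constructed here; the Jolt figures used by jolt_arithmetic (172 fragments of 380 payload bytes, a last fragment declaring 418 bytes from a 400-byte buffer, and (n*380)>>3 measured against a starting offset of 5120) are the ones Meunier's comment cites, reproduced so the reader can check his arithmetic.

```python
"""Consistency checks for an IP fragment stream.

Added example for the Jolt discussion in this record; illustrative code, not
jolt.c, Jolt2 or any board member's simulator. The fragment lists below are
constructed; the figures in jolt_arithmetic() are the ones quoted in Meunier's
comment and are used here only to reproduce his calculation.
"""
IP_MAX_LEN = 65535   # maximum IP total length
IP_HDR_LEN = 20      # assumption: header without options


def check_fragments(frags):
    """frags: list of (offset_bytes, declared_payload_bytes, bytes_on_wire).

    Returns a dict with: overlap (bool), first_overlap (the covering span and
    the span that first lands inside it, or None), reassembled_len (header plus
    the furthest byte any fragment claims), oversized (bool), and truncated
    (fragments whose declared payload exceeds what was actually sent).
    """
    spans = sorted((off, off + ln) for off, ln, _ in frags)
    overlaps = []
    reach, reaching = 0, None      # furthest end seen so far, and its span
    for span in spans:
        lo, hi = span
        if reaching is not None and lo < reach:
            overlaps.append((reaching, span))
        if hi > reach:
            reach, reaching = hi, span
    truncated = [f for f in frags if f[2] < f[1]]
    return {
        "overlap": bool(overlaps),
        "first_overlap": overlaps[0] if overlaps else None,
        "reassembled_len": IP_HDR_LEN + reach,
        "oversized": IP_HDR_LEN + reach > IP_MAX_LEN,
        "truncated": truncated,
    }


def jolt_arithmetic(n_frags=172, payload=380, last_declared=418, buf=400, start_off=5120):
    """The three numbers from Meunier's comment: total bytes the stream claims,
    bytes missing from the last fragment (declared length minus the buffer that
    sendto() actually wrote), and the first n at which (n*payload)>>3 exceeds
    start_off."""
    total = n_frags * payload + last_declared
    missing = last_declared - buf
    first_n = next(n for n in range(1 << 20) if (n * payload) >> 3 > start_off)
    return total, missing, first_n


# Constructed fragment lists (offset, declared payload, bytes on wire).
TEARDROP_LIKE = [(0, 36, 36), (24, 36, 36)]              # second fragment lands inside the first
POD_LIKE = [(i * 1480, 1480, 1480) for i in range(45)]   # no overlap, but 45*1480 > 65535
TRUNCATED_LAST = [(0, 380, 380), (40960, 398, 380)]      # header says 398 payload bytes, 380 sent


if __name__ == "__main__":
    for name, frags in (("teardrop-like", TEARDROP_LIKE), ("pod-like", POD_LIKE),
                        ("truncated", TRUNCATED_LAST)):
        print(name, check_fragments(frags))
    print("jolt (total, missing, first_n):", jolt_arithmetic())
```

Run against a capture, the dict makes the distinction the comments ask for explicit: a stream that trips only "overlap" is teardrop-shaped, one that trips only "oversized" is Ping of Death-shaped, and a stream that trips both plus "truncated" is the multi-faceted case that makes a single CVE hard to assign.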
Meunier> I agree with Leblanc in that Jolt is multi-faceted. Jolt has characteristics of Ping of Death AND teardrop, but it doesn't do either exactly. Moreover, it sends a truncated IP fragment. I disagree with Armstrong; jolt uses overlapping fragments. It's not a simple ping of death either. It may be that the author's intent was to construct a "super attack" somehow combining elements of other vulnerabilities to try to make it more potent. In any case it succeeded in confusing the CVE board :-). I notice that Jolt uses echo replies (type 0) instead of echo requests (to get past firewalls?). Jolt is peculiar in that it also sends numerous overlapping fragments. The "Pascal Simulator" :-) says it sends:
- 172 fragments of length 400 with offset starting at 5120 and increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)), which eventually results in sending fragments inside an already covered area once ((n* 380) >> 3) is greater than 5120, which occurs when n reaches 108. This would look a bit like TearDrop if fragments were reassembled on-the-fly.
- 1 fragment such that the total length of all the fragments is greater than 65535 (my calculation is 172*380 + 418 = 65778; the comment about 65538 must be wrong). The last packet is size 418 according to the IP header but the buffer is of size 400. The sendto takes as argument the size of the buffer so a truncated packet is sent.
So, I am not sure if the problem is because the last packet doesn't extend to the payload it says it has or because the total size of all fragments is greater than 65535. The author says it may take more than one sending, so perhaps this has to do with an incorrect error handling and recovery. One would need to experiment and isolate each of those characteristics and test them independently. Inasmuch as each of those things is likely a different vulnerability, then I agree with Leblanc that this entry should be split. I'll try that if I ever get bored.
Jolt 2 should also have a different entry (see below). Jolt 2 runs in an infinite loop, sending the same fragmented IP packet, which can pretend to be "ICMP" or "UDP" data; however this is meaningless, as it's just a late fragment of an IP packet. The attack works only as long as packets are sent. According to http://www.securityfocus.com/archive/1/62170 the packets are truncated, and would overflow over the 65535 byte limit, which is similar to Jolt. Note that Jolt does send that much data whereas jolt2 doesn't. Since jolt2 is simpler and narrower than jolt, and it has weaker consequences, I believe that it's a different vulnerability. "Jolt 2 vulnerability causes a temporary denial-of-service in Windows-type OSes" would be a title for it.

Name: CVE-1999-0347
Description:
Status: Candidate
Votes: ACCEPT(4) Baker, LeBlanc, Levy, Northcutt MODIFY(2) Frech, Prosser REVIEWING(1) Christey
Voter Comments:
Prosser> this is a modified Cross-Frame vulnerability that circumvents the original Cross-Frame Patch. Addressed in MS Bulletin MS99.012 http://www.microsoft.com/security/bulletins/ms99-012.asp
Christey> Duplicate of CVE-1999-0490?
LeBlanc> If Prosser is correct that this is MS99-012, accept
Christey> BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2 NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2 BID:197 URL:http://www.securityfocus.com/bid/197
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:ie-window-spoof(2069)

Name: CVE-1999-0352
Description:
Status: Candidate
Votes: ACCEPT(2) Baker, Frech NOOP(2) Northcutt, Wall RECAST(1) Ozancin
Voter Comments:
Ozancin> Can we combine this with CVE-1999-0356 - ControlIT(tm) 4.5 and earlier uses weak encryption.

Name: CVE-1999-0354
Description:
Status: Candidate
Votes: ACCEPT(3) Baker, Ozancin, Wall MODIFY(1) Frech NOOP(1) Christey
Voter Comments:
Frech> XF:word97-template-macro
Christey> CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2 BID:196 http://www.securityfocus.com/bid/196
Christey> MSKB:Q214652 http://support.microsoft.com/support/kb/articles/q214/6/52.asp

Name: CVE-1999-0356
Description:
Status: Candidate
Votes: ACCEPT(2) Baker, Frech NOOP(2) Northcutt, Wall RECAST(1) Ozancin

Name: CVE-1999-0359
Description:
Status: Candidate
Votes: ACCEPT(2) Cole, Frech MODIFY(1) Baker
Voter Comments:
Frech> XF:ptylogin-dos
Baker> Should say "... lock out a modem, ..." rather than "... locking out modems..."

Name: CVE-1999-0360
Description:
Status: Candidate
Votes: ACCEPT(6) Blake, Cole, Collins, Landfield, Northcutt, Wall MODIFY(3) Baker, Frech, LeBlanc NOOP(4) Armstrong, Christey, Ozancin, Prosser
Voter Comments:
Christey> I can't find the original Bugtraq posting (it appears that mnemonix discovered the problem).
LeBlanc> - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a BUGTRAQ posting we can't find could be anything.
Baker> Vulnerability Reference (HTML) Reference Type http://www.securityfocus.com/archive/1/12218 Misc Defensive Info Vulnerability Reference (HTML) Reference Type This is the URL for the Bugtraq posting. It was cross posted to NT Bugtraq as well, but identical text. It was Mnemonix...
Christey> BID:1811 URL:http://www.securityfocus.com/bid/1811
Christey> CHANGEREF BUGTRAQ add "Server 2." to the subject. Also standardize NTBUGTRAQ reference title.
Christey> Add "uploadn.asp" to the description.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:siteserver-user-dir-permissions(5384)

Name: CVE-1999-0361
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(2) Northcutt, Wall
Voter Comments:
Frech> XF:compulink-pw-laserfiche(1679) Normalize BUGTRAQ reference to: BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords

Name: CVE-1999-0364
Description:
Status: Candidate
Votes: ACCEPT(2) Baker, LeBlanc MODIFY(1) Frech NOOP(2) Northcutt, Wall
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:access-weak-passwords(1774) An older published reference (from our own Adam) would be better: ailab.coderpunks Newsgroup, 1998/06/23 "Re: MS Access 2.0" http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=919207028.1462108427&hitnum=1

Name: CVE-1999-0370
Description:
Status: Candidate
Votes: ACCEPT(4) Baker, Dik, Northcutt, Prosser MODIFY(1) Frech REVIEWING(1) Christey
Voter Comments:
Frech> Reference: XF:sun-man
Christey> ADDREF CIAC:J-028 Is the Linux man symlink problem the same as the one for Sun? See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1 Also see BID:305
Dik> sun bug 4154565

Name: CVE-1999-0381
Description:
Status: Candidate
Votes: ACCEPT(7) Baker, Blake, Cole, Frech, Landfield, Levy, Ozancin MODIFY(1) Bishop NOOP(2) Armstrong, Wall REVIEWING(1) Christey
Voter Comments:
Christey> Is this the same as CVE-1999-0373? They both have the same X-Force reference. BID:342 suggests that there are two. http://www.debian.org/security/1999/19990215a suggests that there are two. However, CVE-1999-0373 is written up in a fashion that is too general; and both XF:linux-super-bo and XF:linux-super-logging-bo refer to CVE-1999-0373. CVE-1999-0373 may need to be split.
Frech> From what I can surmise, ISS released the original advisory (attached to linux-super-bo), and Sekure SDI expanded on it by releasing another related overflow in syslog (which is linux-super-logging-bo). When I was originally assigning these issues, I placed both XF references and the ISS advisory on the -0373 candidate, since there was nothing else available. Based on the information above, I'd request that XF:linux-super-logging-bo be removed from CVE-1999-0373.
Christey> Given Andre's feedback, these are different issues. CVE-1999-0373 does not need to be split because the ISS reference is sufficient to distinguish that CVE from this candidate; however, the CVE-1999-0373 description should probably be modified slightly.
Bishop> (as indicated by Christey)
CHANGE> [Cole changed vote from NOOP to ACCEPT]
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> There are 2 bugs, as confirmed by the super author at: BUGTRAQ:19990226 Buffer Overflow in Super (new) http://www.securityfocus.com/archive/1/12713 BID:397 also seems to cover this one, and it may cover CVE-1999-0373 as well.

Name: CVE-1999-0389
Description:
Status: Candidate
Votes: ACCEPT(3) Baker, Ozancin, Stracener MODIFY(1) Frech REVIEWING(1) Christey
Voter Comments:
Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389 has January 1999 dates associated with it, while CVE-1999-0798 was reported in late December. Also, is this the same line of code as CVE-1999-0914? Both are in the netstd package, it could look like a library problem. However, deep in the changelog in the netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes the following entry:
+netstd (3.07-7slink.1) frozen; urgency=high
+
+ * bootpd: Applied patch from Redhat as well as a fix for the overflow in
+ report() (fixes #30675).
+ * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow
+ bugs.
+
+ -- Herbert Xu <herbert@debian.org> Sat, 19 Dec 1998 14:36:48 +1100
This tells me that two separate bugs are involved. Note that Red Hat posted *some* fix for *some* bootp problem in June 1998. See: http://www.redhat.com/support/errata/rh42-errata-general.html#bootp
Frech> XF:debian-netstd-bo
Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
CHANGE> [Christey changed vote from REJECT to REVIEWING]
Christey> The fix information for BID:324 suggests that there are two overflows, one of which is in handle_request (bootpd.c) and is likely related to a file name; but there is another issue in report (report.c) which also looks like a straightforward overflow, which would suggest that this is not a duplicate of CVE-1999-0798 or CVE-1999-0799. Note: see comments for CVE-1999-0798 which explain how that candidate is not related to CVE-1999-0799.

Name: CVE-1999-0394
Description:
Status: Candidate
Votes: ACCEPT(1) Baker NOOP(1) Christey REJECT(1) Frech
Voter Comments:
Frech> If I understand the issue, this HIGHCARD involves insecure web programming. If I don't understand, mark this as my first NOOP.
Christey> CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com ADDREF BID:565 URL:http://www.securityfocus.com/vdb/bottom.html?vid=565

Name: CVE-1999-0397
Description:
Status: Candidate
Votes: ACCEPT(1) Northcutt MODIFY(1) Frech NOOP(1) Baker REJECT(1) Wall
Voter Comments:
Wall> Reject based on beta copy.
Frech> XF:quakenbush-pw-appraiser(1652)

Name: CVE-1999-0398
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(1) Frech
Voter Comments:
Frech> Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet released. v1.2.26 should be substituted in the description for '27. XF:ssh-exp-account-access

Name: CVE-1999-0399
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(1) Frech
Voter Comments:
Frech> XF:mirc-dcc-metachar-filename

Name: CVE-1999-0400
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(1) Frech
Voter Comments:
Frech> BUGTRAQ:Jan27,1999 (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22&msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com) XF:linux-kernel-ldd-dos

Name: CVE-1999-0401
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(1) Frech
Voter Comments:
Frech> XF:linux-race-condition-proc

Name: CVE-1999-0406
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(1) Frech
Voter Comments:
Frech> In description, change 'which' to 'that'.

Name: CVE-1999-0411
Description:
Status: Candidate
Votes: MODIFY(2) Baker, Frech NOOP(2) Christey, Wall
Voter Comments:
Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not 19 February) mentions gaining root access... it says a local user could "delete or overwrite arbitrary files on the system."
Baker> By overwriting arbitrary files, one could then gain root access. I agree with a minor description change to reflect this.
Christey> Normalize Bugtraq reference to: BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p). http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2 Also, SCO:SB-99.17 ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c

Name: CVE-1999-0418
Description:
Status: Candidate
Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(3) Baker, Foat, Wall REVIEWING(1) Christey
Voter Comments:
Christey> DUPE CVE-1999-0144 and CVE-1999-0250?
Frech> XF:smtp-rctpto-dos(7499)

Name: CVE-1999-0419
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(2) Frech, LeBlanc REVIEWING(1) Christey
Voter Comments:
Frech> XF:smtp-4xx-error-dos
LeBlanc> - if we can find a KB or something that shows that this wasn't just user error, I'd vote ACCEPT.
Christey> David Lemson, Microsoft SMTP Service Program Manager, posted a followup that said "We have confirmed this as a problem..." http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2

Name: CVE-1999-0426
Description:
Status: Candidate
Votes: MODIFY(1) Frech NOOP(1) Baker REJECT(1) Christey
Voter Comments:
Frech> XF:linux-dev-kmem-spoof
Christey> DUPE CVE-1999-0414 XF:linux-dev-kmem-spoof does not exist.
Christey> *Now* XF:linux-dev-kmem-spoof(3500) exists...

Name: CVE-1999-0427
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) Christey
Voter Comments:
Frech> Change version number to 4.2beta. Second to last paragraph in bugtraq reference states: "Both the Win 95 and Win NT versions, along with the 4.2 beta of Eudora are affected."
Christey> This issue seems to have been rediscovered in BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2 Also see BUGTRAQ:19990320 Eudora Attachment Buffer Overflow http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2 Is this a duplicate/subsumed by CVE-1999-0004?

Name: CVE-1999-0431
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) Christey
Voter Comments:
Frech> XF:linux-zerolength-fragment
Christey> Consider adding BID:2247

Name: CVE-1999-0434
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) Christey
Voter Comments:
Frech> XF:xfree86-xfs-symlink-dos
Christey> Is this the same problem as CVE-1999-0433? CVE-1999-0433 deals with a symlink attack on one file (/tmp/.X11-unix), while xfs (this candidate) deals with /tmp/.font-unix XF:xfree86-xfs-symlink-dos doesn't exist.
Christey> ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable Note: Debian's advisory says that this is not a problem for Debian.

Name: CVE-1999-0435
Description:
Status: Candidate
Votes: ACCEPT(2) Baker, Ozancin MODIFY(1) Frech NOOP(1) Christey
Voter Comments:
Frech> XF:hp-servicegaurd
Christey> ADDREF CIAC:J-039
Christey> Note the typo in Andre's suggested reference. Normalize to XF:hp-serviceguard(2046)

Name: CVE-1999-0443
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(1) Frech
Voter Comments:
Frech> Change "Patrol management software" to "The PATROL management product from BMC Software".

Name: CVE-1999-0444
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(1) Frech
Voter Comments:
Frech> ADDREF: XF:windows-arp-dos

Name: CVE-1999-0450
Description:
Status: Candidate
Votes: ACCEPT(2) Ozancin, Wall NOOP(2) Baker, Christey REJECT(2) Frech, LeBlanc
Voter Comments:
Frech> Can't find in database.
Christey> This looks like another discovery of CVE-2000-0071
LeBlanc> - I just tried to repro this based on the BUGTRAQ vuln information, and it does not repro -
GET /bogus.pl HTTP/1.0
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Thu, 05 Oct 2000 21:04:20 GMT
Content-Length: 3243
Content-Type: text/html
No path is returned whatsoever. This may have been a problem on some version of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable. Let's try and figure out what version had the problem, whether it is intrinsic to IIS or the result of adding a 3rd party implementation of perl, and when it got fixed, then we can try again.
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Christey> Add "no-such-file.pl" as an example to the desc, to facilitate search (it's used by CGI scanners and in the original example)

Name: CVE-1999-0451
Description:
Status: Candidate
Votes: ACCEPT(2) Baker, Ozancin MODIFY(1) Frech NOOP(1) Wall
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:linux-ports-dos(8364)

Name: CVE-1999-0452
Description:
Status: Candidate
Votes: ACCEPT(2) Baker, Wall REJECT(1) Frech
Voter Comments:
Frech> Much too broad. Also may be HIGHCARD (or will be in the future).
Baker> I think we want to address this using the dot notation idea. We do need to address this, just not a separate entry for every single occurrence.

Name: CVE-1999-0453
Description:
Status: Candidate
Votes: ACCEPT(2) Baker, Balinsky MODIFY(1) Frech NOOP(2) Northcutt, Wall REVIEWING(1) Christey
Voter Comments:
Frech> XF:cisco-ident(2289) ADDREF BUGTRAQ:19990118 Remote Cisco Identification In description, probably better to use "Cisco" as product/company name.
Balinsky> CiscoSecure IDS has a signature for this...ID 3602 Cisco IOS Identity.
Christey> There may be a slight abstraction problem here, e.g. look at the candidate for queso/nmap; also see followup Bugtraq post from "Basement Research" on 19990120 which says that there are many other features in Cisco products that allow remote identification.
Christey> fix typo: "Dicsovery"

Name: CVE-1999-0454
Description:
Status: Candidate
Votes: MODIFY(1) Frech NOOP(2) Christey, Wall REJECT(2) Baker, Northcutt
Voter Comments:
Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced ways to accomplish this. To pursue making the world signature free is as much a vulnerability as having signatures, nay more.
Frech> XF:decod-nmap(2053) XF:decod-queso(2048)
Christey> Add "fingerprinting" to facilitate search. Some references:
MISC:http://www.insecure.org/nmap/nmap-fingerprinting-article.html
BUGTRAQ:19981228 A few more fingerprinting techniques - time and netmask http://marc.theaimsgroup.com/?l=bugtraq&m=91489155019895&w=2
BUGTRAQ:19990222 Preventing remote OS detection http://marc.theaimsgroup.com/?l=bugtraq&m=91971553006937&w=2
BUGTRAQ:20000901 ICMP Usage In Scanning v2.0 - Research Paper http://marc.theaimsgroup.com/?l=bugtraq&m=96791499611849&w=2
BUGTRAQ:20000912 Using the Unused (Identifying OpenBSD, http://marc.theaimsgroup.com/?l=bugtraq&m=96879267724690&w=2
BUGTRAQ:20000912 The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs) http://marc.theaimsgroup.com/?l=bugtraq&m=96879481129637&w=2
BUGTRAQ:20000816 TOSing OSs out of the window / Fingerprinting Windows 2000 with http://marc.theaimsgroup.com/?l=bugtraq&m=96644121403569&w=2
BUGTRAQ:20000609 p0f - passive os fingerprinting tool http://marc.theaimsgroup.com/?l=bugtraq&m=96062535628242&w=2
Baker> I think we can probably reject this as the corollary is that you can identify OS from a IP/TCP packet sent by a system, looking at various parts of the SYN packet. Unless we believe that all systems should always use identical packet header/identical responses, in which case the protocol should not permit variation.

Name: CVE-1999-0455
Description:
Status: Candidate
Votes: ACCEPT(3) Balinsky, Frech, Ozancin MODIFY(1) Wall NOOP(1) Baker REVIEWING(1) Christey
Voter Comments:
Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues) make application plural since there are three sample applications (openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm).
Christey> The CD:SF-EXEC and CD:SF-LOC content decisions apply here. Since there are 3 separate "executables" with the same (or similar) problem, we need to make sure that CD:SF-EXEC determines what to do here. There is evidence that some of these .cfm scripts have an "include" file, and if so, then CD:SF-LOC says that we shouldn't make separate entries for each of these scripts. On the other hand, the initial L0pht discovery didn't include all 3 of these scripts, and as far as I can tell, Allaire had patched the first problem before the others were discovered. So, CD:DISCOVERY-DATE may argue that we should split these because the problems were discovered and patched at different times. In any case, this candidate can not be accepted until the Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC, and CD:DISCOVERY-DATE content decisions.

Name: CVE-1999-0459
Description:
Status: Candidate
Votes: ACCEPT(1) Frech NOOP(2) Baker, Northcutt REJECT(1) Wall
Voter Comments:
Wall> Reject based on beta copy.

Name: CVE-1999-0460
Description:
Status: Candidate
Votes: ACCEPT(2) Baker, Ozancin MODIFY(1) Frech NOOP(1) Wall
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:linux-autofs-bo(8365)

Name: CVE-1999-0461
Description:
Status: Candidate
Votes: MODIFY(1) Frech RECAST(1) Baker REVIEWING(1) Christey
Voter Comments:
Frech> ADDREF XF:pmap-sset
Christey> CVE-1999-0195 = CVE-1999-0461 ? If this is approved over CVE-1999-0195, make sure it gets XF:pmap-sset
Baker> This does appear to be a duplicate. We should accept 1999-0195, since it already has the votes and get rid of this one

Name: CVE-1999-0462
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) Christey
Voter Comments:
Frech> XF:perl-suidperl-bo
Christey> XF:perl-suidperl-bo doesn't exist.

Name: CVE-1999-0465
Description:
Status: Candidate
Votes: ACCEPT(2) Frech, Northcutt NOOP(1) Baker REJECT(2) LeBlanc, Wall
Voter Comments:
Wall> Reject based on client-side DoS
LeBlanc> Client side DOS

Name: CVE-1999-0467
Description:
Status: Candidate
Votes: ACCEPT(4) Blake, Frech, Landfield, Ozancin NOOP(3) Baker, Christey, Northcutt
Voter Comments:
Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers Mnemonix says that he had previously reported on a similar problem. Let's refer to the NTBugtraq posting as CVE-1999-0467. We will refer to the "previous report" as CVE-1999-0287, which can be found at: http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html 0287 describes an exploit via the "template" hidden variable. The exploit describes manually editing the HTML form to change the filename to read from the template variable. The exploit as described in 0467 encodes the template variable directly into the URL. However, hidden variables are also encoded into the URL, which would have looked the same to the web server regardless of the exploit. Therefore 0287 and 0467 are the same.
Christey> The CD:SF-EXEC content decision also applies here. We have 2 programs, wguest.exe and rguest.exe, which appear to have the same problem. CD:SF-EXEC needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry. When finalized, CD:SF-EXEC will decide whether this candidate should be split or not.
Christey> BID:2024

Name: CVE-1999-0469
Description:
Status: Candidate
Votes: ACCEPT(1) Wall NOOP(2) Baker, Northcutt REJECT(3) Christey, Frech, LeBlanc
Voter Comments:
Wall> Reference: Microsoft Security Bulletin MS99-012
Christey> DUPE CVE-1999-0488
Frech> Defer to Christey's vote. However, XF:ie-mshtml-crossframe(2216) assigned to CVE-1999-0488.
LeBlanc> Duplicate

Name: CVE-1999-0476
Description:
Status: Candidate
Votes: ACCEPT(3) Baker, Frech, Ozancin NOOP(3) LeBlanc, Northcutt, Wall

Name: CVE-1999-0477
Description:
Status: Candidate
Votes: ACCEPT(4) Baker, Christey, Frech, Ozancin REJECT(1) Wall
Voter Comments:
Wall> Duplicate of 0455
Christey> CVE-1999-0477 and CVE-1999-0455 were discovered at different times. Also, the attack was different. So "Same Attack" and "Same Time of Discovery" dictate that these should remain separate.

Name: CVE-1999-0480
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) Christey
Voter Comments:
Frech> XF:midnight-commander-symlink-dos
Christey> XF:midnight-commander-symlink-dos(3505)

Name: CVE-1999-0486
Description:
Status: Candidate
Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) Christey
Voter Comments:
Frech> XF:aol-im.
Christey> XF:aol-im appears to be related to the problem discussed in BUGTRAQ:19980224 AOL Instant Messanger Bug This one is related to BUGTRAQ:19990420 AOL Instant Messenger URL Crash

Name: CVE-1999-0488
Description:
Status: Candidate
Votes: ACCEPT(2) Baker, Landfield MODIFY(2) Frech, Wall NOOP(2) Christey, Ozancin
Voter Comments:
Frech> XF:ie-mshtml-crossframe
Wall> (source: MSKB:Q168485)
Christey> CVE-1999-0469 appears to be a duplicate; prefer this one over that one, since this one has an MS advisory. Confirm with Microsoft that these are really duplicates. Also review CVE-1999-0487, which appears to be a similar bug.

Name: CVE-1999-0489
Description:
Status: Candidate
Votes: ACCEPT(1) Levy MODIFY(1) Wall NOOP(2) Baker, Ozancin RECAST(1) Prosser REJECT(1) Christey REVIEWING(1) Frech
Voter Comments:
Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a clipboard in either. I cannot proceed on this one without further clarification.
Wall> (source: MS:MS99-012)
Prosser> agree with Andre here. The Untrusted Scripted paste vulnerability was originally addressed in MS98-015 and it is in the file upload intrinsic control in which an attacker can paste the name of a file on the target's drive in the control and a form submission would then send that file from the attacked machine to the remote web site. This one has nothing to do with the clipboard. What the advisory mentioned here, MS99-012, does is replace the MSHTML parsing engine which is supposed to fix the original Untrusted Scripted Paste issue and a variant, as well as the two Cross-Frame variants and a privacy issue in IMG SRC. The vulnerability that allowed reading of a user's clipboard is the Forms 2.0 Active X control vulnerability discussed in MS99-01
Christey> The advisory should have been listed as MS99-012. CVE-1999-0468 describes the untrusted scripted paste problem in MS99-012.
Frech> Pending response to guidance request. 12/6/01.

Name: CVE-1999-0490
Description:
Status: Candidate
Votes: ACCEPT(2) Landfield, Wall MODIFY(1) Frech NOOP(2) Baker, Ozancin REVIEWING(1) Christey
Voter Comments:
Frech> XF:ie-scriplet-fileread
Christey> Duplicate of CVE-1999-0347?

Name: CVE-1999-0492
Description:
Status: Candidate
Votes: ACCEPT(3) Armstrong, Collins, Northcutt MODIFY(4) Baker, Blake, Frech, Shostack NOOP(4) Christey, Cole, Landfield, Wall REVIEWING(1) Ozancin
Voter Comments:
Shostack> isn't that what finger is supposed to do?
Landfield> Maybe we need a new category of "unsafe system utilities and protocols"
Blake> Ffingerd 1.19 allows remote attackers to differentiate valid and invalid usernames on the target system based on its responses to finger queries.
Christey> CHANGEREF BUGTRAQ [canonicalize] BUGTRAQ:19990423 Ffingerd privacy issues http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2 Here's the nature of the problem. (1) FFingerd allows users to decide not to be fingered, printing a message "That user does not want to be fingered" (2) If the fingered user does not exist, then FFingerd's intended default is to print that the user does not want to be fingered; however, the error message has a period at the end. Thus, ffingerd can allow someone to determine who valid users on the server are, *in spite of* the intended functionality of ffingerd itself. Thus this exposure should be viewed in light of the intended functionality of the application, as opposed to the common usage of the finger protocol in general. Also, the vendor posted a followup and said that a patch was available. See: http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2
Baker> Vulnerability Reference (HTML) Reference Type http://www.securityfocus.com/archive/1/13422 Misc Defensive Info
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:ffinger-user-info(5393)

Name: CVE-1999-0495
Description:
Status: Candidate
Votes: ACCEPT(6) Baker, Blake, Cole, Collins, Northcutt, Ozancin MODIFY(1) Frech NOOP(4) Armstrong, Bishop, Landfield, Wall REVIEWING(2) Christey, Levy
Voter Comments:
Frech> XF:nb-dotdotknown(837) References would be appreciated. We've got no reference for this issue; confidence rating is consequently low.
Levy> Some references: http://www.securityfocus.com/archive/1/3894 http://www.securityfocus.com/archive/1/3533 http://www.securityfocus.com/archive/1/3535

Name: CVE-1999-0497
Description:
Status: Candidate
Votes: ACCEPT(1) Shostack MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(1) Northcutt
Voter Comments:
Frech> ftp-anon(52) at http://xforce.iss.net/static/52.php ftp-anon2(543) at http://xforce.iss.net/static/543.php
Christey> Add period to the end of the description.
Baker> Don't know about this, but it may be the only easy way to allow access to data for some folks.

Name: CVE-1999-0498
Description:
Status: Candidate
Votes: ACCEPT(3) Blake, Hill, Northcutt MODIFY(1) Frech NOOP(1) Baker REVIEWING(1) Christey
Voter Comments:
Frech> XF:linux-tftp
Christey> XF:linux-tftp refers to CVE-1999-0183

Name: CVE-1999-0499
Description:
Status: Candidate
Votes: ACCEPT(5) Baker, Northcutt, Ozancin, Shostack, Wall MODIFY(1) Frech REJECT(1) LeBlanc
Voter Comments:
Frech> Change wording to 'Windows NT.' XF:snmp-netbios
LeBlanc> Share info can be obtained via SNMP queries, but I question whether this is a vulnerability. The system can be configured not to do this, and one may argue that SNMP itself is an insecure configuration. Furthermore, the share information isn't published via registry keys - the description could refer to more than one actual issue. SNMP is meant to allow people to obtain information about systems. I'm willing to discuss this with the rest of the board.

Name: CVE-1999-0501
Description:
Status: Candidate
Votes: ACCEPT(3) Baker, Northcutt, Shostack RECAST(2) Frech, Meunier REVIEWING(1) Christey
Voter Comments:
Frech> Guessable falls into the class of CVE-1999-0502, since I can guess a default, null, etc. password. Suggest changing to something like "has an existing non-default password that can be guessed." I'm also including default passwords in this entry. In that vein, we show the following references: XF:user-password XF:passwd-username XF:default-unix-sync XF:default-unix-4dgifts XF:default-unix-bin XF:default-unix-daemon XF:default-unix-lp XF:default-unix-me XF:default-unix-nuucp XF:default-unix-root XF:default-unix-toor XF:default-unix-tour XF:default-unix-tty XF:default-unix-uucp
Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using.
CHANGE> [Meunier changed vote from ACCEPT to RECAST]
Meunier> This relates only to account password technology, so this candidate is independent of the operating system, application, web site or other application of this technology. The appropriate (natural) level of abstraction is therefore without specifying that it is for UNIX. Change the description to "An account has a guessable password other than default, null, blank." This should satisfy Andre's objection. This Candidate should be merged with any candidate relating to account password technology where "Unix" in the original description can be replaced by something else.

Name: CVE-1999-0502
Description:
Status: Candidate
Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech REVIEWING(1) Christey
Voter Comments:
Frech> XF:passwd-blank XF:no-pass XF:dict XF:sgi-accounts XF:linux-caldera-lisa
Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using.

Name: CVE-1999-0503
Description:
Status: Candidate
Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech REVIEWING(1) Christey
Voter Comments:
Frech> Note: I am assuming that this entry includes Windows 2000 accounts and machine/service accounts listed in User Manager. XF:nt-guess-admin XF:nt-guess-user XF:nt-guess-guest XF:nt-guessed-operpwd XF:nt-guessed-powerwd XF:nt-guessed-disabled XF:nt-guessed-backup XF:nt-guessed-acctoper-pwd XF:nt-adminuserpw XF:nt-guestuserpw XF:nt-accountuserpw XF:nt-operator-userpw XF:nt-service-user-pwd XF:nt-server-oper-user-pwd XF:nt-power-user-pwd XF:nt-backup-operator-userpwd XF:nt-disabled-account-userpwd
Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using.

Name: CVE-1999-0504
Description:
Status: Candidate
Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech REVIEWING(1) Christey
Voter Comments:
Frech> XF:nt-guestblankpw XF:nt-adminblankpw XF:nt-adminnopw XF:nt-usernopw XF:nt-guestnopw XF:nt-accountblankpw XF:nt-nopw XF:nt-operator-blankpwd XF:nt-server-oper-blank-pwd XF:nt-power-user-blankpwd XF:nt-backup-operator-blankpwd XF:nt-disabled-account-blankpwd
Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using.

Name: CVE-1999-0505
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech
Voter Comments:
Frech> XF:nt-guessed-domain-userpwd XF:nt-guessed-domain-guestpwd XF:nt-guessed-domain-adminpwd XF:nt-domain-userpwd XF:nt-domain-admin-userpwd XF:nt-domain-guest-userpwd XF:win2k-certpub-usrpwd XF:win2k-dhcpadm-usrpwd XF:win2k-dnsadm-usrpwd XF:win2k-entadm-usrpwd XF:win2k-schema-usrpwd XF:win2k-guessed-certpub XF:win2k-guessed-dhcpadm XF:win2k-guessed-dnsadm XF:win2k-guessed-entadm XF:win2k-guessed-schema
Name: CVE-1999-0506
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech
Voter Comments:
Frech> XF:nt-domain-admin-blankpwd XF:nt-domain-admin-nopwd XF:nt-domain-guest-blankpwd XF:nt-domain-guest-nopwd XF:nt-domain-user-blankpwd XF:nt-domain-user-nopwd XF:win2k-certpub-blnkpwd XF:win2k-dhcpadm-blnkpwd XF:win2k-dnsadm-blnkpwd XF:win2k-entadm-blnkpwd XF:win2k-schema-blnkpwd
Name: CVE-1999-0507
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech
Voter Comments:
Frech> XF:firewall-tisopen XF:firewall-raptoropen XF:firewall-msopen XF:firewall-checkpointopen XF:firewall-ciscoopen
Name: CVE-1999-0508
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech NOOP(1) Christey
Voter Comments:
Frech> Note: Because the distinction between network hardware and software is not distinct, the term 'network device' was liberally interpreted. Feel free to reject any of the below terms. XF:default-netranger XF:cayman-gatorbox XF:breezecom-default-passwords XF:default-portmaster XF:wingate-unpassworded XF:netopia-unpassworded XF:default-bay-switches XF:motorola-cable-default-pass XF:default-flowpoint XF:qms-2060-no-root-password XF:avirt-ras-password XF:webtrends-rtp-serv-install-password XF:cisco-bruteforce XF:cisco-bruteadmin XF:sambar-server-defaults XF:management-pfcuser XF:http-cgi-wwwboard-default
Christey> DELREF XF:avirt-ras-password - does not fit CVE-1999-0508.
Name: CVE-1999-0509
Description:
Status: Candidate Votes: ACCEPT(2) Northcutt, Wall MODIFY(1) Frech NOOP(1) Baker REVIEWING(1) Christey
Voter Comments:
Christey> What is the right level of abstraction to use here? Should we combine all possible interpreters into a single entry, or have a different entry for each one? I've often seen Perl separated from other interpreters - is it included by default in some Windows web server configurations?
Christey> Add tcsh, zsh, bash, rksh, ksh, ash, to support search.
Frech> XF:http-cgi-vuln(146)
Name: CVE-1999-0510
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Northcutt MODIFY(1) Frech
Voter Comments:
Frech> XF:source-routing
Name: CVE-1999-0511
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Northcutt MODIFY(1) Frech
Voter Comments:
Frech> XF:ip-forwarding
Name: CVE-1999-0512
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Northcutt, Shostack MODIFY(1) Frech NOOP(1) Christey
Voter Comments:
Frech> XF:smtp-sendmail-relay(210) XF:ntmail-relay(2257) XF:exchange-relay(3107) (also assigned to CVE-1999-0682) XF:smtp-relay-uucp(3470) XF:sco-sendmail-spam(4342) XF:sco-openserver-mmdf-spam(4343) XF:lotus-domino-smtp-mail-relay(6591) XF:win2k-smtp-mail-relay(6803) XF:cobalt-poprelayd-mail-relay(6806) Candidate implicitly may refer to relaying settings enabled by default, or the bypass/circumvention of relaying. Both interpretations were used in assigning this candidate.
Christey> The intention of this candidate is to cover configurations in which the admin has explicitly enabled relaying. Other cases in which the application *intends* to prevent relaying, but there is some specific input that bypasses/tricks it, count as vulnerabilities (or exposures?) and as such would be assigned different numbers. http://www.sendmail.org/~ca/email/spam.html seems like a good general resource, as does ftp://ftp.isi.edu/in-notes/rfc2505.txt
Christey> I changed the description to make it more clear that the issue is that of explicit configuration, as opposed to being the result of a vulnerability.
Name: CVE-1999-0515
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Northcutt MODIFY(1) Frech REJECT(1) Shostack
Voter Comments:
Shostack> Overly broad
Frech> XF:rsh-equiv(111)
Baker> Since this is unrestricted trust, I agree this is a problem
Name: CVE-1999-0516
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech REVIEWING(1) Christey
Voter Comments:
Frech> XF:snmp-get-guess XF:snmp-set-guess XF:sol-hidden-commstr XF:hpov-hidden-snmp-comm
Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using.
Name: CVE-1999-0517
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech REVIEWING(1) Christey
Voter Comments:
Frech> XF:nt-snmp XF:snmp-comm XF:snmp-set-any XF:snmp-get-public XF:snmp-set-public XF:snmp-get-any
Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using.
Christey> Consider adding BID:2112
Name: CVE-1999-0518
Description:
Status: Candidate Votes: ACCEPT(5) Baker, LeBlanc, Meunier, Northcutt, Shostack MODIFY(1) Frech
Voter Comments:
Frech> Change description term to NetBIOS. XF:nt-netbios-perm XF:sharepass XF:win95-smb-password XF:nt-netbios-dict
Name: CVE-1999-0519
Description:
Status: Candidate Votes: ACCEPT(5) Baker, LeBlanc, Meunier, Northcutt, Shostack MODIFY(1) Frech
Voter Comments:
Frech> Change description term to NetBIOS. XF:decod-smb-password-empty XF:nt-netbios-everyoneaccess XF:nt-netbios-guestaccess XF:nt-netbios-allaccess XF:nt-netbios-open XF:nt-netbios-write XF:nt-netbios-shareguest XF:nt-writable-netbios XF:nt-netbios-everyoneaccess-printer XF:nt-netbios-share-print-guest
Name: CVE-1999-0520
Description:
Status: Candidate Votes: ACCEPT(1) Wall MODIFY(1) Frech NOOP(1) Baker RECAST(1) Northcutt REJECT(1) LeBlanc REVIEWING(1) Christey
Voter Comments:
Northcutt> I think we need to enumerate the shares and or the access control
Christey> One question is, what is "inappropriate"? It's probably very dependent on the policy of the enterprise on which this is found. And should writable shares be different from readable shares? (Or file systems, mail spools, etc.) Yes, the impact may be different, but we could have a large number of entries for each possible type of access. A content decision (CD:CF-DATA) needs to be reviewed and accepted by the Editorial Board in order to resolve this question.
LeBlanc> Unacceptably vague - agree with Christey's comments.
Frech> associated to: XF:nt-netbios-everyoneaccess(1) XF:nt-netbios-guestaccess(2) XF:nt-netbios-allaccess(3) XF:nt-netbios-open(15) XF:nt-netbios-write(19) XF:nt-netbios-shareguest(20) XF:nt-writable-netbios(26) XF:nb-rootshare(393) XF:decod-smb-password-empty(2358)
Name: CVE-1999-0521
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech NOOP(1) Christey
Voter Comments:
Frech> XF:nis-dom
Christey> Consider http://www.cert.org/advisories/CA-1992-13.html as well as ftp://ciac.llnl.gov/pub/ciac/bulletin/c-fy92/c-25.ciac-sunos-nis-patch
Name: CVE-1999-0522
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall NOOP(1) Christey RECAST(1) Northcutt
Voter Comments:
Northcutt> Why not say world readable, this is what you do further down in the file (world exportable in CVE-1999-0554)
Christey> ADDREF AUSCERT:AA-96.02
Name: CVE-1999-0523
Description:
Status: Candidate Votes: MODIFY(1) Meunier NOOP(1) Baker REJECT(2) Frech, Northcutt
Voter Comments:
Northcutt> (Though I sympathize with this one :)
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Frech> Ping is a utility that can be run on demand; ICMP echo is a message type. As currently worded, this candidate seems as if an arbitrary host is vulnerable because it is capable of running an arbitrary program or function (in this case, ping/ICMP echo). There are many programs/functions that 'shouldn't' be on a computer, from a security admin's perspective. Even if this were a vulnerability, it would be impacted by CD-HIGHCARD.
Meunier> Every ICMP message type presents a vulnerability or an exposure, if access is not controlled. By that I mean not only those in RFC 792, but also those in RFC 1256, 950, and more. I think that the description should be changed to "ICMP messages are acted upon without any access control". ICMP is an error and debugging protocol. We complain about vendors leaving testing backdoors in their programs. ICMP is the equivalent for TCP/IP. ICMP should be in the dog house, unless you are trying to troubleshoot something. MTU discovery is just a performance tweak -- it's not necessary. I don't know of any ICMP message type that is necessary if the network is functional. Limited logging of ICMP messages could be useful, but acting upon them and allowing the modification of routing tables, the behavior of the TCP/IP stack, etc... without any form of authentication is just crazy.
Name: CVE-1999-0524
Description:
Status: Candidate Votes: MODIFY(3) Baker, Frech, Meunier REJECT(1) Northcutt
Voter Comments:
Frech> XF:icmp-timestamp XF:icmp-netmask
Meunier> If this is not merged with 1999-0523 as I commented for that CVE, then the description should be changed to "ICMP messages of types 13 and 14 (timestamp request and reply) and 17 and 18 (netmask request and reply) are acted upon without any access control". It's more precise and correct language. I believe that this is a valid CVE entry (it's a common source of vulnerabilities or exposures) even though I see that the inferred action was "reject". Knowing the time of a host also allows attacks against random number generators that are seeded with the current time. I want to push to have it accepted.
Baker> I agree with the description changes suggested by Pascal
Name: CVE-1999-0525
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(1) Baker REJECT(1) Northcutt
Voter Comments:
Frech> XF:traceroute
Name: CVE-1999-0527
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Northcutt, Wall MODIFY(1) Frech
Voter Comments:
Northcutt> That starts to get specific :)
Frech> ftp-writable-directory(6253) ftp-write(53) "writeable" in the description should be "writable."
Name: CVE-1999-0528
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Meunier, Northcutt MODIFY(1) Frech
Voter Comments:
Frech> possibly XF:nisd-dns-fwd-check
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:firewall-external-packet-forwarding(8372)
Name: CVE-1999-0529
Description:
Status: Candidate Votes: ACCEPT(1) Frech MODIFY(2) Baker, Meunier REJECT(1) Northcutt
Voter Comments:
Northcutt> I have seen ISPs "assign" private addresses within their domain
Meunier> A border router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc, outside of their area of validity.
CHANGE> [Frech changed vote from REVIEWING to ACCEPT]
Baker> I think the description should be modified to say they accept this type of traffic from an interface not residing on private/reserved network.
Name: CVE-1999-0530
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Northcutt MODIFY(1) Frech REJECT(1) Shostack
Voter Comments:
Frech> XF:etherstatd(264) XF:sniffer-attack(778) XF:decod-packet-capture-remote(1072) XF:netmon-running(1448) XF:netxray3-probe(1450) XF:sol-snoop-getquota-bo(3670) (also assigned to CVE-1999-0974)
Baker> Does pose a problem in non-switched environments
Name: CVE-1999-0531
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(1) Christey RECAST(1) Shostack REJECT(1) Northcutt
Voter Comments:
Shostack> I think expn != vrfy, help, esmtp.
Frech> XF:lotus-domino-esmtp-bo(4499) (also assigned to CVE-2000-0452 and CVE-2000-1046) XF:smtp-expn(128) XF:smtp-vrfy(130) XF:smtp-helo-bo(886) XF:smtp-vrfy-bo(887) XF:smtp-expn-bo(888) XF:slmail-vrfyexpn-overflow(1721) XF:smtp-ehlo(323) Perhaps add RCPT? If so, add XF:smtp-rcpt(1928)
Christey> XF:smtp-vrfy(130) ?
Name: CVE-1999-0532
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(1) Baker REJECT(1) Northcutt
Voter Comments:
Northcutt> (With split DNS implementations this is quite appropriate)
Frech> XF:dns-zonexfer
Name: CVE-1999-0533
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(1) Baker REJECT(1) Northcutt
Voter Comments:
Northcutt> (rule of thumb)
Frech> XF:dns-iquery
Name: CVE-1999-0534
Description:
Status: Candidate Votes: ACCEPT(5) Baker, Christey, Ozancin, Shostack, Wall MODIFY(2) Frech, Northcutt
Voter Comments:
Northcutt> If we are going to write a laundry list put access to the scheduler in it.
Christey> The list of privileges is very useful for lookup.
Frech> XF:nt-create-token XF:nt-replace-token XF:nt-lock-memory XF:nt-increase-quota XF:nt-unsol-input XF:nt-act-system XF:nt-create-object XF:nt-sec-audit XF:nt-add-workstation XF:nt-manage-log XF:nt-take-owner XF:nt-load-driver XF:nt-profile-system XF:nt-system-time XF:nt-single-process XF:nt-increase-priority XF:nt-create-pagefile XF:nt-backup XF:nt-restore XF:nt-debug XF:nt-system-env XF:nt-remote-shutdown
Name: CVE-1999-0535
Description:
Status: Candidate Votes: ACCEPT(2) Shostack, Wall MODIFY(2) Baker, Frech RECAST(2) Northcutt, Ozancin
Voter Comments:
Northcutt> Inappropriate implies there is appropriate. As a guy who has been monitoring networks for years I have deep reservations about justifying the existence of any fixed cleartext password. For appropriate to exist, some "we" would have to establish some criteria for appropriate passwords.
Baker> Perhaps this could be re-worded a bit. The CVE CVE-1999-00582 specifies "...settings for lockouts". To remain consistent with the other, maybe it should specify "...settings for passwords". I think most people would agree that passwords should be at least 8 characters; contain letters (upper and lowercase), numbers and at least one non-alphanumeric; should only be good for a limited time, 30-90 days; and should not contain character combinations from the user's prior 2 or 3 passwords. Suggested rewrite - A Windows NT account policy does not enforce reasonable minimum security-critical settings for passwords, e.g. passwords of sufficient length, periodic required password changes, or new password uniqueness
Ozancin> What is appropriate?
Frech> XF:nt-autologonpwd XF:nt-pwlen XF:nt-maxage XF:nt-minage XF:nt-pw-history XF:nt-user-pwnoexpire XF:nt-unknown-pwdfilter XF:nt-pwd-never-expire XF:nt-pwd-nochange XF:nt-pwdcache-enable XF:nt-guest-change-passwords
Name: CVE-1999-0537
Description:
Status: Candidate Votes: ACCEPT(1) Wall NOOP(1) Baker RECAST(1) Frech REJECT(1) LeBlanc
Voter Comments:
Frech> Good candidate for dot notation. XF:nav-java-enabled XF:nav-javascript-enabled XF:ie-active-content XF:ie-active-download XF:ie-active-scripting XF:ie-activex-execution XF:ie-java-enabled XF:netscape-javascript XF:netscape-java XF:zone-active-scripting XF:zone-activex-execution XF:zone-desktop-install XF:zone-low-channel XF:zone-file-download XF:zone-file-launch XF:zone-java-scripting XF:zone-low-java XF:zone-safe-scripting XF:zone-unsafe-scripting
LeBlanc> Not a vulnerability. These are just checks for configuration settings that a user might have changed. I understand the need to increase the number of checks in a scanning product, but don't feel like these belong in CVE. Scanner vendors could argue that these entries are needed to keep a common language.
Baker> Not sure about whether we should bother to include this type of issue or not. It does provide a stepping stone for further actions, but in and of itself it isn't a specific vulnerability.
Name: CVE-1999-0539
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(1) Baker REJECT(2) Northcutt, Shostack
Voter Comments:
Northcutt> Too non-specific
Frech> XF:trusted-host(341) XF:trust-remote-same(717) XF:trust-remote-root(718) XF:trust-remote-nonroot(719) XF:trust-remote-any(720) XF:trust-other-host(723) XF:trust-all-nonroot(726) XF:trust-any-remote(727) XF:trust-local-acct(728) XF:trust-local-any(729) XF:trust-local-nonroot(730) XF:trust-all-hosts(731) XF:nt-trusted-domain(1284) XF:rsagent-trusted-domainadded(1588) XF:trust-remote-user(2955) XF:user-trust-hosts(3074) XF:user-trust-other-host(3077) XF:user-trust-remote-account(3079)
Name: CVE-1999-0541
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Meunier, Northcutt, Shostack MODIFY(1) Frech
Voter Comments:
Frech> XF:http-password
Name: CVE-1999-0546
Description:
Status: Candidate Votes: ACCEPT(5) Baker, Northcutt, Ozancin, Shostack, Wall MODIFY(1) Frech
Voter Comments:
Frech> XF:nt-guest-account
Name: CVE-1999-0547
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Shostack MODIFY(1) Frech NOOP(1) Northcutt
Voter Comments:
Frech> XF:sshd-rhosts(315)
Name: CVE-1999-0548
Description:
Status: Candidate Votes: ACCEPT(1) Shostack NOOP(1) Baker REJECT(1) Northcutt
Name: CVE-1999-0549
Description:
Status: Candidate Votes: ACCEPT(1) Hill MODIFY(3) Blake, Frech, Ozancin NOOP(1) Wall REJECT(1) Baker
Voter Comments:
Wall> Don't know what this is. Don't think it is a vulnerability and would initially reject. This is different than just renaming the administrator account.
Frech> Would appreciate more information on this one, as in a reference.
Blake> Reference: XF:nt-autologin
Ozancin> Needs more detail
Baker> I tried to find the XF:nt-autologin reference, and got no matching records from their search engine. No refs, no details, should reject
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:nt-autologon(5)
Name: CVE-1999-0550
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech RECAST(1) Northcutt
Voter Comments:
Northcutt> Don't you mean obtained by arbitrary hosts
Frech> XF:routed XF:decod-rip-entry XF:rip
Baker> Concur with this as a security issue
Name: CVE-1999-0554
Description:
Status: Candidate Votes: ACCEPT(2) Northcutt, Wall NOOP(1) Baker REVIEWING(1) Christey
Voter Comments:
Christey> A content decision (CD:CF-DATA) needs to be reviewed and accepted by the Editorial Board in order to resolve this question.
Name: CVE-1999-0555
Description:
Status: Candidate Votes: NOOP(1) Baker REJECT(2) Northcutt, Shostack
Voter Comments:
Northcutt> This is very bogus
Name: CVE-1999-0556
Description:
Status: Candidate Votes: NOOP(2) Baker, Christey REJECT(2) Northcutt, Shostack
Voter Comments:
Christey> XF:duplicate-uid(876)
Christey> Add terms "duplicate" and "user ID" to facilitate search. ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
Name: CVE-1999-0559
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall RECAST(2) Northcutt, Shostack
Voter Comments:
Northcutt> Writable other than by root/bin/wheelgroup?
Name: CVE-1999-0560
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we should specify these
Name: CVE-1999-0561
Description:
Status: Candidate Votes: NOOP(2) Baker, Northcutt RECAST(1) Shostack REJECT(1) LeBlanc
Voter Comments:
LeBlanc> Does not meet definition of a vulnerability. This function is just enabled. You can turn it off if you want. If you trust the people putting up your web pages, this isn't a problem. If you don't, this is just one of many things you need to change.
Name: CVE-1999-0562
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Ozancin, Shostack, Wall MODIFY(1) Frech RECAST(1) Northcutt
Voter Comments:
Northcutt> This isn't all or nothing, users may be allowed to access part of the registry.
Frech> XF:nt-winreg-all XF:nt-winreg-net
Name: CVE-1999-0564
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Shostack NOOP(1) Northcutt
Name: CVE-1999-0565
Description:
Status: Candidate Votes: ACCEPT(1) Northcutt NOOP(1) Baker RECAST(1) Shostack REVIEWING(1) Christey
Voter Comments:
Shostack> Is this a default alias? Is my .procmailrc an instance of this?
Christey> It is not entirely clear whether the simple fact that an alias pipes into a program should be considered a vulnerability. It all depends on the behavior of that particular program. This is one of a number of configuration-related issues from the "draft" CVE that came from vulnerability scanners. In general, when we get to general configuration and "policy," it becomes more difficult to use the current CVE model to represent them. So at the very least, this candidate (and similar ones) should be given close consideration and discussion before being added to the official CVE list. Because this candidate is related to general configuration issues, and we have not completely determined how to handle such issues in CVE, this candidate cannot be promoted to an official CVE entry until such issues are resolved.
Name: CVE-1999-0568
Description:
Status: Candidate Votes: ACCEPT(1) Northcutt NOOP(2) Baker, Christey RECAST(2) Dik, Shostack
Voter Comments:
Shostack> Are there secure modes?
Dik> Several:
1) There is no "rpc.admind" daemon. There used to be an "admind" RPC daemon (100087/10) and there's now an "sadmind" daemon (100232/10). The switch over was somewhere around Solaris 2.4.
2) Neither defaults to "secure mode".
3) Secure mode is "using secure RPC", which does proper over the wire authentication by specifying the "-S 2" option in inetd.conf (security level 2).
Christey> XF:rpc-admind(626) http://xforce.iss.net/static/626.php MISC:http://pulhas.org/xploitsdb/mUNIXes/admind.html
Name: CVE-1999-0569
Description:
Status: Candidate Votes: ACCEPT(1) Wall NOOP(2) Baker, Christey REJECT(1) Northcutt
Voter Comments:
Northcutt> I do this intentionally sometimes in high content directories
Christey> XF:http-noindex(90) ?
Name: CVE-1999-0570
Description:
Status: Candidate Votes: ACCEPT(1) Northcutt MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(1) Wall
Voter Comments:
Northcutt> Here we are crossing into the best practices arena again. However, since passfilt does establish a measurable standard and since we aren't the ones defining the standard, simply saying it should be employed, I will vote for this.
Frech> XF:nt-passfilt-not-inst(1308) XF:nt-passfilt-not-found(1309)
Christey> Consider MSKB:Q161990 and MSKB:Q151082
Name: CVE-1999-0571
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(2) Christey, Northcutt
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:ascend-config-kill(889) XF:cisco-ios-crash(1238) XF:webramp-remote-access(1670) XF:ascom-timeplex-debug(1824) XF:netopia-unpassworded(1850) XF:cisco-web-crash(1886) XF:cisco-router-commands(1951) XF:motorola-cable-default-pass(2002) XF:default-flowpoint(2091) XF:netgear-router-idle-dos(4003) XF:cisco-cbos-telnet(4251) XF:routermate-snmp-community(4290) XF:cayman-router-dos(4479) XF:wavelink-authentication(5185) XF:ciscosecure-ldap-bypass-authentication(5274) XF:foundry-firmware-telnet-dos(5514) XF:netopia-view-system-log(5536) XF:cisco-webadmin-remote-dos(5595) XF:cisco-cbos-web-access(5626) XF:netopia-telnet-dos(6001) XF:cisco-sn-gain-access(6827) XF:cayman-dsl-insecure-permissions(6841) XF:linksys-etherfast-reveal-passwords(6949) XF:zyxel-router-default-password(6968) XF:cisco-cbos-web-config(7027) XF:prestige-wan-bypass-filter(7146)
Christey> I changed the description to make it more explicit that this candidate is about router configuration, as opposed to vulnerabilities that accidentally make a configuration service accessible to anyone.
Name: CVE-1999-0572
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Ozancin, Shostack, Wall MODIFY(1) Frech NOOP(2) Christey, Northcutt
Voter Comments:
Northcutt> I don't quite get what this means, sorry
Frech> XF:nt-regfile(178)
Christey> MISC:http://security-archive.merton.ox.ac.uk/nt-security-199902/0087.html
Name: CVE-1999-0575
Description:
Status: Candidate Votes: ACCEPT(4) Christey, Ozancin, Shostack, Wall MODIFY(1) Frech RECAST(2) Baker, Northcutt
Voter Comments:
Northcutt> It isn't a great truth that you should enable all of the above; if you do, you potentially introduce a vulnerability of filling up the file system with stuff you will never look at.
Ozancin> It is far less interesting what a user does successfully than what they attempt and fail at.
Christey> The list of event types is very useful for lookup.
Frech> XF:nt-system-audit XF:nt-logon-audit XF:nt-object-audit XF:nt-privil-audit XF:nt-process-audit XF:nt-policy-audit XF:nt-account-audit
CHANGE> [Baker changed vote from REVIEWING to RECAST]
Name: CVE-1999-0576
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Shostack, Wall MODIFY(2) Frech, Ozancin REJECT(1) Northcutt
Voter Comments:
Northcutt> 1.) Too general; are we ready to state what the security-critical files and directories are? 2.) Do Ataris, Windows CE, PalmOS, Linux have such a capability?
Ozancin> Some files and directories are clearly understood to be critical. Others are unclear. We need to clarify what critical is.
Frech> XF:nt-object-audit
Name: CVE-1999-0577
Description:
Status: Candidate Votes: ACCEPT(2) Shostack, Wall MODIFY(3) Baker, Frech, Ozancin REJECT(1) Northcutt
Voter Comments:
Ozancin> It is far less interesting what a user does successfully than what they attempt and fail at. Perhaps only failure should be logged.
Frech> XF:nt-object-audit
CHANGE> [Baker changed vote from REVIEWING to MODIFY]
Baker> Failure on non-critical files is what should be monitored.
Name: CVE-1999-0578
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Ozancin, Shostack, Wall MODIFY(1) Frech REJECT(1) Northcutt
Voter Comments:
Ozancin> With reservation. Again, what is defined as critical?
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:nt-object-audit(228)
Name: CVE-1999-0579
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Shostack, Wall MODIFY(2) Frech, Ozancin REJECT(1) Northcutt
Voter Comments:
Ozancin> Again, only failure may be of interest. It would be impractical to wade through the incredibly large amount of logging that this would generate. It could overwhelm log entries that you might find interesting.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:nt-object-audit(228)
Name: CVE-1999-0580
Description:
Status: Candidate Votes: ACCEPT(1) Wall NOOP(1) Baker RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate.
Baker> This is way vague...
Name: CVE-1999-0581
Description:
Status: Candidate Votes: ACCEPT(1) Wall NOOP(1) Baker RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate.
Baker> way too vague
Name: CVE-1999-0582
Description:
Status: Candidate Votes: ACCEPT(3) Ozancin, Shostack, Wall MODIFY(2) Baker, Frech REJECT(1) Northcutt
Voter Comments:
Northcutt> The definition is?
Baker> Maybe a rewording of this one too. I think most people would agree on some "minimum" policies like 3-5 bad attempts lockout for an hour or until the administrator unlocks the account. Suggested rewrite - A Windows NT account policy does not enforce reasonable minimum security-critical settings for lockouts, e.g. lockout duration, lockout after bad logon attempts, etc.
Ozancin> With reservations. What is appropriate?
Frech> XF:nt-thres-lockout XF:nt-lock-duration XF:nt-lock-window XF:nt-perm-lockout XF:lockout-disabled
Name: CVE-1999-0583
Description:
Status: Candidate Votes: NOOP(2) Baker, Christey REJECT(2) Northcutt, Shostack
Voter Comments:
Christey> XF:nt-trusted-domain(1284)
Name: CVE-1999-0584
Description:
Status: Candidate Votes: ACCEPT(2) Northcutt, Wall MODIFY(1) Frech NOOP(2) Baker, Christey
Voter Comments:
Wall> NTFS partition provides the security. This could be re-worded to "A Windows NT file system is FAT" since it is either NTFS or FAT and FAT is less secure.
Frech> XF:nt-filesys(195)
Christey> MSKB:Q214579 MSKB:Q214579 http://support.microsoft.com/support/kb/articles/Q100/1/08.ASP
Name: CVE-1999-0585
Description:
Status: Candidate Votes: ACCEPT(1) Ozancin MODIFY(1) Frech REJECT(3) Baker, Northcutt, Shostack REVIEWING(1) Wall
Voter Comments:
Wall> Some sources say this is not a vulnerability, but a warning. It just slows down the search for the admin account (SID = 500) which can always be found.
Northcutt> I change this on all NT systems I am responsible for, but is root a vulnerability?
Baker> There are ways to identify the administrator account anyway, so this is only a minor delay to someone that is knowledgeable. This, in and of itself, doesn't really strike me as a vulnerability, any more than the root account on a Unix box.
Shostack> (there is no way to hide the account name today)
Frech> XF:nt-adminexists
Name: CVE-1999-0586
Description:
Status: Candidate Votes: NOOP(1) Baker RECAST(1) Shostack REJECT(1) Northcutt
Voter Comments:
Shostack> Might be acceptable if clearer; is that a standard service on a non-standard port, or any service on an unassigned port?
Baker> It might actually be an enhancement rather than a problem to run a service on a non-standard port
Name: CVE-1999-0587
Description:
Status: Candidate Votes: ACCEPT(1) Wall NOOP(1) Baker RECAST(1) Northcutt
Voter Comments:
Northcutt> While I would accept this for Unix, I am not sure this applies to NT, VMS, palm pilots, or commodore 64
Name: CVE-1999-0588
Description:
Status: Candidate Votes: MODIFY(2) Baker, Frech REJECT(1) Northcutt
Voter Comments:
Northcutt> I want to vote to accept this one, but unusual is a shade broad.
Frech> XF:nt-rras XF:cisco-fragmented-attacks XF:ip-frag
Baker> Perhaps we should use the word abnormally fragmented or some other descriptor.
Name: CVE-1999-0589
Description:
Status: Candidate Votes: ACCEPT(1) Wall NOOP(1) Baker RECAST(2) Christey, Northcutt
Voter Comments:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate.
Christey> Upon further reflection, this is too high-level for CVE. Specific registry keys with bad permissions is roughly equivalent to Unix configuration files that have bad permissions; those permission problems can be created by any vendor, not just a specific one. Therefore this candidate should be RECAST into each separate registry key that has this problem.
Name: CVE-1999-0590
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Northcutt MODIFY(1) Christey RECAST(1) Shostack
Voter Comments:
Christey> ADDREF CIAC:J-043 URL:http://ciac.llnl.gov/ciac/bulletins/j-043.shtml Also add "banner" to the description to facilitate search.
Baker> Should be in place wherever it is possible
Name: CVE-1999-0591
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall RECAST(1) Northcutt
Voter Comments:
Northcutt> splain Lucy, splain
Name: CVE-1999-0592
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(2) Northcutt, Wall
Voter Comments:
Wall> Information gathering, not vulnerability
Northcutt> Ah, a C2 weenie must have snuck this in; this can be a good thing, not just a vulnerability
Frech> XF:nt-display-last-username(1353) Use it if you will. :-) If not, let us know so I can remove the CAN reference from our database.
Christey> MSKB:Q114463 http://support.microsoft.com/support/kb/articles/q114/4/63.asp
Name: CVE-1999-0593
Description:
Status: Candidate Votes: ACCEPT(1) Wall MODIFY(1) Frech NOOP(1) Baker REJECT(1) Northcutt
Voter Comments:
Wall> Still a denial of service.
Northcutt> May well be appropriate
Frech> XF:nt-shutdown-without-logon(1291)
Name: CVE-1999-0594
Description:
Status: Candidate Votes: ACCEPT(1) Wall MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(1) NorthcuttVoter Comments: Wall> Perhaps it can be re-worded to "removable media drives such as a floppy disk drive or CDROM drive can be accessed (shared) in a Windows NT system." Northcutt> - what good is my NT w/o its floppy Frech> XF:nt-allocate-cdroms(1294) XF:nt-allocate-floppy(1318) Christey> MSKB:Q172520 URL:http://support.microsoft.com/support/kb/articles/q172/5/20.asp Name: CVE-1999-0595
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall MODIFY(1) Frech NOOP(1) NorthcuttVoter Comments: Frech> XF:nt-clearpage(216) XF:reg-pagefile-clearing(2551) Name: CVE-1999-0596
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(1) Baker REJECT(2) Northcutt, WallVoter Comments: Northcutt> define appropriate Frech> XF:reg-app-log-small(2521) XF:reg-sec-log-maxsize(2577) XF:reg-sys-log-small(2586) Name: CVE-1999-0597
Description:
Status: Candidate Votes: ACCEPT(1) Northcutt MODIFY(1) Frech NOOP(1) Baker REJECT(1) WallVoter Comments: Frech> XF:nt-forced-logoff(1343) Name: CVE-1999-0598
Description:
Status: Candidate Votes: ACCEPT(3) Armstrong, Baker, Northcutt NOOP(1) Frech REVIEWING(1) ChristeyVoter Comments: Frech> Waiting for CIEL. Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper. Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html Name: CVE-1999-0599
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Northcutt NOOP(1) Frech REVIEWING(1) ChristeyVoter Comments: Frech> Waiting for CIEL. Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper. Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html Name: CVE-1999-0600
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Northcutt NOOP(1) Frech REVIEWING(1) ChristeyVoter Comments: Frech> Waiting for CIEL. Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper. Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html Name: CVE-1999-0601
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Northcutt NOOP(1) Frech REVIEWING(1) ChristeyVoter Comments: Frech> Waiting for Godot, er, CIEL. Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper. Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html Name: CVE-1999-0602
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Northcutt NOOP(1) Frech REVIEWING(1) ChristeyVoter Comments: Frech> Waiting for CIEL. Christey> This is a design flaw, along with the other reported IDS problems; at least reference Ptacek/Newsham's paper. Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html Name: CVE-1999-0603
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(1) Baker REJECT(2) Northcutt, WallVoter Comments: Frech> XF:nt-system-operator XF:nt-admin-group XF:nt-replicator XF:nt-print-operator XF:nt-power-user XF:nt-guest-in-group XF:nt-backup-operator XF:nt-domain-admin XF:nt-domain-guest XF:win2k-acct-oper-grp XF:win2k-admin-grp XF:win2k-backup-oper-grp XF:win2k-certpublishers-grp XF:win2k-dhcp-admin-grp XF:win2k-dnsadm-grp XF:win2k-domainadm-grp XF:win2k-entadm-grp XF:win2k-printoper-grp XF:win2k-replicator-grp XF:win2k-schemaadm-grp XF:win2k-serveroper-grp You asked for it... :-) Use or reject at your discretion. If rejected, please let us know so we can remove CAN references from database. Name: CVE-1999-0604
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(2) Northcutt, WallVoter Comments: Frech> XF:webstore-misconfig(3861) Name: CVE-1999-0605
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(3) Christey, Northcutt, WallVoter Comments: Frech> XF:orderform-misconfig(3860) Christey> BID:2021 Christey> Mention affected files: order_log_v12.dat and order_log.dat; fix version number (1.2) Name: CVE-1999-0606
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(3) Christey, Northcutt, WallVoter Comments: Frech> XF:ezmall2000-misconfig(3859) Christey> Add mall_log_files/order.log to desc Name: CVE-1999-0607
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(3) Christey, Northcutt, WallVoter Comments: Frech> XF:quikstore-misconfig(3858) Christey> http://www.quikstore.com/help/pages/Security/security.htm says: "It is IMPORTANT that during the setup of the QuikStore program, you check to make sure that the cgi-bin or executable program directory of your web site not be viewable from the outside world. You don't want the users to have access to your programs or log files that could be stored there! ... If you can view or download these files from the browser, someone else can too" So is this a configuration problem? See the configuration file at http://www.quikstore.com/help/pages/Configuration/configparametersfull.htm The [DIRECTORY_PATHS] section identifies pathnames and describes how pathnames are constructed. It clearly uses relative pathnames, so all data is underneath the base directory!! If we call this a configuration problem, then maybe this (and all other "CGI-data-in-web-tree" configuration problems) should be combined. Christey> Consider adding BID:1983 Name: CVE-1999-0609
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(3) Christey, Northcutt, WallVoter Comments: Frech> XF:softcart-misconfig(3856) Christey> Consider adding BID:2055 Name: CVE-1999-0610
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(2) Northcutt, WallVoter Comments: Frech> Cite reference as: BUGTRAQ:19990424 Re: Shopping Carts exposing CC data URL: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-08-22%26msg%3D3720E2B6.6031A2E7@datashopper.dk CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:webcart-data-exposure(8374) Name: CVE-1999-0611
Description:
Status: Candidate Votes: ACCEPT(1) Wall NOOP(1) Baker RECAST(1) NorthcuttVoter Comments: Northcutt> I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate. Baker> too vague Name: CVE-1999-0613
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Ozancin MODIFY(1) Frech NOOP(1) Wall REJECT(1) NorthcuttVoter Comments: Frech> XF:sprayd Name: CVE-1999-0614
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0615
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Prosser, Wall NOOP(1) Christey REJECT(1) NorthcuttVoter Comments: Baker> Although newer versions of snmp are not as vulnerable as prior versions, this can still be a significant risk of exploitation, as seen in recent attacks on snmp services via automated worms Christey> XF:snmp(132) ? Prosser> This fits the "exposure" description although we also know there are many vulnerabilities in SNMP. This is more of a policy/best practice issue for administrators. If you need SNMP, lock it down as tight as you can; if you don't need it, don't run it. Name: CVE-1999-0616
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0617
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0618
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Northcutt, Ozancin, Wall MODIFY(1) FrechVoter Comments: Frech> XF:decod-rexec XF:rexec Name: CVE-1999-0619
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0620
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall NOOP(1) Christey REJECT(1) NorthcuttVoter Comments: Christey> XF:ypserv(261) Name: CVE-1999-0621
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall MODIFY(1) Frech REJECT(2) LeBlanc, NorthcuttVoter Comments: LeBlanc> There is insufficient description to even know what this is. Lots of component services related to NetBIOS run, and usually do not constitute a problem. Frech> associated to: XF:nt-alerter(29) XF:nt-messenger(69) XF:reg-ras-gateway-enabled(2567) Name: CVE-1999-0622
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0623
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall NOOP(1) Christey REJECT(1) NorthcuttVoter Comments: Christey> Add "X11" to facilitate search. Name: CVE-1999-0624
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Northcutt, Ozancin MODIFY(1) Frech NOOP(2) Meunier, WallVoter Comments: Frech> XF:rstat-out XF:rstatd Name: CVE-1999-0625
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Northcutt, Ozancin MODIFY(1) Frech NOOP(1) WallVoter Comments: Frech> XF:rquotad Name: CVE-1999-0629
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Ozancin MODIFY(1) Frech NOOP(2) Christey, Wall REJECT(1) NorthcuttVoter Comments: Frech> possibly XF:identd? Christey> XF:ident-users(318) ? CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:identd-vuln(61) XF:ident-users(318) Name: CVE-1999-0630
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall NOOP(1) Christey REJECT(1) NorthcuttVoter Comments: Christey> http://support.microsoft.com/support/kb/articles/q189/2/71.asp Name: CVE-1999-0631
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall NOOP(1) Christey REJECT(1) NorthcuttVoter Comments: Christey> XF:nfs-nfsd(76) ? Christey> Add rpc.mountd/mountd to facilitate search. Name: CVE-1999-0632
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0633
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0634
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0635
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Northcutt, Wall REVIEWING(1) ChristeyVoter Comments: Northcutt> The method to my madness is that echo is the common denominator in the DoS attack Christey> How much of this is an overlap with the echo/chargen flood problem (CVE-1999-0103)? If this is only an exposure because of CVE-1999-0103, then maybe this should be REJECTed. Name: CVE-1999-0636
Description:
Status: Candidate Votes: ACCEPT(1) Baker NOOP(1) Wall REJECT(1) Northcutt Name: CVE-1999-0637
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0638
Description:
Status: Candidate Votes: ACCEPT(1) Baker NOOP(1) Wall REJECT(1) Northcutt Name: CVE-1999-0639
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt REVIEWING(1) ChristeyVoter Comments: Christey> How much of this is an overlap with the echo/chargen flood problem (CVE-1999-0103)? If this is only an exposure because of CVE-1999-0103, then maybe this should be REJECTed. Name: CVE-1999-0640
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0641
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0642
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0643
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0644
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall NOOP(1) Christey REJECT(1) NorthcuttVoter Comments: Christey> XF:nntp-post(88) ? Name: CVE-1999-0645
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall NOOP(1) Christey REJECT(1) NorthcuttVoter Comments: Christey> XF:irc-server(767) ? Name: CVE-1999-0646
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0647
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Ozancin MODIFY(1) Frech NOOP(1) Wall REJECT(1) NorthcuttVoter Comments: Frech> XF:bootp Name: CVE-1999-0648
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0649
Description:
Status: Candidate Votes: ACCEPT(1) Baker NOOP(1) Wall REJECT(1) Northcutt Name: CVE-1999-0650
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0651
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall MODIFY(1) Frech NOOP(1) Christey REJECT(1) NorthcuttVoter Comments: Christey> aka "shell" on UNIX systems (at least Solaris) in the /etc/inetd.conf file. Frech> associated to: XF:nt-rlogin(92) XF:rsh-svc(114) XF:rshd(2995) Name: CVE-1999-0652
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) Wall REJECT(1) NorthcuttVoter Comments: Frech> XF:nt-sql-server(1289) XF:msql-detect(2211) XF:oracle-detect(2388) XF:sybase-detect-namedpipes(1461) Name: CVE-1999-0653
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0654
Description:
Status: Candidate Votes: ACCEPT(1) Wall MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(1) NorthcuttVoter Comments: Wall> These subsystems could still allow a process to persist across logins. Frech> XF:nt-posix(217) XF:nt-posix-sub-c2(2397) XF:nt-posix-sub-onceonly(2478) XF:nt-os2-sub(218) XF:nt-os2-sub-c2(2396) XF:nt-os2-sub-onceonly(2477) XF:nt-os2-registry(2550) Christey> s2-file-os2(1865) Name: CVE-1999-0655
Description:
Status: Candidate Votes: ACCEPT(5) Baker, Frech, Northcutt, Ozancin, WallVoter Comments: CHANGE> [Frech changed vote from REVIEWING to ACCEPT] Name: CVE-1999-0656
Description:
Status: Candidate Votes: ACCEPT(1) Baker NOOP(1) Wall REJECT(1) Northcutt Name: CVE-1999-0657
Description:
Status: Candidate Votes: ACCEPT(1) Baker NOOP(1) Wall REJECT(1) Northcutt Name: CVE-1999-0658
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Wall REJECT(1) Northcutt Name: CVE-1999-0659
Description:
Status: Candidate Votes: REJECT(3) Baker, Northcutt, WallVoter Comments: Wall> Don't consider this a service or a problem. Baker> concur with wall on this Name: CVE-1999-0660
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Hill, Northcutt, Wall NOOP(1) ChristeyVoter Comments: Christey> Add "back door" to description. Name: CVE-1999-0661
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Hill, Northcutt, Wall REVIEWING(1) ChristeyVoter Comments: Christey> Should add the specific CERT advisory references for well-known Trojaned software. TCP Wrappers -> CERT:CA-1999-01 CERT:CA-1999-02 includes util-linux wuarchive - CERT:CA-94.07 IRC client - CERT:CA-1994-14 Christey> BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1) Modify description to use dot notation. Christey> CERT:CA-2002-24 URL:http://www.cert.org/advisories/CA-2002-24.html XF:openssh-backdoor(9763) URL:http://www.iss.net/security_center/static/9763.php BID:5374 URL:http://www.securityfocus.com/bid/5374 CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> Add libpcap and tcpdump: BUGTRAQ:20021113 Latest libpcap & tcpdump sources from tcpdump.org contain a trojan URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103722456708471&w=2 CERT:CA-2002-30 URL:http://www.cert.org/advisories/CA-2002-30.html This CAN has been active for over 4 years. At this moment, my thinking is that we should SPLIT this CAN into each separate trojaned product, then create some criteria that restrict creation of new CANs to "widespread" or "important" products only. Name: CVE-1999-0662
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Hill, Northcutt, Wall Name: CVE-1999-0663
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Hill, Wall RECAST(1) NorthcuttVoter Comments: Northcutt> This needs to be worded carefully. 1. Rootkits evade checksum detection. 2. The modification could be positive (a patch) Name: CVE-1999-0664
Description:
Status: Candidate Votes: ACCEPT(1) Wall NOOP(1) Baker RECAST(2) Christey, NorthcuttVoter Comments: Northcutt> I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate. Christey> Upon further reflection, this is too high-level for CVE. Specific registry keys with bad permissions is roughly equivalent to Unix configuration files that have bad permissions; those permission problems can be created by any vendor, not just a specific one. Therefore this candidate should be RECAST into each separate registry key that has this problem. Name: CVE-1999-0665
Description:
Status: Candidate Votes: ACCEPT(1) Wall NOOP(1) Baker RECAST(1) NorthcuttVoter Comments: Northcutt> I think we can define appropriate, take a look at the nt security .pdf and see if you can't see a way to phrase specific keys in a way that defines inappropriate. Baker> very vague Name: CVE-1999-0667
Description:
Status: Candidate Votes: ACCEPT(2) Blake, Cole MODIFY(1) Stracener NOOP(2) Baker, Christey REJECT(1) FrechVoter Comments: Stracener> Add Ref: BUGTRAQ:19970919 Playing redir games with ARP and ICMP Frech> Cannot proceed without a reference. Too vague, and resembles XF:netbsd-arp: CVE-1999-0763: NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network. CVE-1999-0764: NetBSD allows ARP packets to overwrite static ARP entries. Will reconsider if reference provides enough information to render a distinction. Christey> This particular vulnerability was exploited by an attacker during the ID'Net IDS test network exercise at the SANS Network Security '99 conference. The attacker adapted a publicly available program that was able to spoof another machine on the same physical network. See http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019797&w=2 for the Bugtraq reference that Tom Stracener suggested. This generated a long thread on Bugtraq in 1997. Blake> I'll second Tom's request to add the reference; it's a very good posting and the vulnerability is clearly derivative of the work. (I do recall talking to the guy and drafting a description.) Name: CVE-1999-0669
Description:
Status: Candidate Votes: ACCEPT(5) Baker, Cole, Ozancin, Prosser, Wall MODIFY(2) Frech, Stracener REVIEWING(1) ChristeyVoter Comments: Frech> XF:ms-scriptlet-eyedog-unsafe Stracener> Add Ref: MSKB Q240308 Christey> Should CVE-1999-0669 and 668 be merged? If not, then this is a reason for not merging CVE-1999-0988 and CVE-1999-0828. Name: CVE-1999-0670
Description:
Status: Candidate Votes: ACCEPT(3) Ozancin, Prosser, Wall MODIFY(2) Frech, Stracener REJECT(2) Baker, ColeVoter Comments: Frech> XF:ie-eyedog-bo Cole> Based on the references and information listed this is the same as CVE-1999-0669 Stracener> Add Ref: MSKB Q240308 Baker> Duplicate Name: CVE-1999-0673
Description:
Status: Candidate Votes: ACCEPT(6) Baker, Blake, Cole, Collins, Levy, Wall MODIFY(2) Frech, Stracener NOOP(3) Armstrong, Landfield, Oliver REVIEWING(1) OzancinVoter Comments: Stracener> AddRef: ShadowPenguinSecurity:PenguinToolbox,No.037 Frech> XF:almail-bo CHANGE> [Cole changed vote from NOOP to ACCEPT] Name: CVE-1999-0677
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Blake, Stracener MODIFY(2) Cole, Frech NOOP(2) Armstrong, ChristeyVoter Comments: Cole> I would add that it is not forced to be changed. Frech> XF:webramp-default-password Christey> This problem may have been detected in January 1999: BUGTRAQ:19990121 Re: WebRamp M3 remote network access bug http://marc.theaimsgroup.com/?l=bugtraq&m=91702375402055&w=2 Name: CVE-1999-0684
Description:
Status: Candidate Votes: ACCEPT(2) Blake, Cole MODIFY(3) Frech, Prosser, Stracener NOOP(1) Baker REJECT(1) ChristeyVoter Comments: Stracener> Add Ref: CIAC: J-040 Prosser> Might change description to indicate DoS caused by multiple connections Christey> Andre's right. This is a duplicate of CVE-1999-0684. Frech> Without further information and/or references, this issue looks like an ambiguous version of CVE-1999-0478: Denial of service in HP-UX sendmail 8.8.6 related to accepting connections. (was REJECT) XF:hp-sendmail-connect-dos Name: CVE-1999-0698
Description:
Status: Candidate Votes: ACCEPT(6) Armstrong, Baker, Blake, Cole, Collins, Ozancin MODIFY(1) Frech NOOP(4) Landfield, Levy, Stracener, Wall REJECT(1) ChristeyVoter Comments: Stracener> Is the candidate referring to the denial of service problem mentioned in the changelogs for versions previous to 1.4.3-1 or does it pertain to some problem with or 1.4.8-1? Frech> Depending on the version, this could be any number of DoSes related to ippl. From http://www.larve.net/ippl/: 9 April 1999: version 1.4.3 released, correctly fixing a potential denial of service attack. 7 April 1999: version 1.4.2 released, fixing a potential denial of service attack. XF:linux-ippl-dos Christey> Changelog: http://pltplp.net/ippl/docs/HISTORY See comments for version 1.4.2 and 1.4.3 Another source: http://freshmeat.net/news/1999/04/08/923586598.html CHANGE> [Stracener changed vote from REVIEWING to NOOP] CHANGE> [Christey changed vote from NOOP to REJECT] Christey> As mentioned by others, this could apply to several different versions. Since the description is too vague, this CAN should be REJECTED and recast into other candidates. Name: CVE-1999-0712
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Cole, Frech, Stracener MODIFY(1) Blake NOOP(1) Armstrong REVIEWING(1) ChristeyVoter Comments: Blake> This obscurely-written advisory seems to state that COAS will make the file world-readable, not that it allows the user to make it so. I hardly think that allowing the user to turn off security is a vulnerability. Christey> It's difficult to write the description based on what's in the advisory. If COAS inadvertently changes permissions without user confirmation, then it should be ACCEPTed with appropriate modification to the description. Christey> ADDREF BID:137 CHANGE> [Armstrong changed vote from REVIEWING to NOOP] Name: CVE-1999-0736
Description:
Status: Candidate Votes: ACCEPT(4) Ozancin, Prosser, Stracener, Wall MODIFY(2) Cole, Frech NOOP(1) Baker REVIEWING(1) ChristeyVoter Comments: Frech> XF:iis-samples-showcode Cole> There are several sample files that allow this. I would quote showcode.asp but make it more generic. Prosser> (Modify) Have a question on this and on the following three candidates as well. All of these are part of the file viewer utilities that allow unauthorized file reading, but MSKB Q231368 also mentioned the diagnostics program, Winmsdp.exe, as another vulnerable viewer in this same set of viewers. If we are going to split out the separate viewer tools, then shouldn't there be a separate CAN for Winmsdp.exe also? Christey> Mike's question basically touches on the CD:SF-EXEC content decision - what do you do when you have the same bug in multiple executables? CD:SF-EXEC needs to be reviewed and approved by the Editorial Board before we can decide what to do with this candidate. Christey> Mark Burnett says that Microsoft's mention of winmsdp.exe in MSKB:Q231368 may be an error, and that winmsdp.exe is a Microsoft Diagnostics Report Generator which may not even be installed as part of IIS. Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html Christey> ADDREF BID:167 URL:http://www.securityfocus.com/vdb/bottom.html?vid=167 Christey> MISC:http://p.ulh.as/xploitsdb/NT/iis38.html covers a showcode.asp directory traversal vulnerability and refers to the L0pht advisory. Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317 Name: CVE-1999-0737
Description:
Status: Candidate Votes: ACCEPT(4) Ozancin, Prosser, Stracener, Wall MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(1) ColeVoter Comments: Frech> XF:iis-samples-viewcode Cole> I would combine this with the previous. Prosser> (modify) See comments in 0736 above Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html for additional details. Christey> Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317 Name: CVE-1999-0738
Description:
Status: Candidate Votes: ACCEPT(4) Ozancin, Prosser, Stracener, Wall MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(1) ColeVoter Comments: Frech> XF:iis-samples-code Cole> Same as above Prosser> (modify) See comments in 0736 above Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html for additional details. Christey> Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317 Name: CVE-1999-0739
Description:
Status: Candidate Votes: ACCEPT(4) Ozancin, Prosser, Stracener, Wall MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(1) ColeVoter Comments: Frech> XF:iis-samples-codebrws Cole> Same as above. Prosser> (modify) See comments in 0736 above Christey> codebrw2.asp and Codebrw1.asp also need to be included somewhere. Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html Christey> Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317 Name: CVE-1999-0741
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Frech, Levy, Stracener NOOP(2) Christey, OliverVoter Comments: Christey> change description - anyone can log on *as* root Frech> (Note: this XF also cataloged under CVE-1999-0508.) Name: CVE-1999-0748
Description:
Status: Candidate Votes: ACCEPT(4) Armstrong, Baker, Cole, Stracener MODIFY(1) Frech REJECT(1) BlakeVoter Comments: Blake> RHSA-1999:017-01 describes "potential security problem fixed" in the absence of knowing whether or not the problems actually existed, I don't think we have an entry here. Frech> XF:redhat-net-tool-bo Name: CVE-1999-0750
Description:
Status: Candidate Votes: ACCEPT(1) Levy MODIFY(2) Frech, Stracener NOOP(1) BakerVoter Comments: Stracener> Many sites are vulnerable to this problem. I recommend removing the explicit references to Hotmail and making the description more generic. Suggest: Javascript can be injected using the STYLE tag in an HTML formatted e-mail, allowing remote attackers to execute commands on user accounts. Frech> XF:hotmail-html-style-embed Name: CVE-1999-0757
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Cole, Frech NOOP(1) ChristeyVoter Comments: Frech> XF:coldfusion-encryption Christey> BUGTRAQ:19990724 Re: New Allaire Security Zone Bulletins and KB Articles URL:http://www.securityfocus.com/archive/1/19471 Christey> ADDREF BID:275 URL:http://www.securityfocus.com/bid/275 Name: CVE-1999-0767
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Blake, Cole, Dik MODIFY(2) Frech, Stracener REVIEWING(2) Christey, ProsserVoter Comments: Stracener> Add Ref: CIAC: J-069 Frech> XF:sun-libc-lcmessages Prosser> BID 268 is an additional reference for this one as it has info on the Sun vulnerability. However, BID 268 also includes AIX in this vulnerability and refs APARS issued to fix a vulnerability in various 'nixs with the Natural Language Service environmental variables NSLPATH and PATH_LOCALE depending on the 'nix, ref CERT CA-97.10, CVE-1999-0041. However, Georgi Guninski reported a BO in AIX with LC_MESSAGES + mount, also refed in BID 268, so it is possible the AIX APARs fix an earlier, similar vulnerability to the Sun BO in LC_MESSAGES. This should probably be considered under a different CAN. Any ideas? Christey> Given that the buffer overflows in CVE-1999-0041 are NLSPATH and PATH_LOCALE, I'd say that's good evidence that this is not the same problem. But a buffer overflow in libc in LC_MESSAGES... We must ask if these are basically the same codebase. ADDREF CIAC:J-069 Christey> While the description indicates multiple programs, CD:SF-EXEC does not apply because the vulnerability was in libc, and rcp and ufsrestore were both statically linked against libc. Thus CD:SF-LOC applies, and a single candidate is maintained because the problem occurred in a library. Dik> Sun bug 4240566 Christey> I'm consulting with Casper Dik and Troy Bollinger to see if this should be combined with the AIX buffer overflows for LC_MESSAGES; current indications are that they should be split. Christey> For further consultation, consider this post, though it's associated with CVE-1999-0041: BUGTRAQ:19970213 Linux NLSPATH buffer overflow http://www.securityfocus.com/archive/1/6296 Also add "NLSPATH" and "PATH_LOCALE" to the description to facilitate search. Name: CVE-1999-0776
Description:
Status: Candidate Votes: ACCEPT(4) Frech, Levy, Ozancin, Stracener MODIFY(1) Baker NOOP(6) Armstrong, Blake, Cole, Landfield, LeBlanc, Wall REVIEWING(1) ChristeyVoter Comments: Christey> This candidate is unconfirmed by the vendor. Posted by Arne Vidstrom. Blake> I'd like to change my vote on this from ACCEPT to NOOP. I did some digging and the vendor seems to have discontinued the product, so no information is available beyond Arne's post. Unless Andre has a copy in his archive and can test it, I think we have to leave it out. Wall> I agree with Blake. We have not seen the product and it has been discontinued. CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> If this is (or was) tested by some tool, we should ACCEPT it. Baker> http://www.securityfocus.com/bid/270 Christey> BID:270 URL:http://www.securityfocus.com/bid/270 Name: CVE-1999-0784
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(1) ColeVoter Comments: Frech> XF:oracle-tnslsnr-dos(1551) Name: CVE-1999-0792
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(2) Frech, Stracener NOOP(1) Christey REVIEWING(1) LevyVoter Comments: Stracener> Change the Ref to read: ROOTSHELL: Osicom Technologies ROUTERmate Security Advisory Frech> XF:routermate-snmp-community Christey> BUGTRAQ:19980914 [rootshell] Security Bulletin #23 URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90581019105693&w=2 Name: CVE-1999-0795
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Stracener MODIFY(1) Frech NOOP(1) OzancinVoter Comments: Frech> XF:sun-nisplus Name: CVE-1999-0798
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Ozancin, Stracener MODIFY(1) Frech NOOP(1) ChristeyVoter Comments: Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389 has January 1999 dates associated with it, while CVE-1999-0798 was reported in late December. http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2 SCO appears to have acknowledged this as well: ftp://ftp.sco.com/SSE/security_bulletins/SB-99.01a The poster also claims that OpenBSD fixed this as well. Frech> XF:bootp-remote-bo Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799 CHANGE> [Christey changed vote from REJECT to NOOP] Christey> What was I thinking? Brian Caswell pointed out that this is *not* the same bug as CVE-1999-0799. As reported in the 1998 Bugtraq post, the bug is in bootpd.c, and is related to providing an htype value that is used as an index into an array, and exceeds the intended boundaries of that array. Name: CVE-1999-0805
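Added example for the bootpd bug class Brian Caswell describes under CVE-1999-0798 above (a client-supplied BOOTP htype used as an array index and allowed to run past the end of the table). This is illustrative code written for this record, not bootpd's source or the 1998 Bugtraq exploit; the hardware-type table, the field offsets taken from RFC 951, the constructed BOOTREQUEST and the function names are assumptions for the demonstration. The parser range-checks htype before indexing and pins hlen to the type before it is used as a copy length, which is the check the vulnerable code path lacked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed BOOTP header layout (RFC 951): op(0) htype(1) hlen(2) hops(3)
 * xid(4..7) secs(8..9) unused(10..11) ciaddr(12) yiaddr(16) siaddr(20)
 * giaddr(24) chaddr(28..43) sname(44) file(108) vend(236); 300 bytes total. */
#define BOOTP_OFF_OP      0
#define BOOTP_OFF_HTYPE   1
#define BOOTP_OFF_HLEN    2
#define BOOTP_OFF_CHADDR  28
#define BOOTP_CHADDR_LEN  16
#define BOOTP_MSG_LEN     300

struct hwtype { const char *name; uint8_t hlen; };

/* Constructed table indexed by htype (assumption: not bootpd's own table).
 * A few IANA ARP hardware types are filled in; hlen 0 marks a type this
 * server does not handle. The table has 8 slots, but htype on the wire is a
 * uint8_t and can reach 255: that gap is the bug class. */
static const struct hwtype hwtypes[] = {
    { "reserved",     0 },   /* 0 */
    { "ethernet",     6 },   /* 1 */
    { "exp-ethernet", 1 },   /* 2 */
    { "unhandled",    0 },   /* 3 */
    { "unhandled",    0 },   /* 4 */
    { "unhandled",    0 },   /* 5 */
    { "ieee802",      6 },   /* 6 */
    { "arcnet",       1 },   /* 7 */
};
#define NHWTYPES (sizeof hwtypes / sizeof hwtypes[0])

struct bootp_hw {
    uint8_t htype;
    uint8_t hlen;
    const char *name;
    uint8_t chaddr[BOOTP_CHADDR_LEN];
};

/* Validate htype and hlen before either is used as an index or a length.
 * Returns 0 and fills *out on success, -1 on any failed check. */
int bootp_parse_hw(const uint8_t *pkt, size_t len, struct bootp_hw *out)
{
    if (pkt == NULL || out == NULL || len < BOOTP_MSG_LEN)
        return -1;
    uint8_t htype = pkt[BOOTP_OFF_HTYPE];
    uint8_t hlen  = pkt[BOOTP_OFF_HLEN];
    /* Range-check the index first, then reject types we do not serve. */
    if (htype >= NHWTYPES || hwtypes[htype].hlen == 0)
        return -1;
    /* hlen becomes a memcpy length below: it must match the type and can
     * never exceed the chaddr field. */
    if (hlen != hwtypes[htype].hlen || hlen > BOOTP_CHADDR_LEN)
        return -1;
    out->htype = htype;
    out->hlen  = hlen;
    out->name  = hwtypes[htype].name;
    memset(out->chaddr, 0, sizeof out->chaddr);
    memcpy(out->chaddr, pkt + BOOTP_OFF_CHADDR, hlen);
    return 0;
}

/* Builds a constructed BOOTREQUEST with the given htype/hlen and a fixed
 * chaddr into buf (at least BOOTP_MSG_LEN bytes); returns the message length. */
size_t bootp_build_request(uint8_t *buf, uint8_t htype, uint8_t hlen)
{
    static const uint8_t mac[6] = { 0x02, 0x00, 0x5e, 0x10, 0x20, 0x30 };
    memset(buf, 0, BOOTP_MSG_LEN);
    buf[BOOTP_OFF_OP]    = 1;          /* BOOTREQUEST */
    buf[BOOTP_OFF_HTYPE] = htype;
    buf[BOOTP_OFF_HLEN]  = hlen;
    memcpy(buf + BOOTP_OFF_CHADDR, mac, sizeof mac);
    return BOOTP_MSG_LEN;
}

/* Build a request and run it through the parser; returns the verdict.
 * len_override < 0 uses the full message length, otherwise truncates. */
int bootp_try(uint8_t htype, uint8_t hlen, long len_override)
{
    uint8_t buf[BOOTP_MSG_LEN];
    struct bootp_hw hw;
    size_t n = bootp_build_request(buf, htype, hlen);
    if (len_override >= 0)
        n = (size_t)len_override;
    return bootp_parse_hw(buf, n, &hw);
}

/* Returns the hardware type name the parser assigned, or "" when rejected. */
const char *bootp_try_name(uint8_t htype, uint8_t hlen)
{
    uint8_t buf[BOOTP_MSG_LEN];
    struct bootp_hw hw;
    size_t n = bootp_build_request(buf, htype, hlen);
    return bootp_parse_hw(buf, n, &hw) == 0 ? hw.name : "";
}

int main(void)
{
    printf("ethernet/6   -> %d (%s)\n", bootp_try(1, 6, -1), bootp_try_name(1, 6));
    printf("htype 200    -> %d\n", bootp_try(200, 6, -1));
    printf("hlen 16      -> %d\n", bootp_try(1, 16, -1));
    printf("short packet -> %d\n", bootp_try(1, 6, 10));
    return 0;
}
```

The order of the two checks matters: `hwtypes[htype].hlen` may only be read after `htype >= NHWTYPES` has been ruled out, and `hlen` may only reach `memcpy` after it has been matched against the table entry, since an attacker controls both bytes.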
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Frech NOOP(2) Christey, ColeVoter Comments: Christey> BID:276 URL:http://www.securityfocus.com/vdb/bottom.html?vid=276 Frech> XF:novell-tts-dos Name: CVE-1999-0808
Description:
Status: Candidate Votes: ACCEPT(4) Armstrong, Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) WallVoter Comments: Frech> XF:dhcp-remote-dos(7248) Name: CVE-1999-0816
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Cole, Stracener MODIFY(1) Frech NOOP(2) Christey, LeBlancVoter Comments: Christey> This candidate is unconfirmed by the vendor. Frech> XF:motorola-cable-default-pass Name: CVE-1999-0818
Description:
Status: Candidate Votes: ACCEPT(2) Armstrong, Stracener MODIFY(4) Cole, Dik, Frech, Prosser NOOP(1) Baker REVIEWING(1) ChristeyVoter Comments: Cole> This can cause code to be executed. Frech> XF:sol-kcms-conf-netpath-bo Dik> the bug has nothing to do with kcms_configure; it's a bug in libnsl.so. All set-uid executables that trigger this code path are vulnerable. Sun bug 4295834; fixed in Solaris 8. Prosser> Okay, I am confused. Based on Casper's comments and checking on the Sun patch site, I found the 4295834 bug(4295834 NETPATH security problem in libnsl) fixed in SunOS 5.4, Patch 101974-37(x86) 101973 (sparc). Multiple libnsl vulnerabilities was first reported in an 98 Sun Bulletin #00172 for 5.4 up through 2.6. Was this NETPATH a problem that resurfaced in 7 (looks like in 5.4 as well) and was fixed in 8? Christey> Need to dig up my offline email on this. Christey> May be a duplicate of CVE-1999-0321, whose sole reference (XF:sun-kcms-configure-bo) no longer exists. Also examine BID:452 and BUGTRAQ:19981223 Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Updated) which are the same as XF:sol-kcms-conf-p-bo(3652), which could be the new name for XF:sun-kcms-configure-bo. Name: CVE-1999-0821
Description:
Status: Candidate Votes: ACCEPT(2) Armstrong, Stracener MODIFY(1) Frech NOOP(2) Baker, Christey REJECT(1) Cole REVIEWING(1) ProsserVoter Comments: Cole> I would combine this with the previous. To me the general vulnerabilities are similar it is just the end result that changes. Frech> XF:freebsd-seyon-setgid Christey> ADDREF? CALDERA:CSSA-1999-037.0 Name: CVE-1999-0822
Description:
Status: Candidate Votes: ACCEPT(4) Armstrong, Baker, Cole, Stracener MODIFY(1) Frech NOOP(1) Christey REVIEWING(1) ProsserVoter Comments: Frech> XF:qpopper-auth-bo Christey> ADDREF? DEBIAN:19991215 buffer overflow in qpopper v3.0 ADDREF XF:qpopper-auth-bo Name: CVE-1999-0825
Description:
Status: Candidate Votes: ACCEPT(4) Armstrong, Baker, Cole, Stracener MODIFY(1) Frech NOOP(1) Christey REVIEWING(1) Prosser Voter Comments: Frech> XF:sco-mail-permissions Christey> ADDREF ftp://ftp.sco.com/SSE/security_bulletins/SB-99.25a Name: CVE-1999-0827
Description:
Status: Candidate Votes: ACCEPT(4) Armstrong, Baker, LeBlanc, Stracener MODIFY(2) Cole, Frech REVIEWING(1) Prosser Voter Comments: Cole> The BID is 855. If I have the right vulnerability, this allows an attacker to access URLs of their choosing, which could lead to a compromise of private information. Frech> XF:http-frame-spoof Question: Similar vulnerability to MS98-020 / CVE-1999-0869? LeBlanc> MSRC tells me this is patched in MS00-009 Name: CVE-1999-0828
Description:
Status: Candidate Votes: ACCEPT(3) Armstrong, Baker, Stracener MODIFY(2) Cole, Frech REVIEWING(2) Christey, Prosser Voter Comments: Cole> This is BID 850. Christey> See comments on CVE-1999-0988. Perhaps these two should be merged. ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely alludes to this problem; the README for patch SSE053 effectively confirms it. Frech> XF:sco-pkg-dacread-fileread Name: CVE-1999-0829
Description:
Status: Candidate Votes: ACCEPT(2) Armstrong, Stracener MODIFY(1) Frech NOOP(2) Baker, Cole REVIEWING(1) Prosser Voter Comments: Cole> I could not find details on this using the above references. Frech> XF:hp-secure-console Name: CVE-1999-0830
Description:
Status: Candidate Votes: ACCEPT(3) Armstrong, Baker, Stracener MODIFY(3) Cole, Frech, Prosser REVIEWING(1) Christey Voter Comments: Cole> This is BID 824 and the BUGTRAQ reference is 19991125. Frech> XF:sco-unixware-xsco Christey> Confirmed by vendor, albeit vaguely: http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2 Prosser> agree with Steve on vendor confirmation, however not sure the fix ref'd in BID 824 (SSE041) is right. It lists fixes for libnsl and tcpip.so, nothing about xsco. SSE050b (ftp://ftp.sco.com/SSE/security_bulletins/SB-99.26b) fixes a buffer overflow in xsco on OpenServer (the vendor message Steve refers to) but not the UnixWare vulnerability reported on Bugtraq and in BID 824. Anyone more familiar with SCO shed some light on this? Are they the same codebase, so the fix would be the same? From the SCO site it seems the UnixWare and OpenServer products are similar but have differences. CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> BID:824 http://www.securityfocus.com/bid/824 Name: CVE-1999-0840
Description:
Status: Candidate Votes: ACCEPT(4) Armstrong, Baker, Dik, Stracener MODIFY(1) Frech NOOP(1) Cole REVIEWING(1) Prosser Voter Comments: Cole> I went to 1129 and it looks like a reference for a different vulnerability. Frech> In the description, should dtmailptr be dtmailpr? XF:solaris-dtmailpr-overflow XF:solaris-dtmail-overflow Dik> sun bug: 4166321 Name: CVE-1999-0841
Description:
Status: Candidate Votes: ACCEPT(5) Armstrong, Baker, Cole, Dik, Stracener MODIFY(1) Frech REVIEWING(1) Prosser Voter Comments: Frech> XF:cde-mailtool-bo Dik> bug 4163471 (Root access is only possible when mail is sent to root and he uses dtmail to read it) Name: CVE-1999-0843
Description:
Status: Candidate Votes: ACCEPT(3) Balinsky, Cole, Stracener MODIFY(1) Frech NOOP(2) Armstrong, Baker REVIEWING(3) Christey, Prosser, Ziese Voter Comments: Frech> XF:cisco-nat-dos Christey> Mike Prosser's REVIEWING vote expires July 17, 2000 Ziese> After reviewing http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml I cannot confirm this exists unless it's restructured to describe a problem against IOS per se, not NAT per se. I am reviewing this and it may take some time. CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> Not sure if Kevin's suggested reference really describes this one. However, a followup email by Jim Duncan of Cisco does acknowledge the problem as discussed in the Bugtraq post: http://marc.theaimsgroup.com/?l=vuln-dev&m=94385601831585&w=2 The original post is: http://marc.theaimsgroup.com/?l=bugtraq&m=94184947504814&w=2 It could be that the researcher believed that the problem was NAT, but in fact it wasn't. I need to follow up with Ziese/Balinsky on this one. Name: CVE-1999-0844
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Stracener MODIFY(2) Cole, Frech NOOP(1) Armstrong RECAST(1) Christey REVIEWING(1) Prosser Voter Comments: Cole> 823 and 820 are two different vulnerabilities and should be separated out. They are both buffer overflows but accomplish it in a different fashion, and the end exploit is different. Frech> (RECAST?) XF:mdaemon-worldclient-dos XF:mdaemon-webconfig-dos Recast request: This is really two services exhibiting the same problem. Christey> as suggested by others. Also see confirmation at: http://mdaemon.deerfield.com/helpdesk/hotfix.cfm Name: CVE-1999-0845
Description:
Status: Candidate Votes: ACCEPT(4) Armstrong, Cole, Prosser, Stracener MODIFY(1) Frech RECAST(1) Baker REVIEWING(1) Christey Voter Comments: Christey> DUPE CVE-1999-0317? Frech> XF:sco-su-username-bo Christey> ADDREF BID:826 CONFIRM:ftp://ftp.sco.com/SSE/sse039.tar.Z Name: CVE-1999-0846
Description:
Status: Candidate Votes: ACCEPT(5) Armstrong, Baker, Cole, Prosser, Stracener MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Frech> XF:mdaemon-dos Christey> CVE-1999-0844 is confirmed by MDaemon at http://mdaemon.deerfield.com/helpdesk/hotfix.cfm but there is no apparent confirmation for this problem, even though it was posted the same day. Prosser> Looks like from a follow-on message on Bugtraq from Nobuo <http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-28&msg=199912011604.HJI39569.BX-NOJ@lac.co.jp> Deerfield sent a reply about the DoS problems in MDaemon 2.8.5, that also talks about fixing the 2.7 J DoS that Nobuo initially reported. Can't find the original message, so may have been limited distro. Looks like an upgrade to the latest release might be the final solution here. Name: CVE-1999-0850
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Stracener MODIFY(1) Frech NOOP(2) Armstrong, Baker REVIEWING(1) Prosser Voter Comments: Frech> XF:endymion-mailman-perms Name: CVE-1999-0852
Description:
Status: Candidate Votes: ACCEPT(3) Armstrong, Cole, Stracener MODIFY(1) Frech NOOP(1) Baker REVIEWING(1) Prosser Voter Comments: Frech> XF:websphere-protect Name: CVE-1999-0855
Description:
Status: Candidate Votes: ACCEPT(3) Armstrong, Prosser, Stracener MODIFY(2) Cole, Frech NOOP(2) Baker, Christey Voter Comments: Cole> The BID is 834 and the reference is 19991201, not 1130. Frech> XF:freebsd-gdc-bo Christey> ADDREF BID:780 ? Name: CVE-1999-0857
Description:
Status: Candidate Votes: ACCEPT(3) Armstrong, Prosser, Stracener MODIFY(2) Cole, Frech NOOP(1) Baker Voter Comments: Cole> This is via debug output. Frech> XF:freebsd-gdc Name: CVE-1999-0860
Description:
Status: Candidate Votes: ACCEPT(2) Armstrong, Stracener MODIFY(2) Dik, Frech NOOP(2) Baker, Christey REJECT(1) Cole REVIEWING(1) Prosser Voter Comments: Cole> This is the same as the previous. Frech> XF:sol-chkperm-vmsys Dik> include reference to Sun bug 4296167 Christey> Remove BID:837, which is for arp, not chkperm Name: CVE-1999-0862
Description:
Status: Candidate Votes: ACCEPT(3) Armstrong, Cole, Stracener MODIFY(1) Frech NOOP(1) Baker REVIEWING(1) Prosser Voter Comments: Frech> XF:postgresql-insecure-perms Name: CVE-1999-0863
Description:
Status: Candidate Votes: ACCEPT(4) Armstrong, Cole, Prosser, Stracener MODIFY(1) Frech NOOP(1) Baker REVIEWING(1) Christey Voter Comments: Frech> XF:freebsd-seyon-bo Christey> ADDREF? CALDERA:CSSA-1999-037.0 Christey> May be multiple bugs here, or a single library problem. CD:SF-LOC needs to be resolved before determining if this candidate should be SPLIT. Also see CVE-1999-0821. Name: CVE-1999-0872
Description:
Status: Candidate Votes: MODIFY(2) Cole, Frech NOOP(1) Baker REJECT(3) Blake, Christey, Stracener Voter Comments: Cole> 611 is the mail to listed above, but 759 is for the mail from and should be listed as a separate vulnerability. Blake> This does not appear materially different from CVE-1999-0768 Christey> This is an apparent duplicate of CVE-1999-0768. REDHAT:RHSA-1999:030-02 describes two issues, one of which is CVE-1999-0768, and the other is CVE-1999-0769. Stracener> This is a duplicate of candidate CVE-1999-0768. Frech> XF:cron-sendmail-bo-root Christey> BID:759 is improperly assigned to this candidate and doesn't even describe it. It may have been inadvertently copied from CVE-1999-0873. Name: CVE-1999-0882
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Blake, Stracener MODIFY(1) Frech NOOP(2) Armstrong, Cole Voter Comments: Frech> XF:falcon-server-long-filename Name: CVE-1999-0885
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Stracener MODIFY(1) Frech NOOP(5) Armstrong, Blake, Christey, Cole, LeBlanc Voter Comments: Christey> This candidate is unconfirmed by the vendor. Blake> Same as CVE-1999-0776. Frech> XF:alibaba-url-file-manipulation Christey> CD:SF-LOC and CD:SF-EXEC may say to merge this candidate with the problems described in: BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0 URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html If so, then ADDREF BID:1485 as well. Christey> Include the names of the affected CGIs, including tst.bat, get32.exe, alibaba.pl, etc. Name: CVE-1999-0910
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Ozancin, Prosser, Wall MODIFY(2) Frech, Stracener REJECT(1) Cole Voter Comments: Frech> XF:siteserver-cis-cookie-cache Cole> Whether cookies are a vulnerability is a debate for another time; the question here is whether the expiration feature is a vulnerability, and I do not think it is, because the underlying concerns for this are present even without this feature. The expiration feature does not add any new vulnerabilities that are not already present with cookies. Stracener> Add Ref: MSKB Q238647 Name: CVE-1999-0911
Description:
Status: Candidate Votes: ACCEPT(5) Baker, Blake, Cole, Prosser, Stracener MODIFY(1) Frech REVIEWING(1) Christey Voter Comments: Frech> XF:proftpd-long-dir-bo(3399) Christey> Not absolutely sure if this isn't the same as Palmetto (CVE-1999-0368), which describes a similar type of overflow. NETBSD:NetBSD-SA1999-003 may refer to CVE-1999-0368: ADDREF URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-003.txt.asc Christey> ADDREF CIAC:J-068 Include version numbers; too many wu-ftp/etc. problems were published in summer/fall 1999 Name: CVE-1999-0913
Description:
Status: Candidate Votes: ACCEPT(2) Blake, Stracener MODIFY(1) Frech NOOP(4) Armstrong, Baker, Cole, LeBlanc REVIEWING(1) Christey Voter Comments: Christey> Some voters should use ABSTAIN. Frech> XF:dragon-fire-ids-metachar(3834) CHANGE> [Armstrong changed vote from REVIEWING to NOOP] Name: CVE-1999-0919
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Cole MODIFY(1) Frech NOOP(7) Armstrong, Christey, Landfield, LeBlanc, Ozancin, Stracener, Wall REVIEWING(1) Levy Voter Comments: Christey> This candidate is unconfirmed by the vendor. Frech> XF:motorola-cable-crash Christey> This has enough votes, but not the "confidence" yet (until we resolve the question of the amount of verification needed for CVE). Name: CVE-1999-0923
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Cole MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> XF:coldfusion-source-display(1741) XF:coldfusion-syntax-checker(1742) XF:coldfusion-file-existence(1743) XF:coldfusion-sourcewindow(1744) Christey> List all affected runnable code snippets to facilitate search, which may include: viewexample.cfm (though could that be part of CVE-1999-0922?) Name: CVE-1999-0925
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Stracener MODIFY(1) Frech NOOP(1) Christey REVIEWING(1) Levy Voter Comments: Frech> XF:unitymail-web-dos(1630) Christey> BID:1760 URL:http://www.securityfocus.com/bid/1760 Christey> Affected version is 2.0 Change date of Bugtraq post - it was 1998. Name: CVE-1999-0926
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(3) Christey, Foat, Wall Voter Comments: Christey> BID:1760 URL:http://www.securityfocus.com/bid/1760 Frech> XF:unitymail-web-dos(1630) Name: CVE-1999-0929
Description:
Status: Candidate Votes: ACCEPT(4) Armstrong, Blake, Cole, Stracener MODIFY(1) Frech NOOP(1) Baker Voter Comments: Frech> XF:novell-webserver-dos(2287) Name: CVE-1999-0941
Description:
Status: Candidate Votes: ACCEPT(1) Stracener NOOP(2) Baker, Christey REJECT(1) Frech REVIEWING(1) Levy Voter Comments: Frech> References are vague, but seem to be identical to CVE-1999-0940 (XF:mutt-text-enriched-mime-bo). According to the references, the malformed messages consist of metacharacters. In addition, -0941's reference and -0940's SuSE reference both refer to fixes in the 1.0pre3 release. Will reconsider vote if other clearer references are forthcoming. Christey> Modify to mention that the metachars are in the Content-Type header. http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2 Name: CVE-1999-0944
Description:
Status: Candidate Votes: ACCEPT(2) Baker, Stracener MODIFY(1) Frech NOOP(2) Bollinger, Christey REVIEWING(1) Levy Voter Comments: Frech> XF:websphere-database-pwd-accessible Christey> ADDREF BID:1763 URL:http://www.securityfocus.com/bid/1763 Name: CVE-1999-0948
Description:
Status: Candidate Votes: ACCEPT(2) Levy, Stracener MODIFY(1) Frech NOOP(2) Baker, Christey Voter Comments: Christey> CVE-1999-0948 and CVE-1999-0949 are extremely similar. uum (0948) is exploitable through a different set of options than canuum (0949). If it's the same generic option parsing routine used by both programs, then CD:SF-CODEBASE says to merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC say to split them. However, this is a prime example of how SF-EXEC might be modified - uum and canuum are clearly part of the same package, so in the absence of clear information, maybe we should merge them. Frech> XF:canna-uum-bo Name: CVE-1999-0949
Description:
Status: Candidate Votes: ACCEPT(2) Levy, Stracener MODIFY(1) Frech NOOP(2) Baker, Christey Voter Comments: Christey> CVE-1999-0948 and CVE-1999-0949 are extremely similar. uum (0948) is exploitable through a different set of options than canuum (0949). If it's the same generic option parsing routine used by both programs, then CD:SF-CODEBASE says to merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC say to split them. However, this is a prime example of how SF-EXEC might be modified - uum and canuum are clearly part of the same package, so in the absence of clear information, maybe we should merge them. Also review BID:758 and BID:757 - may need to change the BID here. Frech> XF:canna-uum-bo Christey> CHANGEREF BID:757 BID:758 Christey> The following page says that canuum is a "Japanese input tty frontend for Canna using uum," which suggests that it is, at the least, a different package, so perhaps this should stay SPLIT. http://wuarchive.wustl.edu/mirrors/NetBSD/NetBSD-current/pkgsrc/inputmethod/canuum/README.html Name: CVE-1999-0952
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Ozancin, Stracener MODIFY(2) Dik, Frech REVIEWING(1) Christey Voter Comments: Frech> XF:solaris-lpstat-bo Christey> It is unclear from Casper Dik's followup whether this is exploitable or not. Dik> Sun bug 4129917 (other reports in the same thread suggest that the then-current patch did fix the problem) Christey> Confirm with Casper Dik that the overflow is in the -c option, and if so, include it in the description to differentiate it from the lpstat -n buffer overflow. Name: CVE-1999-0970
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Blake, Stracener MODIFY(1) Frech NOOP(1) Christey REVIEWING(1) Levy Voter Comments: Frech> XF:omnihttpd-dos Christey> Some sort of confirmation might be findable at: http://www.omnicron.ab.ca/httpd/docs/release.html Christey> See http://www.omnicron.ab.ca/index.html The August 16, 2000 news item says "This release fixes some security problems." It's for version 2.07, but the discloser didn't say what version was available. Other security fixes are in the release notes at http://www.omnicron.ab.ca/httpd/docs/release.html Notes for Professional Version 1.01 say "Patched up two security weaknesses." Notes for version 2.07 say "Fixes dot-appending vulnerability." Professional Alpha 7 says "Revamped CGI launching and security," Professional Alpha 4 says "Fixed SSI path mapping and security problems," Alpha 5 says "Security fixup." In other words, you can't tell whether they've fixed this bug or not. Christey> BID:1808 URL:http://www.securityfocus.com/bid/1808 Name: CVE-1999-0983
Description:
Status: Candidate Votes: ACCEPT(3) Blake, Cole, Stracener MODIFY(1) Frech NOOP(1) Baker REVIEWING(1) Christey Voter Comments: Christey> More examination is required to determine if CVE-1999-0983, CVE-1999-0984, or CVE-1999-0985 are the same codebase. Frech> XF:whois-internic-shell-meta Christey> ADDREF BID:2000 Christey> The XF appears to be gone. Perhaps it's this one: XF:http-cgi-whois-meta(3798) Name: CVE-1999-0984
Description:
Status: Candidate Votes: ACCEPT(2) Blake, Stracener MODIFY(1) Frech NOOP(2) Baker, Cole REVIEWING(1) Christey Voter Comments: Cole> How is this different from the previous? Christey> More examination is required to determine if CVE-1999-0983, CVE-1999-0984, or CVE-1999-0985 are the same codebase. Frech> XF:matts-whois-meta Christey> ADDREF BID:2000 Christey> XF reference is gone. Replace with http-cgi-matts-whois-meta(3799) ? Name: CVE-1999-0985
Description:
Status: Candidate Votes: ACCEPT(2) Blake, Stracener MODIFY(1) Frech NOOP(2) Baker, Cole REVIEWING(1) Christey Voter Comments: Cole> I would combine all of these. Christey> More examination is required to determine if CVE-1999-0983, CVE-1999-0984, or CVE-1999-0985 are the same codebase. Frech> XF:cc-whois-meta Christey> ADDREF BID:2000 Frech> Change cc-whois-meta(3800) to http-cgi-ccwhois(3747) Christey> Replace XF reference with XF:cc-whois-meta(3800) ? Name: CVE-1999-0988
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Blake, Cole MODIFY(1) Frech RECAST(1) Stracener REVIEWING(1) Christey Voter Comments: Stracener> The pkg* programs pkgtrans, pkginfo, pkgcat, pkginstall, and pkgparam can be used to mount etc/shadow printing attacks as a result of the "dacread" permission (cf. /etc/security/tcb/privs). The procedural differences between the individual exploits for each of these utilities are therefore inconsequential. CVE-1999-0988 should be merged with CVE-1999-0828. From the standpoint of maintaining consistency of the level of abstraction used in CVE, the co-existence of CANs 1999-0988/1999-0828 presents two choices: either merge 0988 with 0828, or split 0828 into 4 distinct candidates, keeping 0988 intact. Due to the very small differences (in principle) between the exploits subsumed by 0828 and 0988 and the shared dacread permissions of the pkg* suite, I suggest a merge. Below is a summary of the data upon which my decision was based.
utility     exploit
--------    ----------------------------------
pkgtrans    --> symlink + dacread permission prob
pkginfo     --> truss (debugging utility) in conjunction with pkginfo -d etc/shadow. In this case, it captures the interaction between pkginfo and the shadow file. Once again: dacread.
pkgcat      --> buffer overflow + dacread permission prob
pkginstall  --> buffer overflow + dacread permission prob
pkgparam    --> -f etc/shadow (works because of dacread).
Christey> This is a tough one. While there are few procedural differences, one could view "assignment of an improper permission" as a "class" of problems along the lines of buffer overflows and the like. Just like some programs were fine until they got turned into CGI scripts, this could be an emerging pattern which should be given consideration. Consider the Eyedog and scriptlet.typelib ActiveX utilities being marked as safe for scripting (CVE-1999-0668 and 0669). ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely alludes to this problem; the README for patch SSE053 effectively confirms it. Frech> XF:unixware-pkgtrans-symlink Name: CVE-1999-0990
Description:
Status: Candidate Votes: ACCEPT(3) Blake, Cole, Stracener MODIFY(1) Frech NOOP(1) Baker Voter Comments: Frech> XF:verbose-auth-identify-user(3804) Name: CVE-1999-0993
Description:
Status: Candidate Votes: ACCEPT(2) Stracener, Wall MODIFY(1) Frech NOOP(2) Baker, Cole REJECT(1) LeBlanc Voter Comments: Frech> XF:exchange-acl-changes(3916) LeBlanc> Not a vulnerability Name: CVE-1999-1002
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Cole, Stracener, Wall MODIFY(1) Frech NOOP(1) Christey Voter Comments: Frech> XF:netscape-mail-encryption(3921) Christey> CHANGEREF make the RCA URL a "MISC" reference Name: CVE-1999-1003
Description:
Status: Candidate Votes: ACCEPT(3) Baker, Cole, Stracener MODIFY(1) Frech NOOP(1) Wall Voter Comments: Frech> XF:warftp-connection-flood Name: CVE-1999-1006
Description:
Status: Candidate Votes: ACCEPT(4) Baker, Cole, Prosser, Stracener MODIFY(1) Frech NOOP(2) Christey, Wall Voter Comments: Frech> XF:groupwise-web-path Prosser> Pretty well confirmed by testing with responses to BugTraq list. Additional ref: BugTraq ID 879 http://www.securityfocus.com/bid/879 Christey> A later discovery almost 2 years later is at: BUGTRAQ:20020227 SecurityOffice Security Advisory:// Novell GroupWise Web Access Path Disclosure Vulnerability http://marc.theaimsgroup.com/?l=bugtraq&m=101494830315071&w=2 CD:SF-LOC might suggest merging these together. Name: CVE-1999-1009
Description:
Status: Candidate Votes: ACCEPT(1) Baker MODIFY(1) Frech NOOP(4) Balinsky, Cole, Stracener, Wall Voter Comments: Frech> XF:disney-search-info(3955) Balinsky> The go.express.com web site does not mention the existence of the Express web server mentioned in the advisory. There appears to be no way of verifying this. Name: CVE-1999-1012
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, Wall Voter Comments: Frech> (Task 1770) CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:lotus-domino-smtp-dos(8790) Name: CVE-1999-1013
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:aix-named-xfer-root-access(3308) Name: CVE-1999-1015
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:smtp-helo-bo(886) Name: CVE-1999-1016
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Wall MODIFY(1) Frech NOOP(2) Christey, Foat Voter Comments: Frech> XF:ms-html-table-form-dos(3246) Christey> Add period to the end of the description. Name: CVE-1999-1017
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> (Task 2281) CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:emurl-attachment-execution(8794) Name: CVE-1999-1018
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, Wall Voter Comments: Frech> XF:linux-ipchains-bypass-filter(6516) Name: CVE-1999-1020
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1022
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Christey, Foat Voter Comments: Christey> Note: CVE-1999-1310 is a duplicate of this candidate. CVE-1999-1310 will be REJECTed; this is the proper CAN to use. CIAC:F-01 URL:http://ciac.llnl.gov/ciac/bulletins/f-01.shtml SGI:19941001-01-P URL:ftp://patches.sgi.com/support/free/security/advisories/19941001-01-P MISC:http://www.netsys.com/firewalls/firewalls-9410/0019.html Name: CVE-1999-1023
Description:
Status: Candidate Votes: ACCEPT(1) Dik MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Dik> sun bug: 4222400 Frech> XF:solaris-useradd-expired-accounts(8375) CONFIRM:(2.6)110883-01, (2.6_x86) 110884-01, (7)110869-01, (7_x86) 110870-01 Name: CVE-1999-1024
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, Wall Voter Comments: Frech> XF:tcpdump-ipprint-dos(8373) Name: CVE-1999-1025
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Dik, Foat, Stracener MODIFY(1) Frech Voter Comments: Frech> XF:solaris-cde-nisplus-lock(7473) Dik> sun bug: 4115685 Name: CVE-1999-1026
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(1) Foat Voter Comments: Frech> XF:sun-aspppd-tmp-symlink(7173) Name: CVE-1999-1029
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1030
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:http-cgi-counter-long(2196) Name: CVE-1999-1031
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:http-cgi-counter-long(2196) Name: CVE-1999-1033
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Wall MODIFY(1) Frech NOOP(1) Foat Voter Comments: Frech> (Task 2241) CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:outlook-pop3-dot-dos(8926) Name: CVE-1999-1036
Description:
Status: Candidate Votes: ACCEPT(1) Foat MODIFY(1) Frech NOOP(2) Cole, Wall Voter Comments: Frech> XF:cops-temp-file-symlink(7325) Name: CVE-1999-1038
Description:
Status: Candidate Votes: ACCEPT(1) Foat MODIFY(1) Frech NOOP(2) Cole, Wall Voter Comments: Frech> XF:tiger-workdir-symlink(7326) Name: CVE-1999-1039
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener REJECT(1) Frech Name: CVE-1999-1040
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener NOOP(1) Christey REJECT(1) Frech Voter Comments: Christey> This candidate and CVE-1999-1501 are duplicates. However, CVE-1999-1501 will be REJECTed in favor of this candidate. Add the following references: BID:70 URL:http://www.securityfocus.com/bid/70 BID:71 URL:http://www.securityfocus.com/bid/71 XF:irix-ipxchk-ipxlink-ifs-commands(7365) URL:http://xforce.iss.net/static/7365.php Name: CVE-1999-1041
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall REVIEWING(1) Christey Voter Comments: Frech> XF:sco-openserver-mscreen-bo(1379) Christey> Possible dupe with CVE-1999-1185. Name: CVE-1999-1042
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall REJECT(3) Armstrong, Balinsky, Christey Voter Comments: Frech> XF:cisco-crm-file-vuln(1575) Armstrong> I think that this is the same as Can-1999-1126 Balinsky> This is the same as CVE-1999-1126. Merge them. Christey> DUPE CVE-1999-1126, as noted by others. This candidate will be rejected. CVE-1999-1126 will be promoted. Name: CVE-1999-1043
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Wall MODIFY(1) Frech Voter Comments: Frech> XF:exchange-dos(1223) Name: CVE-1999-1046
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1049
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:arcserve-agent-passwords(1822) Name: CVE-1999-1050
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall REVIEWING(1) Christey Voter Comments: Christey> Abstraction and definition issue: CD:SF-LOC suggests combining issues of the same type. Some people refer to "directory traversal" and just mean .. problems; but there are other issues (specifying an absolute pathname, using C: drive letters, doing encodings) that, to my way of thinking, are "different." Perhaps this should be split. My brain hurts too much right now. There are a couple problems with the references and descriptions of CVE-1999-1050 and CVE-1999-1051. I'm interpreting the underlying nature of the problem(s) a little differently than others are. Some of it may be due to differing definitions or thoughts about what "directory traversal vulnerabilities" are. Name: CVE-1999-1051
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall REVIEWING(1) Christey Voter Comments: Frech> XF:formhandler-cgi-reply-message(7782) Christey> I view one of these as a configuration issue: FormHandler.cgi *could* be configured to limit hard-coded pathnames to a single directory which, while being an information leak, would still be "reasonably secure." But by default, it's just not configured that way. My brain hurts too much right now. There are a couple problems with the references and descriptions of CVE-1999-1050 and CVE-1999-1051. I'm interpreting the underlying nature of the problem(s) a little differently than others are. Some of it may be due to differing definitions or thoughts about what "directory traversal vulnerabilities" are. Name: CVE-1999-1052
Description:
Status: Candidate Votes: ACCEPT(1) Wall MODIFY(1) Frech NOOP(2) Cole, Foat Voter Comments: Frech> XF:frontpage-formresults-world-readable(8362) Name: CVE-1999-1053
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:guestbook-cgi-command-execution(7783) Name: CVE-1999-1054
Description:
Status: Candidate Votes: ACCEPT(1) Cole NOOP(2) Foat, Wall Name: CVE-1999-1056
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall REJECT(1) Christey Voter Comments: Frech> XF:vms-monitor-gain-privileges(7136) Christey> DUPE CVE-1999-1395 This CAN is being rejected in favor of CVE-1999-1395 because CVE-1999-1395 has more references. Name: CVE-1999-1058
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1060
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:tetrinet-dns-hostname-bo(7500) Name: CVE-1999-1061
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(1) Foat Voter Comments: Frech> CONFIRM:http://www.hp.com/cposupport/printers/support_doc/bpl02914.html Name: CVE-1999-1062
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(1) Foat Voter Comments: Frech> DELREF:XF:laserjet-unpassworded(1876) ADDREF:XF:hp-printer-flood(1818) Name: CVE-1999-1063
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1064
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:windowmaker-bo(3249) Name: CVE-1999-1065
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, Wall Voter Comments: Frech> XF:palm-hotsync-bo(7785) Name: CVE-1999-1066
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(4) Christey, Cole, Foat, Wall Voter Comments: Christey> This is apparently a problem with the connection protocol. See BUGTRAQ:19980522 NetQuake Protocol problem resulting in smurf like effect. URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925989&w=2 Frech> XF:quake-udp-connection-dos(7862) Name: CVE-1999-1067
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Voter Comments: Frech> I'd be a lot more confident in this vote if there was a more concrete reference strongly associating webdist.cgi and machineinfo. Name: CVE-1999-1068
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(2) Cole, Foat Voter Comments: Frech> XF:oracle-webserver-dos(1812) Name: CVE-1999-1069
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(1) Foat Voter Comments: Frech> iCat's site at http://www.icat.com/ is shut down, and no further support seems to be available. Name: CVE-1999-1070
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall Voter Comments: Frech> XF:annex-ping-crash(2090) Name: CVE-1999-1071
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1072
Description:
Status: Candidate Votes: NOOP(3) Cole, Foat, Wall Name: CVE-1999-1073
Description:
Status: Candidate Votes: NOOP(3) Cole, Foat, Wall Name: CVE-1999-1075
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:aix-ttdbserver(813) CONFIRM:APAR IX70400 Name: CVE-1999-1076
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Foat MODIFY(1) Frech NOOP(1) WallVoter Comments: Frech> XF:macos-idle-screenlock-bypass(7794) Name: CVE-1999-1077
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Foat MODIFY(1) Frech NOOP(1) WallVoter Comments: Frech> XF:macos-debug-screenlock-access(3426) Name: CVE-1999-1078
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:wsftp-weak-password-encryption(8349) Name: CVE-1999-1079
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) FrechVoter Comments: Frech> XF:aix-ptrace-setgid(7487) Name: CVE-1999-1081
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(1) Foat Name: CVE-1999-1082
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, WallVoter Comments: Frech> XF:jana-server-directory-traversal(6513) Name: CVE-1999-1083
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(3) Christey, Foat, WallVoter Comments: Frech> XF:jana-server-directory-traversal(6513) Christey> MODIFY description - the attack is of the form "/./../" (single dot followed by double-dot) Name: CVE-1999-1084
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Wall MODIFY(1) FrechVoter Comments: Frech> XF:nt-registry-permissions(4111) Name: CVE-1999-1086
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, WallVoter Comments: Frech> XF:netware-ipx-session-spoof(2350) Name: CVE-1999-1088
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener Name: CVE-1999-1089
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener Name: CVE-1999-1091
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1092
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:tin-insecure-permissions(7796) Confirmed in changelog for 1.4.1 http://ftp.kreonet.re.kr/pub/tools/news/tin/v1.4/CHANGES Name: CVE-1999-1095
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Christey, Cole, FoatVoter Comments: Frech> XF:sort-tmp-file-symlink(7182) Christey> This issue clearly has a long history. CALDERA:CSSA-2002-SCO.21 URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0018.html CALDERA:CSSA-2002-SCO.2 URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0002.html (There are 2 Caldera advisories because one is for Open UNIX and UnixWare, and the other is for OpenServer) XF:openserver-sort-symlink(9218) URL:http://www.iss.net/security_center/static/9218.php Name: CVE-1999-1096
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1097
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1101
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:lydia-ini-passwords(7501) ADDREF:http://www.kabsoftware.com/lydia_history.txt (Version History for Lydia, V3.3 - 11/24/00) Name: CVE-1999-1106
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1107
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1108
Description:
Status: Candidate Votes: ACCEPT(1) Cole NOOP(2) Foat, Wall REJECT(2) Christey, FrechVoter Comments: Frech> Has exactly the same attributes as CVE-1999-1107. Christey> DUPE CVE-1999-1107. Name: CVE-1999-1110
Description:
Status: Candidate Votes: ACCEPT(1) Wall MODIFY(1) Frech NOOP(2) Cole, FoatVoter Comments: Frech> XF:ie-mediaplayer-activex(7800) Name: CVE-1999-1112
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1113
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:eudora-ims-user-dos(7300) Name: CVE-1999-1123
Description:
Status: Candidate Votes: ACCEPT(5) Cole, Dik, Foat, Frech, Stracener NOOP(1) WallVoter Comments: Dik> sun bug: 1059621 Name: CVE-1999-1124
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Wall NOOP(1) Foat Name: CVE-1999-1125
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(2) Cole, FoatVoter Comments: Frech> XF:oracle-webserver-gain-root(7174) Name: CVE-1999-1126
Description:
Status: Candidate Votes: ACCEPT(5) Armstrong, Cole, Foat, Frech, Stracener NOOP(1) Wall REJECT(1) BalinskyVoter Comments: Balinsky> Duplicate of CVE-1999-1042 Name: CVE-1999-1128
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Christey, FoatVoter Comments: Frech> XF:http-ie-exec(462) Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html ADDREF MISC:http://focus.silversand.net/vulner/allbug/ie3.html Name: CVE-1999-1129
Description:
Status: Candidate Votes: ACCEPT(2) Foat, Frech NOOP(2) Cole, WallVoter Comments: CHANGE> [Foat changed vote from NOOP to ACCEPT] Name: CVE-1999-1130
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, WallVoter Comments: Frech> XF:netscape-enterprise-view-jhtml(8352) Name: CVE-1999-1133
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener NOOP(1) ChristeyVoter Comments: Christey> CHANGEREF: change XF reference to XF:hp-vue-dt(499) Name: CVE-1999-1134
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) FrechVoter Comments: Frech> XF:hp-vue(2284) Packetstorm URL is dead. Try another archive. Name: CVE-1999-1135
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener Name: CVE-1999-1141
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1149
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1150
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1151
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1152
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:microcom-brute-force(7301) Name: CVE-1999-1153
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1154
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(3) Christey, Foat, WallVoter Comments: Christey> I confirmed this problem via visual inspection of the source code in http://www.lakeweb.com/scripts/filemail.zip Line 82 has an insufficient check for shell metacharacters that doesn't exclude semicolons. Line 129 is the call where the metacharacters are injected. Need to add "filemail.pl" to the description. Name: CVE-1999-1155
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1158
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Dik, Foat, Stracener MODIFY(1) Frech RECAST(1) ChristeyVoter Comments: Frech> XF:solaris-pam-bo(7432) Dik> sun bug: 4018347 Christey> These issues should be SPLIT per CD:SF-EXEC because the PAM problem appears in different Solaris versions than unix_scheme. Name: CVE-1999-1164
Description:
Status: Candidate Votes: ACCEPT(1) Wall MODIFY(1) Frech NOOP(2) Cole, FoatVoter Comments: Frech> XF:outlook-xuidl-dos(8356) Name: CVE-1999-1165
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(2) Cole, FoatVoter Comments: Frech> XF:gnu-finger-privilege-dropping(7175) Name: CVE-1999-1166
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> (Task 2253) CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:linux-segment-limit-privileges(11202) Name: CVE-1999-1168
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:iss-temp-files(1793) ADDREF:http://www.securityfocus.com/archive/1/12679 Name: CVE-1999-1169
Description:
Status: Candidate Votes: ACCEPT(1) Foat MODIFY(1) Frech NOOP(2) Cole, WallVoter Comments: Frech> XF:nobo-udp-packet-dos(7502) ADDREF:http://www.securityfocus.com/archive/1/12378 ADDREF:http://web.cip.com.br/nobo/mudancas_en.html Name: CVE-1999-1170
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:imail-registry(1725) Name: CVE-1999-1171
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:wsftp-registry(1726) Name: CVE-1999-1172
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, Wall REVIEWING(1) ChristeyVoter Comments: Christey> The discloser does not provide enough details to fully understand what the problem is. This makes it difficult because if Maximizer has a concept of "users" and it is designed to allow any user to modify any other user's data, then this would not be a vulnerability or exposure, unless that "cross-user" capability could be used to violate system integrity, data confidentiality, or the like. There are some features of Maximizer 6.0 that, if abused, could allow someone to do some bad things. For example, an attacker could modify the email addresses for contacts to redirect sales to locations besides the customer. There's also a capability of assigning priorities and alarms, which could be susceptible to an "inconvenience attack" at the very least, as well as tie-ins to e-commerce capabilities. The critical question becomes: "how is this data shared" in the first place? If it's through a network share or other distribution method besides transferring the complete database between sites, then this may be accessible to any attacker who can mimic a Maximizer client (if there is such a thing as a client), and this could be a vulnerability or exposure according to the CVE definition. However, since the Maximizer functionality is unknown to me and not readily apparent from product documentation, it's hard to know what to do about this one. CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:maximizer-enterprise-calendar-modification(7590) Name: CVE-1999-1173
Description:
Status: Candidate Votes: NOOP(3) Cole, Foat, Wall Name: CVE-1999-1174
Description:
Status: Candidate Votes: ACCEPT(1) Cole NOOP(2) Foat, Wall Name: CVE-1999-1176
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:cidentd-authlie-bo(7327) Name: CVE-1999-1178
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1179
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:mansh-execute-commands(7328) Name: CVE-1999-1180
Description:
Status: Candidate Votes: ACCEPT(1) Wall MODIFY(1) Frech NOOP(3) Christey, Cole, FoatVoter Comments: Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html ADDREF MISC:http://focus.silversand.net/vulner/allbug/buffer.html Frech> XF:website-pro-args-commands(7529) Name: CVE-1999-1182
Description:
Status: Candidate Votes: NOOP(2) Cole, Foat Name: CVE-1999-1183
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) FrechVoter Comments: Frech> XF:sgi-mailcap(809) Name: CVE-1999-1184
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(2) Cole, FoatVoter Comments: Frech> XF:elm-term-bo(7183) Name: CVE-1999-1185
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener NOOP(1) Wall REVIEWING(1) ChristeyVoter Comments: Frech> Possible dupe on CVE-1999-1041. Christey> Possible dupe with CVE-1999-1041. Name: CVE-1999-1186
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(2) Cole, FoatVoter Comments: Frech> XF:rxvtpipe(425) Name: CVE-1999-1187
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, FoatVoter Comments: Frech> CONFIRM:http://www.washington.edu/pine/changes.html Name: CVE-1999-1190
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:emailclub-pop3-from-bo(7873) Name: CVE-1999-1195
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:virusscan-ftp-update(8387) Name: CVE-1999-1196
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:exceed-xserver-dos(7530) Name: CVE-1999-1200
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1202
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1206
Description:
Status: Candidate Votes: ACCEPT(4) Armstrong, Cole, Foat, Stracener MODIFY(1) Frech NOOP(2) Christey, WallVoter Comments: Frech> XF:systemwizard-modify-registry(7080) Christey> CERT-VN:VU#22919 URL:http://www.kb.cert.org/vuls/id/22919 CERT-VN:VU#34453 URL:http://www.kb.cert.org/vuls/id/34453 Name: CVE-1999-1207
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1210
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1211
Description:
Status: Candidate Votes: ACCEPT(5) Cole, Dik, Foat, Frech, Stracener NOOP(1) WallVoter Comments: Frech> CONFIRM:Sun Microsystems, Inc. Security Bulletin #00106 at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/106&type=0&nav=sec.sba Dik> sun bug: 1054669 1049886 1042370 1033809 Name: CVE-1999-1212
Description:
Status: Candidate Votes: ACCEPT(5) Cole, Dik, Foat, Frech, Stracener NOOP(1) WallVoter Comments: Dik> sun bug: 1054669 1049886 1042370 1033809 Name: CVE-1999-1213
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener Name: CVE-1999-1216
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener NOOP(1) Wall Name: CVE-1999-1218
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener NOOP(1) Wall Name: CVE-1999-1219
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener NOOP(1) Wall Name: CVE-1999-1220
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1221
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1224
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1225
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1227
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1228
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1229
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1230
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1231
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1232
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1234
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Frech, Wall NOOP(1) Foat Name: CVE-1999-1235
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, WallVoter Comments: CHANGE> [Foat changed vote from NOOP to ACCEPT] Name: CVE-1999-1236
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1237
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1238
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener Name: CVE-1999-1239
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener Name: CVE-1999-1240
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1241
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Frech, Wall NOOP(2) Christey, FoatVoter Comments: Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html ADDREF MISC:http://focus.silversand.net/vulner/allbug/activex4.html Frech> Change MISC to http://www.securitybugware.org/NT/1018.html Name: CVE-1999-1242
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener Name: CVE-1999-1244
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1245
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> http://www.securityfocus.com/archive/1/13130 Name: CVE-1999-1247
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener Name: CVE-1999-1248
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener Name: CVE-1999-1250
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1251
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener Name: CVE-1999-1252
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener NOOP(1) Wall Name: CVE-1999-1253
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener NOOP(1) Wall Name: CVE-1999-1254
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Frech, Wall MODIFY(1) Meunier NOOP(2) Christey, FoatVoter Comments: Christey> Need to get feedback from MS on this. Christey> (prompted from Pascal Meunier) should this be treated as a general design issue with ICMP? Or is it a specific implementation flaw that only affects Reliant? Meunier> The description is too narrow and incorrect. Spoofed ICMP redirect messages can be used to set up man-in-the-middle attacks instead of a DoS. There's no reason that this behavior would be limited to Windows, as it is specified by the standard. As I said elsewhere, ICMP messages should not be acted upon without access controls. Name: CVE-1999-1255
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1256
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1257
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1260
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1261
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1264
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1265
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Frech NOOP(1) Wall Name: CVE-1999-1266
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1267
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1268
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1269
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1270
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1271
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1272
Description:
Status: Candidate Votes: ACCEPT(4) Cole, Foat, Frech, Stracener Name: CVE-1999-1273
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1274
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1275
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(2) Cole, Foat Name: CVE-1999-1277
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1278
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Frech NOOP(1) Wall Name: CVE-1999-1280
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1281
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, WallVoter Comments: Frech> There have been no followups to indicate that this issue has been resolved in the production version, and as a benefit to the doubt, this issue transcends EX-BETA until proven otherwise. Name: CVE-1999-1282
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1283
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, WallVoter Comments: Frech> Will go along with a REJECT if MITRE decides on EX-CLIENT-DOS. Name: CVE-1999-1285
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Frech NOOP(2) Foat, Wall Name: CVE-1999-1286
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Christey, Cole, FoatVoter Comments: Christey> CHANGE DESC: "via a symlink attack on the printers temporary file." Add 5.3 as another affected version. MISC:ftp://patches.sgi.com/support/free/security/advisories/19961203-02-PX SGI:19961203-02-PX may solve this problem, but the advisory is so vague that it is uncertain whether this was fixed or not. addnetpr is not specifically named in the advisory, which names netprint, which is not specified in the original Bugtraq post. In addition, the date on the advisory is one day earlier than that of the Bugtraq post, though that could be a difference in time zones. It seems plausible that the problem had already been patched (the researcher did say "There *was* [a] race condition") so maybe SGI released this advisory after the problem was publicized. ADDREF BID:330 URL:http://www.securityfocus.com/bid/330 Note: this is a dupe of CVE-1999-1410, but CVE-1999-1410 will be rejected in favor of CVE-1999-1286. Name: CVE-1999-1287
Description:
Status: Candidate Votes: ACCEPT(4) Armstrong, Cole, Frech, Stracener NOOP(2) Foat, WallVoter Comments: CHANGE> [Foat changed vote from ACCEPT to NOOP] Name: CVE-1999-1289
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Frech, Wall NOOP(1) FoatVoter Comments: Frech> Override EX-BETA in this case, since ICQ is always in beta and is widely run in production environments. Name: CVE-1999-1291
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Frech, Wall NOOP(2) Christey, FoatVoter Comments: Christey> Need to get feedback from MS on this. Name: CVE-1999-1292
Description:
Status: Candidate Votes: ACCEPT(1) Frech NOOP(3) Cole, Foat, Wall Name: CVE-1999-1293
Description:
Status: Candidate Votes: ACCEPT(3) Armstrong, Cole, Stracener MODIFY(1) Frech NOOP(2) Foat, WallVoter Comments: Frech> XF:apache-mod-proxy-dos(7249) CONFIRM reference no longer seems to exist. BugTraq message seems to be a confirmation/advisory, however. CHANGE> [Foat changed vote from ACCEPT to NOOP] Name: CVE-1999-1295
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) WallVoter Comments: Frech> XF:dfs-login-groups(7154) Name: CVE-1999-1296
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(2) Cole, FoatVoter Comments: Frech> XF:kerberos-config-file-bo(7184) Name: CVE-1999-1299
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(2) Cole, FoatVoter Comments: Frech> XF:rcp-nobody-file-overwrite(7187) Name: CVE-1999-1300
Description:
Status: Candidate Votes: ACCEPT(4) Armstrong, Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) WallVoter Comments: Frech> XF:unicos-accton-read-files(7210) Name: CVE-1999-1302
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) FrechVoter Comments: Frech> XF:sco-pt_chmod(7586) Name: CVE-1999-1303
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) FrechVoter Comments: Frech> XF:sco-prwarn(7587) Name: CVE-1999-1304
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) FrechVoter Comments: Frech> XF:sco-login(7588) Name: CVE-1999-1305
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) FrechVoter Comments: Frech> XF:sco-at(7589) Name: CVE-1999-1306
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) Wall REVIEWING(1) ChristeyVoter Comments: Frech> XF:cisco-acl-established(1248) Possibly duplicate with CVE-1999-0162? Christey> Might be a duplicate of CVE-1999-0162, but CVE-1999-0162 was released in 1995, whereas this bug was released in 1992. Name: CVE-1999-1307
Description:
Status: Candidate Votes: ACCEPT(4) Armstrong, Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) WallVoter Comments: Frech> XF:novell-unixware-urestore-root(7211) Name: CVE-1999-1308
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) FrechVoter Comments: Frech> XF:hp-large-uid-gid(7594) Name: CVE-1999-1310
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener REJECT(2) Christey, FrechVoter Comments: Frech> DUPE CVE-1999-1022 Christey> As noted by Andre Frech, this is a duplicate of CVE-1999-1022. The references from this candidate will be added to CVE-1999-1022. Name: CVE-1999-1311
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) FrechVoter Comments: Frech> XF:hp-dt-bypass-auth(7668) ACKNOWLEDGED-BY-VENDOR Name: CVE-1999-1312
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) WallVoter Comments: Frech> XF:openvms-local-privilege-elevation(7142) Name: CVE-1999-1313
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) FrechVoter Comments: Frech> XF:bsd-man-command-sequence(7348) Name: CVE-1999-1314
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) FrechVoter Comments: Frech> XF:unionfs-mount-ordering(7429) Name: CVE-1999-1315
Description:
Status: Candidate Votes: ACCEPT(4) Armstrong, Cole, Foat, Stracener MODIFY(1) Frech NOOP(1) WallVoter Comments: Frech> XF:openvms-decnetosi-gain-privileges(7212) Name: CVE-1999-1319
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) FrechVoter Comments: Frech> XF:irix-object-server(7430) Name: CVE-1999-1322
Description:
Status: Candidate Votes: NOOP(3) Cole, Foat, Wall Name: CVE-1999-1323
Description:
Status: Candidate Votes: ACCEPT(1) Prosser MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:nav-admin-password(7543) Prosser> This has been since corrected in later releases. Name: CVE-1999-1334
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Stracener MODIFY(1) Frech NOOP(2) Armstrong, WallVoter Comments: Frech> XF:elm-filter-getfilterrules-bo(7214) XF:elm-filter2(711) Name: CVE-1999-1338
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:delegate-dgroot-permissions(8438) Name: CVE-1999-1340
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:hylafax-faxalter-gain-privs(3453) Proper spelling of the product is HylaFAX (see http://www.hylafax.org/) Name: CVE-1999-1342
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:icq-activelist-udp-dos(7877) Name: CVE-1999-1343
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:xerox-docucolor4lp-dos(8041) Name: CVE-1999-1344
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:autoftp-plaintext-password(8045) Name: CVE-1999-1345
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:autoftp-shared-directory(8047) Name: CVE-1999-1346
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:pam-rlogin-bypass(8315) Name: CVE-1999-1347
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:xsession-bypass(8316) Name: CVE-1999-1348
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(2) Foat, WallVoter Comments: Frech> XF:linuxconf-pam-shutdown-dos(8437) Name: CVE-1999-1349
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:xlink-nfsd-dos(8317) Name: CVE-1999-1350
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:arcad-insecure-permissions(8318) Name: CVE-1999-1352
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:mknod-symlink(8319) Name: CVE-1999-1353
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:msgcore-plaintext-passwords(8271) BUGTRAQ Reference is actually NTBUGTRAQ. Name: CVE-1999-1354
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(3) Christey, Foat, WallVoter Comments: Frech> (Task 1766) CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:firstclass-plaintext-account(9874) Christey> The following reference is for the FCCLIENT.LOG piece: ADDREF NTBUGTRAQ:19990911 Re: SoftArc's FirstClass E-mail Client URL:http://archives.neohapsis.com/archives/ntbugtraq/1999-q3/0189.html Name: CVE-1999-1355
Description:
Status: Candidate Votes: ACCEPT(5) Armstrong, Cole, Foat, Frech, Stracener NOOP(1) Wall Name: CVE-1999-1357
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:netscape-cgi-filtering-css(8274) Name: CVE-1999-1361
Description:
Status: Candidate Votes: ACCEPT(1) Wall MODIFY(1) Frech NOOP(2) Cole, FoatVoter Comments: Frech> XF:winnt-wins-packet-flood-dos(7329) Name: CVE-1999-1364
Description:
Status: Candidate Votes: ACCEPT(3) Cole, Foat, Wall MODIFY(1) FrechVoter Comments: Frech> XF:nt-threadcontext-dos(7421) Name: CVE-1999-1366
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:pegasus-weak-password-encryption(8430) Name: CVE-1999-1367
Description:
Status: Candidate Votes: NOOP(3) Cole, Foat, Wall REVIEWING(1) FrechVoter Comments: Frech> (Task 2283) Name: CVE-1999-1368
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:inoculate-message-redirect-bypass(5602) Name: CVE-1999-1369
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:realserver-insecure-password(7544) Name: CVE-1999-1370
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:ie-ie5setup-disable-password(7545) Name: CVE-1999-1371
Description:
Status: Candidate Votes: ACCEPT(2) Cole, Dik MODIFY(1) Frech NOOP(3) Christey, Foat, WallVoter Comments: Frech> XF:solaris-write-bo(7546) Christey> This appears to be a rediscovery of the problem for Solaris 2.8: BUGTRAQ:20011114 /usr/bin/write (solaris2.x) Segmentation Fault URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100588255815773&w=2 Dik> sun bug: 4218941 Name: CVE-1999-1372
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:triactive-remote-basic-auth(7548) Name: CVE-1999-1373
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:powerhub-nmap-dos(7556) Name: CVE-1999-1374
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:perlshop-cgi-obtain-information(7557) Name: CVE-1999-1375
Description:
Status: Candidate Votes: ACCEPT(1) Cole MODIFY(1) Frech NOOP(3) Christey, Foat, WallVoter Comments: Frech> XF:iis-fso-read-files(7558) Christey> Explicitly mention IIS Name: CVE-1999-1376
Description:
Status: Candidate Votes: ACCEPT(1) Wall MODIFY(1) Frech NOOP(2) Cole, FoatVoter Comments: Frech> XF:frontpage-ext-fpcount-crash(5494) Name: CVE-1999-1377
Description:
Status: Candidate Votes: MODIFY(1) Frech NOOP(3) Cole, Foat, WallVoter Comments: Frech> XF:download-cgi-directory-traversal(8279) Name: CVE-1999-1378
Description:
Status: Candidate Votes: NOOP(3) Cole, Foat, Wall REVIEWING(1) FrechVoter Comments: Frech> (Task 2284) Name: CVE-1999-1381
Description:
Status: Candidate Votes: NOOP(3) Cole, Foat, Wall Name: CVE-1999-1383
Description:
Status: Candidate Votes: NOOP(2) Cole, Foat Name: CVE-1999-1387
Description: