[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: PROPOSAL: Cluster 20 - DESIGN (27 candidates)

Craig Ozancin said:

>=================================
>Candidate: CAN-1999-0352
>Published:
>Final-Decision:
>Interim-Decision:
>Modified:
>Announced: 19990721
>Assigned: 19990607
>Category: SF
>Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely
>Possible/32) enterprise management software
>Reference: XF:controlit-passwd-encrypt
>
>ControlIT 4.5 and earlier (aka Remotely Possible) has weak password
>encryption.
>
>VOTE: Recast
>
>Can we combine this with CAN-1999-0356 - ControlIT(tm) 4.5 and earlier uses
>weak encryption.
>
>=================================
>Candidate: CAN-1999-0356
>Published:
>Final-Decision:
>Interim-Decision:
>Modified:
>Announced: 19990721
>Assigned: 19990607
>Category: SF
>Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely
>Possible/32) enterprise management software
>Reference: XF:controlit-bookfile-access
>
>ControlIT v4.5 and earlier uses weak encryption to store
>usernames and passwords in an address book.
>
>VOTE: Recast
>

Assuming the CVE vulnerability definition isn't adapted to exclude
these candidates in the first place, I agree that these should be
merged.  According to the ISS advisory, the same encryption strategy
is used in both cases; it's the encryption algorithm that's the
vulnerability, not the fact that it's used in a number of different
functional areas.

I consider this situation to be equivalent to a bug in a library or
DLL - the vulnerability is in the library, not in all the different
executables that use it.

- Steve
Page Last Updated or Reviewed: May 22, 2007