
[VOTEPRI] 12 high priority candidates as of 5/1/2000



The following 12 candidates have been assigned a high priority.  They
are all acknowledged by the software vendor.  Some of them need more
than one vote for acceptance, so your voting will be appreciated.

The most important of these are CAN-1999-0210 and CAN-1999-0493.  CERT
activity reports indicate that these bugs are still being exploited.
Also note that CAN-1999-0387 was originally proposed in July 1999, but
did not include any references at the time.  Since then, Microsoft
released a security bulletin about it.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

KEY FOR INFERRED ACTIONS
------------------------

Inferred actions capture the voting status of a candidate.  They may
be used by the moderator to determine whether or not a candidate is
added to CVE.  Where there is disagreement, the moderator must resolve
the issue and achieve consensus, or make the final decision if
consensus cannot be reached.

- ACCEPT = 3 non-MITRE votes to ACCEPT/MODIFY, and no REVIEWING or REJECT
- ACCEPT_ACK = 2 non-MITRE ACCEPT/MODIFY, and vendor acknowledgement
- MOREVOTES = needs more votes
- ACCEPT_REV = 3 non-MITRE ACCEPTs but is delayed due to a REVIEWING
- SMC_REJECT = REJECT by Steve Christey; likely to be rejected outright
- SMC_REVIEW = REVIEWING by Steve Christey; likely related to CDs
- REVIEWING = at least one member is REVIEWING
- REJECT = at least one member REJECTed
- REVOTE = members should review their vote on this candidate

=================================
Candidate: CAN-1999-0031
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.20.javascript

JavaScript allows remote attackers to monitor a user's web
activities.

INFERRED ACTION: CAN-1999-0031 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Wall
   MODIFY(1) Christey
   NOOP(1) Northcutt

Comments:
 Christey> The CERT advisory is at http://www.cert.org/advisories/CA-97.20.javascript.html
 Christey>
 Christey> ADDREF HP:HPSBUX9707-065
 Christey> http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html
 Christey>
 Christey> According to the CERT advisory, this issue affects Internet
 Christey> Explorer 3.x and 4.x, and Netscape 2.x, 3.x, and 4.x.
 Christey> Include this in the description.


VOTE:

=================================
Candidate: CAN-1999-0124
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability
Reference: XF:gopher-vuln

Vulnerabilities in UMN gopher and gopher+ allow an intruder to read
any files that can be accessed by the gopher daemon.

INFERRED ACTION: CAN-1999-0124 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Frech
   NOOP(1) Christey

Comments:
 Christey> Modify the description to include the version numbers
 Christey> 1.12 and 2.0x
 Christey>
 Christey> The advisory is at
 Christey> http://www.cert.org/advisories/CA-93.11.UMN.UNIX.gopher.vulnerability.html
 Christey>


VOTE:

=================================
Candidate: CAN-1999-0210
Published:
Final-Decision:
Interim-Decision:
Modified: 19991130-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19971126 Solaris 2.5.1 automountd exploit (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88053459921223&w=2
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2
Reference: HP:HPSBUX9910-104
Reference: CERT:CA-99-05

Automount daemon automountd allows local or remote users to gain
privileges via shell metacharacters.

Modifications:
  Changed description and added references.

INFERRED ACTION: CAN-1999-0210 ACCEPT_ACK (2 accept, 2 ack, 0 review)

Current Votes:
   MODIFY(2) Shostack, Frech
   NOOP(3) Northcutt, Wall, Christey

Comments:
 Shostack> I think there was an SNI advisory on this
 Frech> Not enough information; POSSIBLY XF:sun-automountd (changing mount options)
 Christey>
 Christey> SNI did not publish an advisory; however, Oliver Friedrichs
 Christey> sent a post saying that SNI's security tool tested for it.
 Christey> See http://marc.theaimsgroup.com/?l=bugtraq&m=91553343311719&w=2
 Christey>
 Christey> This is a tough one.  There's an old automount bug that's
 Christey> only locally exploitable, then a newer rpc.statd bug allows
 Christey> it to be remotely exploitable.  There are at least two bugs,
 Christey> but should there be three?
 Christey>
 Christey> Also see CAN-1999-0493


VOTE:

=================================
Candidate: CAN-1999-0387
Published:
Final-Decision:
Interim-Decision:
Modified: 19991206-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: MS:MS99-052
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-052.asp
Reference: MSKB:Q168115
Reference: BID:829
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=829

A legacy credential caching mechanism used in Windows 95 and Windows
98 systems allows attackers to read plaintext network passwords.

Modifications:
  ADDREF MS:MS99-052
  ADDREF MSKB:Q168115
  ADDREF BID:829

INFERRED ACTION: CAN-1999-0387 REVOTE (0 accept, 1 review)

Current Votes:
   REVIEWING(1) Frech
   REVOTE(1) Christey

Comments:
 Frech> Term 'legacy' is vague and can be subject to interpretation. Require a
 Frech> reference to establish this vulnerability.
 Christey> Added refs.  Interestingly, this candidate was assigned
 Christey> on June 7, 1999, but there were no references until the
 Christey> Microsoft advisory in late November.  I have lost the
 Christey> original reference.


VOTE:

=================================
Candidate: CAN-1999-0491
Published:
Final-Decision:
Interim-Decision:
Modified: 20000418-02
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990420 Bash Bug
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.9904202114070.6623-100000@smooth.Operator.org
Reference: CALDERA:CSSA-1999-008.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-008.0.txt
Reference: BID:119
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=119

The prompt parsing in bash allows a local user to execute commands as
another user by creating a directory with the name of the command
to execute.

Modifications:
  CHANGEREF BUGTRAQ [title]
  ADDREF CALDERA:CSSA-1999-008.0

INFERRED ACTION: CAN-1999-0491 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Christey

Comments:
 Frech> bash-prompt-pars-dir
 Christey> XF:bash-prompt-pars-dir doesn't exist.
 Christey>
 Christey> ADDREF CALDERA:CSSA-1999-008.0


VOTE:

=================================
Candidate: CAN-1999-0493
Published:
Final-Decision:
Interim-Decision:
Modified: 19991203-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-99-05
Reference: URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html
Reference: SUN:00186
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/186&type=0&nav=sec.sba
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2

rpc.statd allows remote attackers to forward RPC calls to the local
operating system via the SM_MON and SM_NOTIFY commands, which in turn
could be used to remotely exploit other bugs such as in automountd.

Modifications:
  Added numerous references

INFERRED ACTION: CAN-1999-0493 MOREVOTES-1 (1 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(1) Northcutt
   NOOP(1) Christey

Comments:
 Christey> This candidate has been modified heavily.


VOTE:

=================================
Candidate: CAN-2000-0076
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000125
Assigned: 20000122
Category: SF
Reference: BUGTRAQ:19991230 vibackup.sh
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94709988232618&w=2
Reference: DEBIAN:20000109 nvi: incorrect file removal in boot script
Reference: URL:http://www.debian.org/security/2000/20000108

nviboot boot script in the Debian nvi package allows local users to
delete files via malformed entries in vi.recover.

INFERRED ACTION: CAN-2000-0076 MOREVOTES-2 (0 accept, 1 ack, 0 review)

Current Votes:


VOTE:

=================================
Candidate: CAN-2000-0092
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000208
Assigned: 20000202
Category: SF
Reference: FREEBSD:FreeBSD-SA-00:01
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:01.make.asc
Reference: BID:939
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=939

The BSD make program allows local users to modify files via a symlink
attack when the -j option is being used.

INFERRED ACTION: CAN-2000-0092 MOREVOTES-2 (0 accept, 1 ack, 1 review)

Current Votes:
   NOOP(1) Wall
   REVIEWING(1) Cole


VOTE:

=================================
Candidate: CAN-2000-0113
Published:
Final-Decision:
Interim-Decision:
Modified: 20000419-01
Proposed: 20000208
Assigned: 20000208
Category: SF
Reference: BUGTRAQ:20000128 SyGate 3.11 Port 7323 / Remote Admin hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94934808714972&w=2
Reference: BUGTRAQ:20000202 SV: SyGate 3.11 Port 7323 / Remote Admin hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94952641025328&w=2
Reference: BUGTRAQ:20000203 UPDATE: Sygate 3.11 Port 7323 Telnet Hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94973281714994&w=2
Reference: CONFIRM:http://www.sybergen.com/support/fix.htm
Reference: BID:952
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=952

The SyGate Remote Management program does not properly restrict access
to its administration service, which allows remote attackers to
cause a denial of service, or access network traffic statistics.

INFERRED ACTION: CAN-2000-0113 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
   ACCEPT(1) Cole
   NOOP(2) Wall, Christey

Comments:
 Christey> Sygate confirms this in 01/2000 - Build 563 (Beta) with
 Christey> the comment: "fix to block external telnet to port 7323
 Christey> without enhanced security."


VOTE:

=================================
Candidate: CAN-2000-0157
Published:
Final-Decision:
Interim-Decision:
Modified: 20000321-01
Proposed: 20000223
Assigned: 20000223
Category: SF
Reference: NETBSD:1999-012
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-012.txt.asc
Reference: XF:netbsd-ptrace

NetBSD ptrace call on VAX allows local users to gain privileges by
modifying the PSL contents in the debugging process.

Modifications:
  ADDREF XF:netbsd-ptrace

INFERRED ACTION: CAN-2000-0157 MOREVOTES-2 (0 accept, 1 ack, 1 review)

Current Votes:
   NOOP(2) Wall, LeBlanc
   REVIEWING(1) Cole


VOTE:

=================================
Candidate: CAN-2000-0229
Published:
Final-Decision:
Interim-Decision:
Modified: 20000424-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000322 gpm-root
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000322182143.4498.qmail@securityfocus.com
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0242.html
Reference: SUSE:20000405 Security hole in gpm < 1.18.1
Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_45.txt
Reference: REDHAT:RHSA-2000:009-02
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000009-02.html
Reference: BID:1069
Reference: URL:http://www.securityfocus.com/bid/1069
Reference: XF:linux-gpm-root

gpm-root in the gpm package does not properly drop privileges, which
allows local users to gain privileges by starting a utility from
gpm-root.

Modifications:
  ADDREF SUSE:20000405 Security hole in gpm < 1.18.1
  ADDREF REDHAT:RHSA-2000:009-02

INFERRED ACTION: CAN-2000-0229 MOREVOTES-1 (1 accept, 2 ack, 0 review)

Current Votes:
   ACCEPT(1) Frech
   NOOP(1) Cole


VOTE:

=================================
Candidate: CAN-2000-0230
Published:
Final-Decision:
Interim-Decision:
Modified: 20000424-01
Proposed: 20000412
Assigned: 20000412
Category: SF
Reference: BUGTRAQ:20000316 TESO & C-Skills development advisory -- imwheel
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0168.html
Reference: REDHAT:RHSA-2000:016-02
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000016-02.html
Reference: BID:1060
Reference: URL:http://www.securityfocus.com/bid/1060

Buffer overflow in imwheel allows local users to gain root privileges
via the imwheel-solo script and a long HOME environmental variable.

Modifications:
  ADDREF REDHAT:RHSA-2000:016-02

INFERRED ACTION: CAN-2000-0230 MOREVOTES-1 (1 accept, 1 ack, 0 review)

Current Votes:
   MODIFY(1) Frech
   NOOP(1) Cole

Comments:
 Frech> XF:linux-imwheel-bo


VOTE:

Page Last Updated or Reviewed: May 22, 2007