[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [VOTEPRI] 12 high priority candidates as of 5/1/2000

* Steven M. Christey (coley@LINUS.MITRE.ORG) [000501 23:57]:
> The following 12 candidates have been assigned a high priority.  They
> are all acknowledged by the software vendor.  Some of them need more
> than one vote for acceptance, so your voting will be appreciated.
>
> The most important of these are CAN-1999-0210 and CAN-1999-0493.  CERT
> activity reports indicate that these bugs are still being exploited.
> Also note that CAN-1999-0387 was originally proposed in July 1999, but
> did not include any references at the time.  Since then, Microsoft
> released a security bulletin about it.
>
> - Steve
>
>
> Summary of votes to use (in ascending order of "severity")
> ----------------------------------------------------------
>
> ACCEPT - voter accepts the candidate as proposed
> NOOP - voter has no opinion on the candidate
> MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
> REVIEWING - voter is reviewing/researching the candidate, or needs more info
> RECAST - candidate must be significantly modified, e.g. split or merged
> REJECT - candidate is "not a vulnerability", or a duplicate, etc.
>
> 1) Please write your vote on the line that starts with "VOTE: ".  If
>    you want to add comments or details, add them to lines after the
>    VOTE: line.
>
> 2) If you see any missing references, please mention them so that they
>    can be included.  References help greatly during mapping.
>
> 3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
>    So if you don't have sufficient information for a candidate but you
>    don't want to NOOP, use a REVIEWING.
>
> ********** NOTE ********** NOTE ********** NOTE ********** NOTE **********
>
> Please keep in mind that your vote and comments will be recorded and
> publicly viewable in the mailing list archives or in other formats.
>
> KEY FOR INFERRED ACTIONS
> ------------------------
>
> Inferred actions capture the voting status of a candidate.  They may
> be used by the moderator to determine whether or not a candidate is
> added to CVE.  Where there is disagreement, the moderator must resolve
> the issue and achieve consensus, or make the final decision if
> consensus cannot be reached.
>
> - ACCEPT = 3 non-MITRE votes to ACCEPT/MODIFY, and no REVIEWING or REJECT
> - ACCEPT_ACK = 2 non-MITRE ACCEPT/MODIFY, and vendor acknowledgement
> - MOREVOTES = needs more votes
> - ACCEPT_REV = 3 non-MITRE ACCEPT's but is delayed due to a REVIEWING
> - SMC_REJECT = REJECT by Steve Christey; likely to be rejected outright
> - SMC_REVIEW = REVIEWING by Steve Christey; likely related to CD's
> - REVIEWING = at least one member is REVIEWING
> - REJECT = at least one member REJECTed
> - REVOTE = members should review their vote on this candidate
>
> =================================
> Candidate: CAN-1999-0031
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 19990728
> Assigned: 19990607
> Category: SF
> Reference: CERT:CA-97.20.javascript
>
> JavaScript allows remote attackers to monitor a user's web
> activities.
>
> INFERRED ACTION: CAN-1999-0031 MOREVOTES-1 (1 accept, 1 ack, 0 review)
>
> Current Votes:
>    ACCEPT(1) Wall
>    MODIFY(1) Christey
>    NOOP(1) Northcutt
>
> Comments:
>  Christey> The CERT advisory is at http://www.cert.org/advisories/CA-97.20.javascript.html
>  Christey>
>  Christey> ADDREF HP:HPSBUX9707-065
>  Christey> http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html
>  Christey>
>  Christey> According to the CERT advisory, this issue affects Internet
>  Christey> Explorer 3.x and 4.x, and Netscape 2.x, 3.x, and 4.x.
>  Christey> Include this in the description.
>
>
> VOTE: MODIFY

Need a better description of the vulnerability there were several JS
vulnerabilities in the same time frame that had similar results but
were porly documented. This, the Bell Labs vulnerability, was one of them.
This is one of the other ones:

http://www.securityfocus.com/templates/archive.pike?list=1&msg=c%3dDE%25a%3dDBP%25p%3dSCN%25l%3dMCHH9EEA-970711140700Z-21724@de-mch-he01a.exchange.pn.siemens.de

>
> =================================
> Candidate: CAN-1999-0124
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 19990623
> Assigned: 19990607
> Category: SF
> Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability
> Reference: XF:gopher-vuln
>
> Vulnerabilities in UMN gopher and gopher+ allow an intruder to read
> any files that can be accessed by the gopher daemon.
>
> INFERRED ACTION: CAN-1999-0124 MOREVOTES-1 (1 accept, 1 ack, 0 review)
>
> Current Votes:
>    ACCEPT(1) Frech
>    NOOP(1) Christey
>
> Comments:
>  Christey> Modify the description to include the version numbers
>  Christey> 1.12 and 2.0x
>  Christey>
>  Christey> The advisory is at
>  Christey> http://www.cert.org/advisories/CA-93.11.UMN.UNIX.gopher.vulnerability.html
>  Christey>
>
>
> VOTE: ACCEPT
>
> =================================
> Candidate: CAN-1999-0210
> Published:
> Final-Decision:
> Interim-Decision:
> Modified: 19991130-01
> Proposed: 19990714
> Assigned: 19990607
> Category: SF
> Reference: BUGTRAQ:19971126 Solaris 2.5.1 automountd exploit (fwd)
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88053459921223&w=2
> Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2
> Reference: HP:HPSBUX9910-104
> Reference: CERT:CA-99-05
>
> Automount daemon automountd allows local or remote users to gain
> privileges via shell metacharacters.
>
> Modifications:
>   Changed description and added references.
>
> INFERRED ACTION: CAN-1999-0210 ACCEPT_ACK (2 accept, 2 ack, 0 review)
>
> Current Votes:
>    MODIFY(2) Shostack, Frech
>    NOOP(3) Northcutt, Wall, Christey
>
> Comments:
>  Shostack> I think there was an SNI advisory on this
>  Frech> Not enough information; POSSIBLY XF:sun-automountd (changing mount options)
>  Christey>
>  Christey> SNI did not publish an advisory; however, Oliver Friedrichs
>  Christey> sent a post saying that SNI's security tool tested for it.
>  Christey> See http://marc.theaimsgroup.com/?l=bugtraq&m=91553343311719&w=2
>  Christey>
>  Christey> This is a tough one.  There's an old automount bug that's
>  Christey> only locally exploitable, then a newer rpc.statd bug allows
>  Christey> it to be remotely exploitable.  There's at least two bugs,
>  Christey> but should there be three?
>  Christey>
>  Christey> Also see CAN-1999-0493
>
>
> VOTE: ACCEPT

ADDREF: BID:235

The are three vulns. BID 235, BID 729, and BID 450.

> =================================
> Candidate: CAN-1999-0387
> Published:
> Final-Decision:
> Interim-Decision:
> Modified: 19991206-01
> Proposed: 19990728
> Assigned: 19990607
> Category: SF
> Reference: MS:MS99-052
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-052.asp
> Reference: MSKB:Q168115
> Reference: BID:829
> Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=829
>
> A legacy credential caching mechanism used in Windows 95 and Windows
> 98 systems allows attackers to read plaintext network passwords.
>
> Modifications:
>   ADDREF MS:MS99-052
>   ADDREF MSKB:Q168115
>   ADDREF BID:829
>
> INFERRED ACTION: CAN-1999-0387 REVOTE (0 accept, 1 review)
>
> Current Votes:
>    REVIEWING(1) Frech
>    REVOTE(1) Christey
>
> Comments:
>  Frech> Term 'legacy' is vague and can be subject to interpretation. Require a
>  Frech> reference to establish this vulnerability.
>  Christey> Added refs.  Interestingly, this candidate was assigned
>  Christey> on June 7, 1999, but there were no references until the
>  Christey> Microsoft advisory in late November.  I have lost the
>  Christey> original reference.
>
>
> VOTE: ACCEPT
>
> =================================
> Candidate: CAN-1999-0491
> Published:
> Final-Decision:
> Interim-Decision:
> Modified: 20000418-02
> Proposed: 19990728
> Assigned: 19990607
> Category: SF
> Reference: BUGTRAQ:19990420 Bash Bug
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.9904202114070.6623-100000@smooth.Operator.org
> Reference: CALDERA:CSSA-1999-008.0
> Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-008.0.txt
> Reference: BID:119
> Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=119
>
> The prompt parsing in bash allows a local user to execute commands as
> another user by creating a directory with the name of the command
> to execute.
>
> Modifications:
>   CHANGEREF BUGTRAQ [title]
>   ADDREF CALDERA:CSSA-1999-008.0
>
> INFERRED ACTION: CAN-1999-0491 MOREVOTES-1 (1 accept, 1 ack, 0 review)
>
> Current Votes:
>    MODIFY(1) Frech
>    NOOP(1) Christey
>
> Comments:
>  Frech> bash-prompt-pars-dir
>  Christey> XF:bash-prompt-pars-dir doesn't exist.
>  Christey>
>  Christey> ADDREF CALDERA:CSSA-1999-008.0
>
>
> VOTE: ACCEPT
>
> =================================
> Candidate: CAN-1999-0493
> Published:
> Final-Decision:
> Interim-Decision:
> Modified: 19991203-01
> Proposed: 19990728
> Assigned: 19990607
> Category: SF
> Reference: CERT:CA-99-05
> Reference: URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html
> Reference: SUN:00186
> Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/186&type=0&nav=sec.sba
> Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2
>
> rpc.statd allows remote attackers to forward RPC calls to the local
> operating system via the SM_MON and SM_NOTIFY commands, which in turn
> could be used to remotely exploit other bugs such as in automountd.
>
> Modifications:
>   Added numerous references
>
> INFERRED ACTION: CAN-1999-0493 MOREVOTES-1 (1 accept, 2 ack, 0 review)
>
> Current Votes:
>    ACCEPT(1) Northcutt
>    NOOP(1) Christey
>
> Comments:
>  Christey> This candidate has been modified heavily.
>
>
> VOTE: ACCEPT

ADDREF: BID:450
>
> =================================
> Candidate: CAN-2000-0076
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000125
> Assigned: 20000122
> Category: SF
> Reference: BUGTRAQ:19991230 vibackup.sh
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94709988232618&w=2
> Reference: DEBIAN:20000109 nvi: incorrect file removal in boot script
> Reference: URL:http://www.debian.org/security/2000/20000108
>
> nviboot boot script in the Debian nvi package allows local users to
> delete files via malformed entries in vi.recover.
>
> INFERRED ACTION: CAN-2000-0076 MOREVOTES-2 (0 accept, 1 ack, 0 review)
>
> Current Votes:
>
>
> VOTE: NOOP
>
> =================================
> Candidate: CAN-2000-0092
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000208
> Assigned: 20000202
> Category: SF
> Reference: FREEBSD:FreeBSD-SA-00:01
> Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:01.make.asc
> Reference: BID:939
> Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=939
>
> The BSD make program allows local users to modify files via a symlink
> attack when the -j option is being used.
>
> INFERRED ACTION: CAN-2000-0092 MOREVOTES-2 (0 accept, 1 ack, 1 review)
>
> Current Votes:
>    NOOP(1) Wall
>    REVIEWING(1) Cole
>
>
> VOTE: ACCEPT
>
> =================================
> Candidate: CAN-2000-0113
> Published:
> Final-Decision:
> Interim-Decision:
> Modified: 20000419-01
> Proposed: 20000208
> Assigned: 20000208
> Category: SF
> Reference: BUGTRAQ:20000128 SyGate 3.11 Port 7323 / Remote Admin hole
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94934808714972&w=2
> Reference: BUGTRAQ:20000202 SV: SyGate 3.11 Port 7323 / Remote Admin hole
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94952641025328&w=2
> Reference: BUGTRAQ:20000203 UPDATE: Sygate 3.11 Port 7323 Telnet Hole
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94973281714994&w=2
> Reference: CONFIRM:http://www.sybergen.com/support/fix.htm
> Reference: BID:952
> Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=952
>
> The SyGate Remote Management program does not properly restrict access
> to its administration service, which allows remote attackers to
> cause a denial of service, or access network traffic statistics.
>
> INFERRED ACTION: CAN-2000-0113 MOREVOTES-1 (1 accept, 1 ack, 0 review)
>
> Current Votes:
>    ACCEPT(1) Cole
>    NOOP(2) Wall, Christey
>
> Comments:
>  Christey> Sygate confirms this in 01/2000 - Build 563 (Beta) with
>  Christey> the comment: "fix to block external telnet to port 7323
>  Christey> without enhanced security."
>
>
> VOTE: ACCEPT
>
> =================================
> Candidate: CAN-2000-0157
> Published:
> Final-Decision:
> Interim-Decision:
> Modified: 20000321-01
> Proposed: 20000223
> Assigned: 20000223
> Category: SF
> Reference: NETBSD:1999-012
> Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-012.txt.asc
> Reference: XF:netbsd-ptrace
>
> NetBSD ptrace call on VAX allows local users to gain privileges by
> modifying the PSL contents in the debugging process.
>
> Modifications:
>   ADDREF XF:netbsd-ptrace
>
> INFERRED ACTION: CAN-2000-0157 MOREVOTES-2 (0 accept, 1 ack, 1 review)
>
> Current Votes:
>    NOOP(2) Wall, LeBlanc
>    REVIEWING(1) Cole
>
>
> VOTE: ACCEPT
>
> =================================
> Candidate: CAN-2000-0229
> Published:
> Final-Decision:
> Interim-Decision:
> Modified: 20000424-01
> Proposed: 20000412
> Assigned: 20000412
> Category: SF
> Reference: BUGTRAQ:20000322 gpm-root
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000322182143.4498.qmail@securityfocus.com
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0242.html
> Reference: SUSE:20000405 Security hole in gpm < 1.18.1
> Reference: URL:http://www.suse.de/de/support/security/suse_security_announce_45.txt
> Reference: REDHAT:RHSA-2000:009-02
> Reference: URL:http://www.redhat.com/support/errata/RHSA-2000009-02.html
> Reference: BID:1069
> Reference: URL:http://www.securityfocus.com/bid/1069
> Reference: XF:linux-gpm-root
>
> gpm-root in the gpm package does not properly drop privileges, which
> allows local users to gain privileges by starting a utility from
> gpm-root.
>
> Modifications:
>   ADDREF SUSE:20000405 Security hole in gpm < 1.18.1
>   ADDREF REDHAT:RHSA-2000:009-02
>
> INFERRED ACTION: CAN-2000-0229 MOREVOTES-1 (1 accept, 2 ack, 0 review)
>
> Current Votes:
>    ACCEPT(1) Frech
>    NOOP(1) Cole
>
>
> VOTE: ACCEPT
>
> =================================
> Candidate: CAN-2000-0230
> Published:
> Final-Decision:
> Interim-Decision:
> Modified: 20000424-01
> Proposed: 20000412
> Assigned: 20000412
> Category: SF
> Reference: BUGTRAQ:20000316 TESO & C-Skills development advisory -- imwheel
> Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-03/0168.html
> Reference: REDHAT:RHSA-2000:016-02
> Reference: URL:http://www.redhat.com/support/errata/RHSA-2000016-02.html
> Reference: BID:1060
> Reference: URL:http://www.securityfocus.com/bid/1060
>
> Buffer overflow in imwheel allows local users to gain root privileges
> via the imwheel-solo script and a long HOME environmental variable.
>
> Modifications:
>   ADDREF REDHAT:RHSA-2000:016-02
>
> INFERRED ACTION: CAN-2000-0230 MOREVOTES-1 (1 accept, 1 ack, 0 review)
>
> Current Votes:
>    MODIFY(1) Frech
>    NOOP(1) Cole
>
> Comments:
>  Frech> XF:linux-imwheel-bo
>
>
> VOTE: ACCEPT

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Page Last Updated or Reviewed: May 22, 2007