[INTERIM] ACCEPT 22 legacy candidates (Final 6/1)
I have made an Interim Decision to ACCEPT the following 22 candidates
from various legacy clusters, most of which were originally proposed
sometime in 1999. I will make a Final Decision on the evening of June
1, 2000.
The candidates come from the following clusters:
1 CERT
1 MULT
1 NTLOW
1 RESTLOW
2 NOREFS
3 VERIFY-BUGTRAQ
1 VERIFY-TOOL
1 PRIVACY
2 MS
1 CERT2
1 MISC-01
1 UNIX-UNCONF
6 MS-99
Voters:
Levy ACCEPT(4) MODIFY(1)
Shostack ACCEPT(1) MODIFY(1) NOOP(1)
Wall ACCEPT(9) MODIFY(1) NOOP(6)
LeBlanc ACCEPT(8) NOOP(3)
Ozancin ACCEPT(3) NOOP(1)
Cole ACCEPT(13) NOOP(5) RECAST(1)
Stracener ACCEPT(7) MODIFY(3)
Dik MODIFY(1)
Frech ACCEPT(2) MODIFY(18)
Hill ACCEPT(3)
Northcutt ACCEPT(6) NOOP(2) RECAST(1)
Magdych ACCEPT(1)
Armstrong ACCEPT(6) NOOP(6)
Prosser ACCEPT(8) RECAST(1)
=================================
Candidate: CAN-1999-0031
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.20.javascript
Reference: HP:HPSBUX9707-065
Reference: URL:http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html
JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and
4.x, allows remote attackers to monitor a user's web activities, aka
the Bell Labs vulnerability.
Modifications:
ADDREF HP:HPSBUX9707-065
DESC add affected browsers and versions, mentioned Bell Labs
INFERRED ACTION: CAN-1999-0031 ACCEPT (3 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(1) Cole
MODIFY(2) Levy, Wall
NOOP(2) Northcutt, Christey
Comments:
Christey> The CERT advisory is at http://www.cert.org/advisories/CA-97.20.javascript.html
Christey>
Christey> ADDREF HP:HPSBUX9707-065
Christey> http://www.codetalker.com/advisories/vendor/hp/hpsbux9707-065.html
Christey>
Christey> According to the CERT advisory, this issue affects Internet
Christey> Explorer 3.x and 4.x, and Netscape 2.x, 3.x, and 4.x.
Christey> Include this in the description.
Levy> Need a better description of the vulnerability; there were several JS
Levy> vulnerabilities in the same time frame that had similar results but
Levy> were poorly documented. This, the Bell Labs vulnerability, was one of them.
Levy> This is one of the other ones:
Levy> http://www.securityfocus.com/templates/archive.pike?list=1&msg=c%3dDE%25a%3dDBP%25p%3dSCN%25l%3dMCHH9EEA-970711140700Z-21724@de-mch-he01a.exchange.pn.siemens.de
Wall> Add Internet Explorer 5 also. See
Wall> http://www.microsoft.com/technet/security/bulletin/ms99-043.asp which allows
Wall> JavaScript to read files on other computers.
Christey> MS:MS99-043 is already handled by CVE-1999-0793. This one is
Christey> different because IE 3.x and 4.x are affected; for
Christey> CVE-1999-0793, it affected 4.x and 5.x. Also, this one
Christey> just allows someone to read cookies, HTML form data, and
Christey> what URLs were visited. CVE-1999-0793 allows the attacker
Christey> to read files on the target's computer. Thus this one is
Christey> different than CVE-1999-0793, and MS:MS99-043 should not be
Christey> added.
Christey>
Christey> The reference that Elias provided describes 2 bugs, neither
Christey> of which is the "Bell Labs" bug, i.e. this candidate (just to
Christey> confirm what Elias said; the CERT advisory explicitly thanks
Christey> Bell Labs). The first bug *sounds* a lot like this candidate, but
Christey> didn't need Javascript. Refer to this as the "Danish bug"
Christey> since it was "discovered by a Danish IS consultant company."
Christey>
Christey> The second bug describes the same symptoms as CVE-1999-0793.
Christey> However, this reference only describes the problem for
Christey> Netscape Navigator; CVE-1999-0793 only mentions IE.
Christey> Thus it's possible that the problem was identified and fixed
Christey> for Netscape, and later "rediscovered" by Microsoft and
Christey> addressed for Internet Explorer. (The CD:DISCOVERY-DATE content
Christey> decision, when reviewed by the Board, will dictate what to
Christey> do in these sorts of cases). But then again, they could be
Christey> different bugs entirely, but they just happen to have the same
Christey> symptoms. If the bug is more in the Javascript model than in
Christey> the implementation, then maybe CD:SF-CODEBASE won't apply.
Christey> We might be able to roll this second bug in with
Christey> CVE-1999-0793; thus we may need to REASSESS CVE-1999-0793 in
Christey> the future.
Christey>
Christey> It is possible that this second bug is the same as the
Christey> "Singapore privacy bug" described here:
Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-28&msg=Pine.SUN.3.94.970728112219.25473B-100000@dfw.dfw.net
Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-22&msg=Pine.SUN.3.94.970726193056.27668B-100000@dfw.dfw.net
Christey>
Christey> These posts were on July 22 and 28. Singapore is dated after
Christey> the initial CERT advisory and references LiveConnect, which
Christey> "enables communication between JavaScript and Java applets."
Christey> Kuo Chiang, the person referenced in the above posts as the
Christey> discoverer, sent a followup a week later on August 1:
Christey>
Christey> http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719458&w=2
Christey> But this is merely a clarification of the earlier problem, as
Christey> his post includes a reference to a ZDNet article written
Christey> on July 25.
Christey>
Christey> The poster referred to by Elias, Matthias Dominick, sent a
Christey> followup to the CERT advisory saying that the Danish bug
Christey> appeared to be fixed, but the Bell Labs bug wasn't.
Christey>
Christey> http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&msg=c%3dDE%25a%3dDBP%25p%3dSCN%25l%3dMCHH9EEA-970710145437Z-20375@de-mch-he01a.exchange.pn.siemens.de
Christey>
Christey> Two legacy candidates will eventually be created to handle
Christey> these 2 other bugs, i.e. Singapore and Danish.
Christey>
Christey> In the meantime, the description for this one can be extended
Christey> to mention the Bell Labs bug and include pointers back to some
Christey> of the related posts.
Christey>
Christey> If this mess isn't an argument for a naming standard, I don't
Christey> know what is :-) :-) On a more serious note, this is an
Christey> indicator of why it may be important for CVE to provide a way
Christey> of distinguishing between different bugs discovered in the
Christey> same software at around the same time (CD:SF-LOC will address this,
Christey> and is one of the first CD's we will discuss when I reintroduce
Christey> them).
Levy> Add "Bell Labs" to the description or name.
=================================
Candidate: CAN-1999-0118
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000106-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91158980826979&w=2
Reference: XF:aix-infod
AIX infod allows local users to gain root access through an X display.
Modifications:
ADDREF XF:aix-infod
ADDREF BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
INFERRED ACTION: CAN-1999-0118 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Northcutt
MODIFY(1) Frech
NOOP(6) Shostack, Wall, Christey, LeBlanc, Cole, Armstrong
Comments:
Frech> XF:aix-infod
Christey> See BUGTRAQ:19981119 RSI.0011.11-09-98.AIX.INFOD
Christey> AIX APAR's confirm this problem: IX84642, IX89281, and IX84642
=================================
Candidate: CAN-1999-0124
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-93:11.UMN.UNIX.gopher.vulnerability
Reference: XF:gopher-vuln
Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow
an intruder to read any files that can be accessed by the gopher
daemon.
Modifications:
DESC Add versions
INFERRED ACTION: CAN-1999-0124 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Frech, Levy
NOOP(3) Christey, Wall, Cole
Comments:
Christey> Modify the description to include the version numbers
Christey> 1.12 and 2.0x
Christey>
Christey> The advisory is at
Christey> http://www.cert.org/advisories/CA-93.11.UMN.UNIX.gopher.vulnerability.html
Christey>
=================================
Candidate: CAN-1999-0142
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-02
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.05.java_applet_security_mgr
Reference: XF:http-java-appletsecmgr
The Java Applet Security Manager implementation in Netscape Navigator
2.0 and Java Developer's Kit 1.0 allows an applet to connect to
arbitrary hosts.
Modifications:
DESC include Netscape and JDK, with version numbers
ADDREF XF:http-java-appletsecmgr
INFERRED ACTION: CAN-1999-0142 RECAST (1 recast, 3 accept, 0 review)
Current Votes:
ACCEPT(3) Hill, Shostack, Wall
MODIFY(1) Frech
NOOP(1) Christey
RECAST(1) Northcutt
Comments:
Northcutt> Please note I am not a Java expert, but I think jdk 2.0 and
Northcutt> so forth do not have a sandbox notion and applets (perhaps trusted
Northcutt> applets) can connect to arbitrary hosts as a matter of course. You
Northcutt> might want to contact Li Gong (li.gong@sun.com) or a similar
Northcutt> expert before issuing this one. NOTE: another reason to consider
Northcutt> the original date!!!
Christey> Noting Steve Northcutt's comments, perhaps we would need to modify the
Christey> description somewhat to distinguish between current Java versions and
Christey> the one that had this vulnerability. However, the CERT reference
Christey> associates a general place and time for where this vulnerability
Christey> arose, so I don't think it's too big of a deal.
Frech> Reference: XF:http-java-appletsecmgr
=================================
Candidate: CAN-1999-0210
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-02
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19971126 Solaris 2.5.1 automountd exploit (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88053459921223&w=2
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2
Reference: HP:HPSBUX9910-104
Reference: CERT:CA-99-05
Reference: BID:235
Automount daemon automountd allows local or remote users to gain
privileges via shell metacharacters.
Modifications:
Changed description and added references.
ADDREF BID:235
INFERRED ACTION: CAN-1999-0210 ACCEPT (4 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Levy, Cole
MODIFY(2) Shostack, Frech
NOOP(3) Northcutt, Christey, Wall
Comments:
Shostack> I think there was an SNI advisory on this
Frech> Not enough information; POSSIBLY XF:sun-automountd (changing mount options)
Christey>
Christey> SNI did not publish an advisory; however, Oliver Friedrichs
Christey> sent a post saying that SNI's security tool tested for it.
Christey> See http://marc.theaimsgroup.com/?l=bugtraq&m=91553343311719&w=2
Christey>
Christey> This is a tough one. There's an old automount bug that's
Christey> only locally exploitable, then a newer rpc.statd bug allows
Christey> it to be remotely exploitable. There's at least two bugs,
Christey> but should there be three?
Christey>
Christey> Also see CAN-1999-0493
Levy> ADDREF: BID:235
Levy> There are three vulns: BID 235, BID 729, and BID 450.
=================================
Candidate: CAN-1999-0225
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000524-02
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: NAI:19980214 Windows NT Logon Denial of Service
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/25_windows_nt_dos_adv.asp
Reference: MSKB:Q180963
Reference: URL:http://www.microsoft.com/technet/support/kb.asp?ID=180963
Reference: XF:nt-logondos
Windows NT 4.0 allows remote attackers to cause a denial of service
via a malformed SMB logon request in which the actual data size does
not match the specified size.
Modifications:
ADDREF MSKB:Q180963
ADDREF XF:nt-logondos
reword description
Canonicalize NAI advisory
INFERRED ACTION: CAN-1999-0225 ACCEPT (7 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(7) Hill, Magdych, Stracener, LeBlanc, Northcutt, Cole, Armstrong
MODIFY(1) Frech
NOOP(1) Wall
Comments:
Frech> XF:nt-logondos
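The CAN-1999-0225 description names the bug class without showing it: a request whose actual data size differs from the size it declares, handled by code that trusts the declared size. The following is an added example, not part of the board record and not the SMB wire format: "LogonRecord" is a hypothetical, deliberately minimal layout (2-byte big-endian ByteCount, then a 1-byte password length, the password bytes and the user name) used only to contrast a parser that trusts the declared count with one that checks it against the bytes actually received. The sample packets are constructed inline.

```python
"""Declared-length vs. actual-length validation on a length-prefixed request.

Added example, not part of the original board record and not the SMB wire
format: the record layout below is hypothetical (2-byte big-endian
ByteCount, 1-byte password length, password bytes, user name). It shows the
bug class behind CAN-1999-0225, where a request whose actual data size
differs from its declared size took the server down. Sample packets are
constructed inline.
"""
import struct


class ProtocolError(ValueError):
    """Raised for malformed input that the server should reject and log."""


def parse_logon_vulnerable(buf):
    """Trusts the declared ByteCount and never compares it to the bytes present."""
    (declared,) = struct.unpack_from(">H", buf, 0)
    payload = buf[2:2 + declared]          # silently shorter than 'declared'
    pw_len = payload[0]                    # IndexError on an empty payload
    password = payload[1:1 + pw_len]
    user = payload[1 + pw_len:]
    return {"user": user.decode("ascii"), "password": bytes(password)}


def parse_logon_hardened(buf):
    """Rejects any request whose declared size disagrees with the bytes received."""
    if len(buf) < 2:
        raise ProtocolError("short header")
    (declared,) = struct.unpack_from(">H", buf, 0)
    payload = buf[2:]
    if len(payload) != declared:
        raise ProtocolError(f"ByteCount {declared} but {len(payload)} bytes present")
    if declared < 1:
        raise ProtocolError("missing password length")
    pw_len = payload[0]
    if 1 + pw_len > declared:
        raise ProtocolError("password length exceeds ByteCount")
    password = payload[1:1 + pw_len]
    user = payload[1 + pw_len:]
    try:
        user_str = user.decode("ascii")
    except UnicodeDecodeError:
        raise ProtocolError("non-ASCII user name") from None
    return {"user": user_str, "password": bytes(password)}


def build_logon(user, password, declared=None):
    """Build a request; 'declared' overrides the true ByteCount to forge a malformed one."""
    payload = bytes([len(password)]) + password + user
    if declared is None:
        declared = len(payload)
    return struct.pack(">H", declared) + payload


def serve(requests, parser):
    """Simulate a server loop that handles protocol errors but nothing else.

    Returns one outcome per request handled; 'crashed' means an unexpected
    exception escaped the handler, which in a single-process daemon is the
    denial of service."""
    outcomes = []
    for req in requests:
        try:
            parser(req)
            outcomes.append("ok")
        except ProtocolError:
            outcomes.append("rejected")
        except Exception:          # anything else would have killed the daemon
            outcomes.append("crashed")
            break
    return outcomes


# Constructed sample traffic: a valid logon, then a request that declares
# 0x7fff bytes of data but carries none, then the valid logon again.
GOOD = build_logon(b"alice", b"hunter2")
MALFORMED = struct.pack(">H", 0x7FFF)
TRAFFIC = [GOOD, MALFORMED, GOOD]

if __name__ == "__main__":
    print("vulnerable:", serve(TRAFFIC, parse_logon_vulnerable))
    print("hardened:  ", serve(TRAFFIC, parse_logon_hardened))
```

The hardened parser turns every size disagreement into a ProtocolError that the service loop already knows how to handle, so the third (legitimate) request is still served; the trusting parser lets an IndexError out of the handler and the loop never reaches it.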
=================================
Candidate: CAN-1999-0323
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000524-01
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:04
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:04.mmap.asc
Reference: NETBSD:1998-003
Reference: URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1998-003.txt.asc
Reference: XF:bsd-mmap
FreeBSD mmap function allows users to modify append-only or immutable
files.
Modifications:
ADDREF NETBSD:1998-003
ADDREF XF:bsd-mmap
INFERRED ACTION: CAN-1999-0323 ACCEPT (5 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(5) Hill, Stracener, Northcutt, Cole, Armstrong
MODIFY(1) Frech
NOOP(1) LeBlanc
Comments:
Frech> ADDREF XF:bsd-mmap (was REVIEWING)
=================================
Candidate: CAN-1999-0407
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990209 ALERT: IIS4 allows proxied password attacks over NetBIOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91983486431506&w=2
Reference: BUGTRAQ:19990209 Re: IIS4 allows proxied password attacks over NetBIOS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92000623021036&w=2
Reference: XF:iis-iisadmpwd
By default, IIS 4.0 has a virtual directory /IISADMPWD which contains
files that can be used as proxies for brute force password attacks, or
to identify valid users on the system.
Modifications:
Modified Bugtraq ref, added KB article and ISS ref
DELREF MSKB:Q184619 - doesn't refer to this problem
INFERRED ACTION: CAN-1999-0407 ACCEPT (5 accept, 0 ack, 0 review)
Current Votes:
ACCEPT(4) Stracener, LeBlanc, Northcutt, Cole
MODIFY(1) Frech
NOOP(2) Christey, Armstrong
Comments:
Frech> ADDREF XF:iis-iisadmpwd
Christey> Q184619 doesn't appear to describe this problem. However,
Christey> Russ Cooper confirms it in a followup email.
=================================
Candidate: CAN-1999-0464
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 19991205-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990104 Tripwire mess..
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91553066310826&w=2
Reference: CONFIRM:http://marc.theaimsgroup.com/?l=bugtraq&m=91592136122066&w=2
Local users can perform a denial of service in Tripwire 1.2 and
earlier using long filenames.
Modifications:
ADDREF BUGTRAQ:19990104 Tripwire mess..
INFERRED ACTION: CAN-1999-0464 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Northcutt
MODIFY(1) Frech
NOOP(4) Christey, LeBlanc, Cole, Armstrong
Comments:
Frech> XF:tripwire-long-filename-dos
Christey> XF:tripwire-long-filename-dos doesn't exist.
=================================
Candidate: CAN-1999-0491
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000418-02
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:19990420 Bash Bug
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.9904202114070.6623-100000@smooth.Operator.org
Reference: CALDERA:CSSA-1999-008.0
Reference: URL:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-008.0.txt
Reference: BID:119
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=119
The prompt parsing in bash allows a local user to execute commands as
another user by creating a directory with the name of the command
to execute.
Modifications:
CHANGEREF BUGTRAQ [title]
ADDREF CALDERA:CSSA-1999-008.0
INFERRED ACTION: CAN-1999-0491 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(1) Levy
MODIFY(1) Frech
NOOP(3) Christey, Wall, Cole
Comments:
Frech> bash-prompt-pars-dir
Christey> XF:bash-prompt-pars-dir doesn't exist.
Christey>
Christey> ADDREF CALDERA:CSSA-1999-008.0
=================================
Candidate: CAN-1999-0493
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-99-05
Reference: URL:http://www.cert.org/advisories/CA-99-05-statd-automountd.html
Reference: SUN:00186
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/186&type=0&nav=sec.sba
Reference: CIAC:J-045
Reference: BUGTRAQ:19990103 SUN almost has a clue! (automountd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91547759121289&w=2
Reference: BID:450
rpc.statd allows remote attackers to forward RPC calls to the local
operating system via the SM_MON and SM_NOTIFY commands, which in turn
could be used to remotely exploit other bugs such as in automountd.
Modifications:
Added numerous references
ADDREF BID:450
ADDREF CIAC:J-045
INFERRED ACTION: CAN-1999-0493 ACCEPT (3 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(3) Northcutt, Levy, Cole
NOOP(2) Christey, Wall
Comments:
Christey> This candidate has been modified heavily.
Levy> ADDREF: BID:450
Christey> ADDREF CIAC:J-045
=================================
Candidate: CAN-1999-0668
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: BUGTRAQ:19990821 IE 5.0 allows executing programs
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: BID:598
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=598
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308
The scriptlet.typelib ActiveX control is marked as "safe for
scripting" for Internet Explorer, which allows a remote attacker to
execute arbitrary commands as demonstrated by Bubbleboy.
Modifications:
ADDREF XF:ms-scriptlet-eyedog-unsafe
ADDREF MSKB:Q240308
INFERRED ACTION: CAN-1999-0668 SMC_REVIEW (6 accept, 1 review)
Current Votes:
ACCEPT(4) Cole, Wall, Prosser, Ozancin
MODIFY(2) Frech, Stracener
REVIEWING(1) Christey
Comments:
Frech> XF:ms-scriptlet-eyedog-unsafe
Wall> Note: Was this not CVE 199-0376?
Stracener> Add Ref: MSKB Q240308
Christey> Should CAN-1999-0669 and 668 be merged? If not, then this is
Christey> a reason for not merging CAN-1999-0988 and CAN-1999-0828.
=================================
Candidate: CAN-1999-0696
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990709 Exploit of rpc.cmsd
Reference: SCO:SB-99.12
Reference: SUN:00188
Reference: SUNBUG:4230754
Reference: HP:HPSBUX9908-102
Reference: COMPAQ:SSRT0614U_RPC_CMSD
Reference: CERT:CA-99-08
Reference: CIAC:J-051
Reference: XF:sun-cmsd-bo
Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd)
Modifications:
ADDREF XF:sun-cmsd-bo
ADDREF SUNBUG:4230754
ADDREF BUGTRAQ:19990709 Exploit of rpc.cmsd
ADDREF SCO:SB-99.12
CHANGEREF HP:00102 HP:HPSBUX9908-102
INFERRED ACTION: CAN-1999-0696 RECAST (1 recast, 6 accept, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Ozancin
MODIFY(3) Frech, Stracener, Dik
NOOP(1) Christey
RECAST(1) Prosser
Comments:
Frech> XF:sun-cmsd-bo
Prosser> Correct me if I am wrong as I don't have the facilities to test this, but
Prosser> Sun originally reported this vulnerability in Sun Bulletin 0166, Mar 1998.
Prosser> The CVE Board accepted it as CVE-1999-0320. The 00188 Sun Bulletin in July
Prosser> 1999 is an exact dupe of the 98 bulletin with the exception of some
Prosser> additional patches for CDE on later versions of SunOS/Solaris. The CERT and
Prosser> other vendor alerts are additional information on this BO for other vendor's
Prosser> systems (why it took over a year?), but we already have a CVE number
Prosser> outstanding for this vulnerability. Are these separate vulnerabilities? Or
Prosser> the same one just found to affect more than originally thought? If so,
Prosser> recommend merging this CAN into the existing CVE, and just adjust the
Prosser> description in the existing CVE to reflect the additional vulnerable vendor
Prosser> systems.
Prosser> Additional reference: BID 486 and 524
Stracener> Redundant references to J-051.
Christey> The confusion appears to be related to patch versions; 104976-03 is
Christey> recommended for SUN:00166, and 104976-04 is recommended for SUN:00188.
Christey> Did Sun create a new version, with the same patch ID, for the new bug?
Christey> Or was there an error in the patch for the older bug?
Dik> #166 addresses Sun bug 1265008: a file overwrite/remove vulnerability
Dik> #188 addresses Sun bug 4230754: buffer overflows.
Dik>
Dik> (I.e., the reverse from what you state)
Dik>
Dik> These are two separate problems: first one is lack of checking the
Dik> names of calendars for reserved characters (/) the second is lack
Dik> of bounds checking.
Dik>
Dik> Sun typically assigns only one patchid to patch a certain part
Dik> of Solaris. When more problems are found, the patch gets rev'ed.
Dik>
Dik> The #166 problem was addressed, e.g., w/ patch 104976-03; subsequently,
Dik> we address the #188 problem w/ 104976-04.
Dik>
Dik> The history is recorded in the README file of each patch.
Dik>
Dik> ADDREF SUNBUG 4230754
Christey> ADDREF SCO:SB-99.12
Christey> URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-99.12a
Christey>
Christey> ADDREF BUGTRAQ:19990709 Exploit of rpc.cmsd
Christey> http://marc.theaimsgroup.com/?l=bugtraq&m=93154214531199&w=2
Christey>
Christey> CHANGEREF HP:00102 HP:HPSBUX9908-102
=================================
Candidate: CAN-1999-0719
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990802 Gnumeric potential security hole.
Reference: REDHAT:RHSA-1999:023-01
Reference: XF:gnu-guile-plugin-export
Reference: BID:563
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=563
The Guile plugin for the Gnumeric spreadsheet package allows attackers
to execute arbitrary code.
Modifications:
ADDREF BUGTRAQ:19990802 Gnumeric potential security hole.
ADDREF XF:gnu-guile-plugin-export
ADDREF REDHAT:RHSA-1999:023-01
DESC include "gnumeric spreadsheet package"
INFERRED ACTION: CAN-1999-0719 ACCEPT_ACK (2 accept, 1 ack, 0 review)
Current Votes:
MODIFY(3) Stracener, Frech, Christey
Comments:
Stracener> Add Ref: BUGTRAQ:19990803 Gnumeric Potential Security Hole
Stracener> Add Ref: REDHAT:RHSA-1999:023-01
Frech> XF:gnu-guile-plugin-export
Christey> BUGTRAQ:19990802 Gnumeric potential security hole.
Christey> http://www.securityfocus.com/templates/archive.pike?list=1&msg=199908031423.JAA12210@erandi.nuclecu.unam.mx
Christey>
Christey> Change desc to include "gnumeric spreadsheet package"
=================================
Candidate: CAN-1999-0754
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000418-01
Proposed: 19991222
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990511 INN 2.0 and higher. Root compromise potential
Reference: CALDERA:CSSA-1999-011.0
Reference: SUSE:19990518 Security hole in INN
Reference: MISC:http://www.redhat.com/corp/support/errata/inn99_05_22.html
Reference: BID:255
Reference: XF:inn-innconf-env
The INN inndstart program allows local users to gain privileges by
specifying an alternate configuration file using the INNCONF
environmental variable.
Modifications:
ADDREF CALDERA:CSSA-1999-011.0
ADDREF SUSE:19990518 Security hole in INN
ADDREF MISC:http://www.redhat.com/corp/support/errata/inn99_05_22.html
ADDREF BID:255
INFERRED ACTION: CAN-1999-0754 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Stracener, Frech
NOOP(2) Ozancin, Christey
Comments:
Christey> BID:255 and BID:254 have a good explanation for why this is
Christey> different than CAN-1999-0785
Christey>
Christey> ADDREF CALDERA:CSSA-1999-011.0
Christey> ADDREF SUSE:19990518 Security hole in INN
Christey> Also see http://www.redhat.com/corp/support/errata/inn99_05_22.html
=================================
Candidate: CAN-1999-0874
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-019
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-019.asp
Reference: MSKB:Q234905
Reference: EEYE:AD06081999
Reference: CERT:CA-99-07
Reference: CIAC:J-048
Reference: XF:iis-htr-overflow
Buffer overflow in IIS 4.0 allows remote attackers to cause a denial
of service via a malformed request for files with .HTR, .IDC, or .STM
extensions.
Modifications:
ADDREF XF:iis-htr-overflow
DESC Add version number, remote, DoS
INFERRED ACTION: CAN-1999-0874 RECAST (1 recast, 5 accept, 0 review)
Current Votes:
ACCEPT(4) Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
RECAST(1) Cole
Comments:
Frech> XF:iis-htr-overflow
Cole> This description is very general and covers about 5 different
Cole> exploits with IIS.
Cole> The thing to remember is that with Microsoft there are so many
Cole> vulnerabilities that you must be very specific. I would add the following:
Cole> Microsoft has released a patch that eliminates a vulnerability in
Cole> the Taskpads feature, which is provided as part of the Microsoft®
Cole> Windows® 98 Resource Kit, Windows 98 Resource Kit Sampler, and
Cole> BackOffice® Resource Kit, second edition. The vulnerability could
Cole> allow a malicious web site operator to run executables on the
Cole> computer of a visiting user. Only customers who have installed one
Cole> of the affected products and who surf the web using the machines on
Cole> which they are installed are at risk from this vulnerability.
=================================
Candidate: CAN-1999-1011
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 19991221
Category: SF
Reference: MS:MS98-004
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-004.asp
Reference: MS:MS99-025
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
Reference: CIAC:J-054
Reference: ISS:19990809 Vulnerabilities in Microsoft Remote Data Service
Reference: BID:529
Reference: URL:http://www.ciac.org/ciac/bulletins/j-054.shtml
Reference: XF:nt-iis-rds
The Remote Data Service (RDS) DataFactory component of Microsoft Data
Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods,
which allows remote attackers to execute arbitrary commands.
Modifications:
ADDREF XF:nt-iis-rds
ADDREF BID:529
ADDREF ISS:19990809 Vulnerabilities in Microsoft Remote Data Service
INFERRED ACTION: CAN-1999-1011 ACCEPT (5 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(4) LeBlanc, Cole, Prosser, Wall
MODIFY(1) Frech
NOOP(2) Christey, Armstrong
Comments:
Frech> XF:nt-iis-rds
Frech> ISS:ISS Security Advisory #32, Vulnerabilities in Microsoft Remote Data
Frech> Service, http://xforce.iss.net/alerts/advise32.php3
Christey> ADDREF BID:529
=================================
Candidate: CAN-2000-0323
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:19990728 Alert : MS Office 97 Vulnerability
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=19990729195531.25108.qmail@underground.org
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=D1A11CCE78ADD111A35500805FD43F58019792A3@RED-MSG-04
Reference: MS:MS99-030
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-030.asp
Reference: XF:jet-text-isam
Reference: BID:595
Reference: URL:http://www.securityfocus.com/level2/?go=vulnerabilities&id=595
The Microsoft Jet database engine allows an attacker to modify text
files via a database query, aka the "Text I-ISAM" vulnerability.
Modifications:
ADDREF XF:jet-text-isam
INFERRED ACTION: CAN-2000-0323 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) LeBlanc, Cole, Prosser, Wall, Armstrong
MODIFY(1) Frech
Comments:
Frech> XF:jet-text-isam
=================================
Candidate: CAN-2000-0327
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:19991014 Another Microsoft Java Flaw Disovered
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93993545118416&w=2
Reference: MS:MS99-045
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-045.asp
Reference: XF:msvm-verifier-java
Microsoft Virtual Machine (VM) allows remote attackers to escape the
Java sandbox and execute commands via an applet containing an illegal
cast operation, aka the "Virtual Machine Verifier" vulnerability.
Modifications:
ADDREF XF:msvm-verifier-java
INFERRED ACTION: CAN-2000-0327 ACCEPT (5 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(4) LeBlanc, Cole, Prosser, Wall
MODIFY(1) Frech
NOOP(1) Armstrong
Comments:
Frech> XF:msvm-verifier-java
Frech> (Note: this XF tag is also assigned to "CVE-1999-0766: The Microsoft Java
Frech> Virtual Machine allows a malicious Java applet to execute arbitrary commands
Frech> outside of the sandbox environment." Reason: MS99-031 is vague and refers to
Frech> the same Java issue.)
=================================
Candidate: CAN-2000-0328
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:19990824 NT Predictable Initial TCP Sequence numbers - changes observed with SP4
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.19990824165629.00abcb40@192.168.124.1
Reference: MS:MS99-046
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-046.asp
Reference: BID:604
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=604
Reference: XF:nt-sequence-prediction-sp4
Reference: XF:tcp-seq-predict
Windows NT 4.0 generates predictable random TCP initial sequence
numbers (ISN), which allows remote attackers to perform spoofing and
session hijacking.
Modifications:
ADDREF XF:nt-sequence-prediction-sp4
ADDREF XF:tcp-seq-predict
INFERRED ACTION: CAN-2000-0328 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) LeBlanc, Cole, Prosser, Wall, Armstrong
MODIFY(1) Frech
Comments:
Frech> XF:nt-sequence-prediction-sp4
Frech> XF:tcp-seq-predict
Cole> ACTUALLY A DOUBLE ACCEPT:)
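The CAN-2000-0328 description says the ISNs are "predictable" but not how one would measure that. The following is an added example, not part of the board record or of any of the referenced advisories: given a list of ISNs observed on successive connections to one host, it computes the consecutive differences, scores how often the same increment repeats, and predicts the next ISN the way a blind-spoofing attacker would. Both ISN samples are constructed inline (a fixed-increment series modelling the behaviour MS99-046 describes, and a sample with no repeated increment); neither was captured from a real Windows NT host.

```python
"""Estimate how predictable a host's TCP initial sequence numbers (ISNs) are.

Added example, not part of the original board discussion. Input is a list of
ISNs observed from successive connections to the same host. Both samples
below are constructed, not captured: LINEAR_ISNS models a generator that
adds a constant per connection (the behaviour MS99-046 describes for
Windows NT 4.0), RANDOM_ISNS models a generator with no repeating increment.
"""
from collections import Counter

ISN_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def isn_deltas(isns):
    """Return the modular differences between consecutive ISN observations."""
    return [(b - a) % ISN_MOD for a, b in zip(isns, isns[1:])]


def predictability(isns):
    """Fraction of consecutive deltas equal to the most common delta.

    1.0 means every new ISN was exactly previous_isn + constant: an attacker
    who sees one ISN (from a connection they are allowed to make) can compute
    the ISN the victim will hand out next and complete a forged three-way
    handshake without seeing the SYN/ACK, which is the spoofing and session
    hijacking the candidate description refers to."""
    deltas = isn_deltas(isns)
    if not deltas:
        return 0.0
    _, count = Counter(deltas).most_common(1)[0]
    return count / len(deltas)


def predict_next(isns):
    """Guess the next ISN as the last observed ISN plus the modal delta."""
    deltas = isn_deltas(isns)
    if not deltas:
        raise ValueError("need at least two observations")
    modal_delta = Counter(deltas).most_common(1)[0][0]
    return (isns[-1] + modal_delta) % ISN_MOD


def assess(isns, threshold=0.5):
    """Classify a sample: 'predictable' if a majority of deltas repeat."""
    return "predictable" if predictability(isns) >= threshold else "randomised"


# Constructed sample: eight ISNs that grow by exactly 1000 per connection.
LINEAR_ISNS = [0x10000000 + 1000 * i for i in range(8)]

# Constructed sample: eight ISNs chosen so that no two consecutive deltas match.
RANDOM_ISNS = [0x3A1F9C42, 0x91BE0D7F, 0x0C44E3A1, 0xF0A2B5C6,
               0x5D19EE03, 0x2BC7A8F0, 0xA8E31D54, 0x6F0B2C99]

if __name__ == "__main__":
    for name, sample in (("linear", LINEAR_ISNS), ("random", RANDOM_ISNS)):
        print(f"{name}: score={predictability(sample):.3f} "
              f"verdict={assess(sample)} next_guess={predict_next(sample):#010x}")
```

A single repeated increment is the crudest signal; a generator that adds a constant per unit of elapsed time rather than per connection shows up as deltas that are multiples of one base value, so in practice the deltas are also worth plotting against connection timestamps before concluding a host is safe.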
=================================
Candidate: CAN-2000-0329
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: MS:MS99-048
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-048.asp
Reference: XF:ie-active-setup-control
A Microsoft ActiveX control allows a remote attacker to execute a
malicious cabinet file via an attachment and an embedded script in an
HTML mail, aka the "Active Setup Control" vulnerability.
Modifications:
ADDREF XF:ie-active-setup-control
INFERRED ACTION: CAN-2000-0329 ACCEPT (4 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(3) LeBlanc, Prosser, Wall
MODIFY(1) Frech
NOOP(2) Cole, Armstrong
Comments:
Frech> XF:ie-active-setup-control
=================================
Candidate: CAN-2000-0330
Published:
Final-Decision:
Interim-Decision: 20000530
Modified: 20000526-01
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: MS:MS99-049
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-049.asp
Reference: XF:win-fileurl-overflow
The networking software in Windows 95 and Windows 98 allows remote
attackers to execute commands via a long file name string, aka the
"File Access URL" vulnerability.
Modifications:
ADDREF XF:win-fileurl-overflow
INFERRED ACTION: CAN-2000-0330 ACCEPT (6 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(5) LeBlanc, Cole, Prosser, Wall, Armstrong
MODIFY(1) Frech
Comments:
Frech> XF:win-fileurl-overflow