
[PROPOSAL] Cluster RECENT-66 - 34 candidates



I have proposed cluster RECENT-66 for review and voting by the
Editorial Board.

Name: RECENT-66
Description: Candidates announced between 6/4/2001 and 7/24/2001
Size: 34

You may vote on candidates by modifying this email ballot and sending
it back to me, or by using the CVE voting web site.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.



Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2001-0340
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0340
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010510
Category: SF/CF/MP/SA/AN/unknown
Reference: MS:MS01-030
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-030.asp

An interaction between the Outlook Web Access (OWA) service in
Microsoft Exchange 2000 Server and Internet Explorer allows attackers
to execute malicious script code against a user's mailbox via a
message attachment that contains HTML code, which is executed
automatically.

Analysis
----------------
ED_PRI CAN-2001-0340 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0344
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0344
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010516
Category: SF
Reference: MS:MS01-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-032.asp

An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using
Mixed Mode allows local database users to gain privileges by reusing a
cached connection of the sa administrator account.

Analysis
----------------
ED_PRI CAN-2001-0344 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0345
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0345
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010516
Category: SF
Reference: MS:MS01-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-031.asp

Microsoft Windows 2000 telnet service allows attackers to prevent idle
Telnet sessions from timing out, causing a denial of service by
creating a large number of idle sessions.

Analysis
----------------
ED_PRI CAN-2001-0345 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0347
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0347
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010516
Category: SF
Reference: MS:MS01-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-031.asp

Information disclosure vulnerability in Microsoft Windows 2000 telnet
service allows remote attackers to determine Guest accounts.

Analysis
----------------
ED_PRI CAN-2001-0347 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0348
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0348
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010516
Category: SF/CF/MP/SA/AN/unknown
Reference: MS:MS01-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-031.asp

Microsoft Windows 2000 telnet service allows attackers to cause a
denial of service via a malformed logon command.

Analysis
----------------
ED_PRI CAN-2001-0348 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0351
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0351
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010516
Category: SF/CF/MP/SA/AN/unknown
Reference: MS:MS01-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-031.asp

Microsoft Windows 2000 telnet service allows a local user to make a
certain system call that allows the user to terminate a Telnet session
and cause a denial of service.

Analysis
----------------
ED_PRI CAN-2001-0351 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0353
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0353
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010523
Category: SF
Reference: ISS:20010619 Remote Buffer Overflow Vulnerability in Solaris Print Protocol Daemon

Buffer overflow in the line printer daemon (in.lpd) for Solaris 8 and
earlier allows local and remote attackers to gain root privileges via
a "transfer job" routine.

Analysis
----------------
ED_PRI CAN-2001-0353 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0497
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0497
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010604
Category: SF
Reference: ISS:20010611 BIND Inadvertent Local Exposure of HMAC-MD5 (TSIG) Keys

dnskeygen in BIND 8.2.4 and earlier, and dnssec-keygen in BIND 9.1.2
and earlier, set insecure permissions for a HMAC-MD5 shared secret key
file used for DNS Transactional Signatures (TSIG), which allows
attackers to obtain the keys and perform dynamic DNS updates.

Analysis
----------------
ED_PRI CAN-2001-0497 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0500
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0500
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010608
Category: SF
Reference: MS:MS01-033
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
Reference: CERT:CA-2001-13
Reference: URL:http://www.cert.org/advisories/CA-2001-13.html

Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and
Indexing Service 2000 in IIS 6.0 beta and earlier allows remote
attackers to execute arbitrary commands via a long argument to
Internet Data Administration (.ida) and Internet Data Query (.idq)
files.

Analysis
----------------
ED_PRI CAN-2001-0500 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0501
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0501
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010608
Category: SF
Reference: BUGTRAQ:20010622 Fwd: Microsoft Word macro vulnerability advisory MS01-034
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99325144322224&w=2
Reference: MS:MS01-034
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-034.asp
Reference: BID:2876
Reference: URL:http://www.securityfocus.com/bid/2876

Microsoft Word 2002 and earlier allows attackers to automatically
execute macros without warning the user by embedding the macros in a
manner that escapes detection by the security scanner.

Analysis
----------------
ED_PRI CAN-2001-0501 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0502
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0502
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010608
Category: SF
Reference: MS:MS01-036
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-036.asp

Running Windows 2000 LDAP Server over SSL, a function does not
properly check the permissions of a user request when the directory
principal is a domain user and the data attribute is the domain
password, which allows local users to modify the login password of
other users.

Analysis
----------------
ED_PRI CAN-2001-0502 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0503
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0503
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010608
Category: SF
Reference: MS:MS00-077
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-077.asp

Microsoft NetMeeting with Remote Desktop Sharing enabled allows remote
attackers to cause a denial of service via a malformed string to the
NetMeeting service port, aka a variant of the "NetMeeting Desktop
Sharing" vulnerability.

Analysis
----------------
ED_PRI CAN-2001-0503 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0504
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0504
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010608
Category: SF
Reference: MS:MS01-037
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-037.asp

Vulnerability in authentication process for SMTP service in Microsoft
Windows 2000 allows remote attackers to use incorrect credentials to
gain privileges and conduct activities such as mail relaying.

Analysis
----------------
ED_PRI CAN-2001-0504 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0513
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0513
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010613
Category: SF/CF/MP/SA/AN/unknown
Reference: ISS:20010619 Oracle Redirect Denial of Service

Oracle listener process on Windows NT redirects connection requests to
another port and creates a separate thread to process the request,
which allows remote attackers to cause a denial of service by
repeatedly connecting to the Oracle listener but not connecting to the
redirected port.

Analysis
----------------
ED_PRI CAN-2001-0513 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0514
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0514
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010613
Category: SF
Reference: ISS:20010620 Multiple Vendor 802.11b Access Point SNMP authentication flaw

SNMP service in Atmel 802.11b VNET-B Access Point 1.3 and earlier, as
used in Netgear ME102 and Linksys WAP11, accepts arbitrary community
strings with requested MIB modifications, which allows remote
attackers to obtain sensitive information such as WEP keys, cause a
denial of service, or gain access to the network.

Analysis
----------------
ED_PRI CAN-2001-0514 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0517
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0517
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010613
Category: SF
Reference: ISS:20010515 Multiple Oracle Listener Denial of Service Vulnerabilities

Oracle listener in Oracle 8i on Solaris allows remote attackers to
cause a denial of service via a malformed connection packet with a
maximum transport data size that is set to 0.

Analysis
----------------
ED_PRI CAN-2001-0517 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0518
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0518
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010613
Category: SF
Reference: ISS:20010515 Multiple Oracle Listener Denial of Service Vulnerabilities

Oracle listener before Oracle 9i allows attackers to cause a denial of
service by repeatedly sending the first portion of a fragmented Oracle
command without sending the remainder of the command, which causes the
listener to hang.

Analysis
----------------
ED_PRI CAN-2001-0518 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0529
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0529
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010618
Category: SF
Reference: BUGTRAQ:20010604 SSH allows deletion of other users files...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-05/0322.html
Reference: BUGTRAQ:20010604 Re: SSH allows deletion of other users files...
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-06/0007.html
Reference: NETBSD:NetBSD-SA2001-010
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-010.txt.asc
Reference: CALDERA:CSSA-2001-023.0
Reference: URL:http://www.calderasystems.com/support/security/advisories/CSSA-2001-023.0.txt
Reference: BID:2825
Reference: URL:http://www.securityfocus.com/bid/2825

OpenSSH version 2.9 and earlier, with X forwarding enabled, allows a
local attacker to delete any file named 'cookies' via a symlink
attack.

Analysis
----------------
ED_PRI CAN-2001-0529 1
Vendor Acknowledgement: yes followup

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0533
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0533
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010619
Category: SF/CF/MP/SA/AN/unknown
Reference: IBM:MSS-OAR-E01-2001:271.1
Reference: URL:http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/85256A3400529A8685256A8D00804A37/$file/oar271.txt

Buffer overflow in libi18n library in IBM AIX 5.1 and 4.3.x allows
local users to gain root privileges via a long LANG environmental
variable.

Analysis
----------------
ED_PRI CAN-2001-0533 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0537
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0537
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010628
Category: SF
Reference: CISCO:20010627 IOS HTTP authorization vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
Reference: CERT:CA-2001-14
Reference: URL:http://www.cert.org/advisories/CA-2001-14.html

HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass
authentication and execute arbitrary commands, when local
authorization is being used, via a .... (modified dot dot) in the URL.

Analysis
----------------
ED_PRI CAN-2001-0537 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0538
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0538
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010710
Category: SF
Reference: BUGTRAQ:20010712 MS Office XP - the more money I give to Microsoft, the more vulnerable my Windows computers are
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99496431214078&w=2
Reference: MS:MS01-038
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-038.asp

Microsoft Outlook View ActiveX Control in Microsoft Outlook 2002 and
earlier allows remote attackers to execute arbitrary commands via a
malicious HTML e-mail message or web page.

Analysis
----------------
ED_PRI CAN-2001-0538 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0554
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0554
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010724
Category: SF
Reference: BUGTRAQ:20010718 multiple vendor telnet daemon vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/197804
Reference: CERT:CA-2000-21
Reference: URL:http://www.cert.org/advisories/CA-2001-21.html
Reference: FREEBSD:FreeBSD-SA-01:49
Reference: URL:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc
Reference: NETBSD:NetBSD-SA2001-012
Reference: URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt.asc
Reference: BID:3064
Reference: URL:http://www.securityfocus.com/bid/3064

Buffer overflow in BSD-based telnetd telnet daemon on various
operating systems allows remote attackers to execute arbitrary
commands via a set of options including AYT (Are You There), which is
not properly handled by the telrcv function.

Analysis
----------------
ED_PRI CAN-2001-0554 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0349
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0349
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010516
Category: SF
Reference: MS:MS01-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-031.asp

Microsoft Windows 2000 telnet service creates named pipes with
predictable names and does not properly verify them, which allows
local users to execute arbitrary commands by creating a named pipe
with the predictable name and associating a malicious program with it,
the first of two variants of this vulnerability.

Analysis
----------------
ED_PRI CAN-2001-0349 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Microsoft identifies two separate vulnerabilities that are extremely
similar, but the security bulletin states that "The two
vulnerabilities differ primarily in the way they exploit the
underlying problem regarding named pipe creation."  So, it may be
necessary to merge CAN-2001-0350 with CAN-2001-0349.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0350
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0350
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010516
Category: SF/CF/MP/SA/AN/unknown
Reference: MS:MS01-031
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-031.asp

Microsoft Windows 2000 telnet service creates named pipes with
predictable names and does not properly verify them, which allows
local users to execute arbitrary commands by creating a named pipe
with the predictable name and associating a malicious program with it,
the second of two variants of this vulnerability.

Analysis
----------------
ED_PRI CAN-2001-0350 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Microsoft identifies two separate vulnerabilities that are extremely
similar, but the security bulletin states that "The two
vulnerabilities differ primarily in the way they exploit the
underlying problem regarding named pipe creation."  So, it may be
necessary to merge CAN-2001-0350 with CAN-2001-0349.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0352
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0352
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010523
Category: SF
Reference: ISS:20010620 Wired-side SNMP WEP key exposure in 802.11b Access Points

SNMP agents in 3Com AirConnect AP-4111 and Symbol 41X1 Access Point
allow remote attackers to obtain the WEP encryption key by reading it
from a MIB when the value should be write-only, via (1)
dot11WEPDefaultKeyValue in the dot11WEPDefaultKeysTable of the IEEE
802.11b MIB, or (2) ap128bWepKeyValue in the ap128bWEPKeyTable in the
Symbol MIB.

Analysis
----------------
ED_PRI CAN-2001-0352 3
Vendor Acknowledgement: yes
Content Decisions: SF-LOC, SF-EXEC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0498
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0498
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010605
Category: SF
Reference: NAI:20010627 Oracle 8i SQLNet Header Vulnerability
Reference: URL:http://www.pgp.com/research/covert/advisories/049.asp

Transparent Network Substrate (TNS) over Net8 (SQLNet) in Oracle 8i
8.1.7 and earlier allows remote attackers to cause a denial of service
via a malformed SQLNet connection request with a large offset in the
header extension.

Analysis
----------------
ED_PRI CAN-2001-0498 3
Vendor Acknowledgement: yes
Content Decisions: SF-LOC

This is clearly a different type of vulnerability than CAN-2001-0499,
so CD:SF-LOC suggests keeping these two candidates separate.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0499
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0499
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010605
Category: SF
Reference: NAI:20010627 Vulnerability in Oracle 8i TNS Listener
Reference: URL:http://www.pgp.com/research/covert/advisories/050.asp

Buffer overflow in Transparent Network Substrate (TNS) Listener in
Oracle 8i 8.1.7 and earlier allows remote attackers to gain privileges
via a long argument to the commands (1) STATUS, (2) PING, (3)
SERVICES, (4) TRC_FILE, (5) SAVE_CONFIG, or (6) RELOAD.

Analysis
----------------
ED_PRI CAN-2001-0499 3
Vendor Acknowledgement: yes
Content Decisions: SF-LOC

This is clearly a different type of vulnerability than CAN-2001-0498,
so CD:SF-LOC suggests keeping these two candidates separate.  But
since the long STATUS, PING, and other commands all exhibit the same
type of problem (i.e. buffer overflow), then CD:SF-LOC suggests
combining them into the same candidate.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0515
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0515
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010613
Category: SF
Reference: ISS:20010515 Multiple Oracle Listener Denial of Service Vulnerabilities

Oracle Listener in Oracle 7.3 and 8i allows remote attackers to cause
a denial of service via a malformed connection packet with a large
offset_to_data value.

Analysis
----------------
ED_PRI CAN-2001-0515 3
Vendor Acknowledgement: yes
Content Decisions: SF-LOC

One might argue that CAN-2001-0515 and CAN-2001-0516 contain the same
basic type of problem (related to bad offsets), and thus CD:SF-LOC
would suggest merging them.  However, CAN-2001-0516 appears in Oracle
8.0 and later, and CAN-2001-0515 appears in Oracle 7.3 and 8i but
*NOT* 8.0.  In this case, because the bugs appear in different
software versions, CD:SF-LOC says that they must remain split.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0516
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0516
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010613
Category: SF
Reference: ISS:20010515 Multiple Oracle Listener Denial of Service Vulnerabilities

Oracle listener between Oracle 9i and Oracle 8.0 allows remote
attackers to cause a denial of service via a malformed connection
packet that contains an incorrect requester_version value that does
not match an expected offset to the data.

Analysis
----------------
ED_PRI CAN-2001-0516 3
Vendor Acknowledgement: yes
Content Decisions: SF-LOC

One might argue that CAN-2001-0515 and CAN-2001-0516 contain the same
basic type of problem (related to bad offsets), and thus CD:SF-LOC
would suggest merging them.  However, CAN-2001-0516 appears in Oracle
8.0 and later, and CAN-2001-0515 appears in Oracle 7.3 and 8i but
*NOT* 8.0.  In this case, because the bugs appear in different
software versions, CD:SF-LOC says that they must remain split.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0534
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0534
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010626
Category: SF
Reference: ISS:20010705 Remote Buffer Overflow in Multiple RADIUS Implementations
Reference: URL:http://xforce.iss.net/alerts/alerts.php

Multiple buffer overflows in RADIUS daemon radiusd in (1) Merit 3.6b
and (2) Lucent 2.1-2 RADIUS allow remote attackers to cause a denial
of service or execute arbitrary commands.

Analysis
----------------
ED_PRI CAN-2001-0534 3
Vendor Acknowledgement: unknown
Content Decisions: SF-CODEBASE, SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0548
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0548
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010717
Category: SF
Reference: BUGTRAQ:20010724 NSFOCUS SA2001-04 : Solaris dtmail Buffer Overflow Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99598918914068&w=2

Buffer overflow in dtmail in Solaris 2.6 and 7, and possibly other
operating systems, allows local users to gain privileges via the MAIL
environment variable.

Analysis
----------------
ED_PRI CAN-2001-0548 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0549
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0549
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010718
Category: SF
Reference: CERT-VN:VU#814187
Reference: URL:http://www.kb.cert.org/vuls/id/814187
Reference: CONFIRM:http://www.sarc.com/avcenter/security/Content/2001_07_20.html

Symantec LiveUpdate 1.5 stores proxy passwords in cleartext in a
registry key, which could allow local users to obtain the passwords.

Analysis
----------------
ED_PRI CAN-2001-0549 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0553
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0553
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010724
Category: SF
Reference: BUGTRAQ:20010720 URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0486.html

SSH Secure Shell 3.0.0 on Unix systems does not properly perform
password authentication to the sshd2 daemon, which allows local users
to gain access to accounts with short password fields, such as locked
accounts that use "NP" in the password field.

Analysis
----------------
ED_PRI CAN-2001-0553 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2001-0555
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0555
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010727
Assigned: 20010727
Category: SF
Reference: BUGTRAQ:20010613 ScreamingMedia SITEWare source code disclosure vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-06/0166.html
Reference: BUGTRAQ:20010613 ScreamingMedia SITEWare arbitrary file retrieval vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-06/0165.html
Reference: CONFIRM:http://www01.screamingmedia.com/en/security/sms1001.php

ScreamingMedia SITEWare versions 2.5 through 3.1 allow a remote
attacker to read world-readable files via a .. (dot dot) attack
through (1) the SITEWare Editor's Desktop or (2) the template
parameter in SWEditServlet.

Analysis
----------------
ED_PRI CAN-2001-0555 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

Page Last Updated or Reviewed: May 22, 2007