
RE: [TECH] High-level candidates for recent SNMP problems



The LDAP problems that were found using PROTOS are probably the
closest precedent for the current situation, though there have been
other less dramatic cases in which a problem has been discovered
simultaneously in many products (consider last year's "strange
attractors" paper by Michal Zalewski, which dealt with new methods of
TCP sequence number prediction).

While it took me a few hours to grasp the initial LDAP report when it
came out, my general approach of distinguishing between flaw types and
vendors works rather cleanly.  This is expected to produce somewhere
between 30 and 45 candidates without major headaches (unless you ask
the poor content team member who's still working to create the actual
CANs.)

The detailed SNMP analysis as published on the PROTOS site identifies
several test groups.  This might be a natural breakdown for
candidates.

These SNMP issues are on a larger scale than the LDAP problems, with
approximately 40 affected vendors.  At 1-4 candidates each, that's
between 40 and 160 candidates.

The number of candidates may feel wrong simply because of the volume,
but it's a reflection of the fact that many vendors make the exact
same mistake in implementing the same protocol.

There are at least 24 CVE's or candidates that describe buffer
overflows in the GET commands of HTTP servers.  As Sean Hernan
suggested, these were discovered over time.  I suspect there's a
similar issue with FTP GET, SMTP VRFY, etc., since I seem to run into
them a lot.

I don't think many people would like to see a single candidate for
HTTP GET buffer overflows.  Most security products and databases that
I know of will distinguish between these.  (For IDS people who are
thinking about "generic" attack signatures on HTTP GET, that will be
covered by CIEL.)

And how many researchers who found the GET overflow also tried long
MIME headers, format strings, ".." encodings, etc.?  Not many, I don't
think, based on all the later discoveries of new types of problems in
the same protocol command of the same software.  The PROTOS approach
tests many products and many vulnerabilities all at once, not
haphazardly.  I think that the fact that they generate a large number
of candidates reflects the power of their approach.

If we tried to apply the CVE content decisions as they were written a
year and a half ago, we would be trying to distinguish between every
single buffer overflow.  That obviously isn't practical.  But a
principled breakdown, by either test suite or high-level problem
types, is much more feasible.

I think that there is a quantifiable difference between what PROTOS
did and what Jane.Doe@hotmail.com does in her spare time.  CVE content
decisions, if applied properly, reflect that difference.

David LeBlanc said:

>I well understand the academic arguments, but there's a pragmatic
>concern - I don't think we want to double the size of the CVE database
>(oops, list pretending not to be a database, sorry) just to cover a
>bazillion variants of this particular bug.


If a vulnerability database maintainer or product vendor wants to make
this simplification, they can do so without worrying too much about
the repercussions to their users.  I think that there is a stronger
need for CVE to be as consistent as possible, and the reasons are more
than academic.

There are at least 2 main uses for CVE:

1) Making sure that everyone uses the same name for the same
   vulnerability (all together, now! ;-)

2) Providing a consistent mechanism to facilitate quantitative
   comparisons of vulnerability data.

We all know and understand the reason for #1, but this email thread is
about deciding what "same vulnerability" means.

There hasn't been much consideration of #2, but I think that in the
long term, it is pretty important.

Consider:

- There are quantifiable differences in the level of abstraction used
  by CVE and its 4 primary data sources, which affects about 15% of
  all CVE entries/candidates.  Examples are included below.

- We have dozens of security vendors who have declared their
  intentions to become CVE-compatible (BTW, our updated requirements
  are now on the CVE web site).  Once real CVE compatibility happens,
  this will enable product comparisons on an unprecedented level of
  detail, for hundreds of vulnerabilities, not just a dozen or two.
  We haven't seen vendors actively advertising how many CVE's they
  check yet, but I think that will happen.

- I think that there will be an increasing emphasis on objectively
  evaluating software products based on the severity and frequency of
  the security problems that are discovered in them.  It appears that
  the insurance industry is moving in this direction.  For another
  example, look at any recent issue of Information Security magazine -
  there is a firewall vendor that touts their security over others by
  saying how many vulnerabilities have been discovered in their
  competitors' products.  CVE is well-positioned to be part of the
  metrics used in comparative analysis.  It then becomes more
  important that CVE be consistent, at least within itself.

We won't be able to make CVE perfectly consistent.  That would require
perfect knowledge and far more time and resources than is available.
But CVE's major abstraction-related content decisions have been stable
for a year, to the point where I'm almost ready to promote the
affected candidates to entries, or recast the ones that we initially
got wrong.  The CVE content team applies the abstraction CD's
consistently, which is good evidence that determining the level of
abstraction may be a repeatable process.

The practical solution is to do what's reasonable and document places
where we may have made an error in our analysis.  One way to do that
is by more closely associating CVE candidates with their related
content decisions, so that people who care about metrics can
understand how CVE tries to be consistent.  These CDs have become
better documented internally, and I plan to publish them on the CVE
web site so that Candidate Numbering Authorities and others may
reference them.

This would be a way to recognize the serious problem of distinguishing
between codebases in the SNMP implementations.  We make our best guess
about codebases, and all related CVE items are "labeled" with the
CD:SF-CODEBASE content decision.  The experienced CVE consumer would
then know the potential issues related to the abstraction choices made
for that item and others.

I tried to think of a clean way to wrap up this email, but I couldn't.
But take a look at the candidates below to see some examples that
demonstrate how CVE can act as a normalizer.  Feedback is welcome, as
always.

- Steve


VARIANCES IN ABSTRACTION
------------------------

Note: these examples merely illustrate differences.  They are not
meant to criticize how ISS and SecurityFocus decide to distinguish
between issues in their own databases.

Example 1:
   single X-Force record, multiple Bugtraq IDs, single CAN
   content decision: CD:SF-LOC

Example 2:
   single X-Force record, multiple Bugtraq IDs, multiple CANs
   content decision: CD:SF-CODEBASE

Example 3:
   multiple X-Force records, single Bugtraq ID, multiple CANs
   content decision: CD:SF-LOC

Example 4:
   multiple X-Force records, multiple Bugtraq IDs, single CAN
   content decisions: various

Example 5:
   single X-Force record, single Bugtraq ID, multiple CANs
   content decisions: various

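The five abstraction patterns above are just counts: how many X-Force records, Bugtraq IDs and CANs cover one issue once the records are cross-referenced. The following script is an added example, not part of this message or of CVE's own tooling; it parses abridged copies of the candidate records quoted below (the `Candidate:` / `Reference:` format separated by `====` rules), clusters candidates that share an XF name or BID, and labels each cluster with the same wording the examples use. The sample records are constructed from this message and abridged; the clustering rule (shared XF or BID reference means same cluster) is this example's own assumption, not a CVE content decision.

```python
"""Classify clusters of CVE candidates by how many X-Force records and
Bugtraq IDs they share.  Added example; the record format is the one quoted
in this message, the sample below is abridged from its candidates."""
import re
from collections import defaultdict

# Constructed sample input: abridged copies of records from this message.
SAMPLE_RECORDS = """\
======================================================
Candidate: CAN-2001-0949
Reference: XF:eva-forms-bo(7652)
Reference: URL:http://xforce.iss.net/static/7652.php
Reference: BID:3621
Reference: BID:3622
Reference: BID:3624

Buffer overflows in forms.exe CGI program in ValiCert EVA (abridged).

======================================================
Candidate: CAN-1999-0833
Reference: CERT:CA-99-14
Reference: BID:788
Reference: XF:bind-nxt-bo

======================================================
Candidate: CAN-1999-0835
Reference: CERT:CA-99-14
Reference: XF:bind-sigrecord-dos
Reference: BID:788

======================================================
Candidate: CAN-2000-1020
Reference: BID:1689
Reference: XF:mdaemon-url-dos

======================================================
Candidate: CAN-2000-1021
Reference: BID:1689
Reference: XF:mdaemon-url-dos
"""

RULE_RE = re.compile(r"^=+[ \t]*$", re.M)
CAN_RE = re.compile(r"^Candidate:[ \t]*(CAN-\d{4}-\d{4})[ \t]*$", re.M)
# Only the two external databases compared in the message are counted;
# URL:, CERT:, CONFIRM: and other reference types are ignored.
REF_RE = re.compile(r"^Reference:[ \t]*(XF|BID):(\S+)[ \t]*$", re.M)


def parse_records(text):
    """Map each candidate to the X-Force names and Bugtraq IDs it references."""
    records = {}
    for chunk in RULE_RE.split(text):
        m = CAN_RE.search(chunk)
        if not m:
            continue  # leading text, or a chunk without a Candidate: line
        refs = {"XF": set(), "BID": set()}
        for source, ident in REF_RE.findall(chunk):
            refs[source].add(ident)
        records[m.group(1)] = refs
    return records


def cluster_by_shared_refs(records):
    """Group candidates that share an XF record or BID, transitively (assumed rule)."""
    ref_to_cans = defaultdict(set)
    for can, refs in records.items():
        for source in ("XF", "BID"):
            for ident in refs[source]:
                ref_to_cans[(source, ident)].add(can)
    clusters, seen = [], set()
    for start in records:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:  # depth-first walk over the shared-reference graph
            can = stack.pop()
            if can in component:
                continue
            component.add(can)
            for source in ("XF", "BID"):
                for ident in records[can][source]:
                    stack.extend(ref_to_cans[(source, ident)] - component)
        seen |= component
        clusters.append(component)
    return clusters


def describe(n_xf, n_bid, n_can):
    """Render counts in the wording the message uses for its examples."""
    def word(n, singular, plural):
        return "single " + singular if n == 1 else "multiple " + plural
    return ", ".join([word(n_xf, "X-Force record", "X-Force records"),
                      word(n_bid, "Bugtraq ID", "Bugtraq IDs"),
                      word(n_can, "CAN", "CANs")])


def analyze(text):
    """Return {tuple_of_CANs: abstraction pattern} for each cluster in text."""
    records = parse_records(text)
    result = {}
    for cluster in cluster_by_shared_refs(records):
        xf = set().union(*(records[c]["XF"] for c in cluster))
        bid = set().union(*(records[c]["BID"] for c in cluster))
        result[tuple(sorted(cluster))] = describe(len(xf), len(bid), len(cluster))
    return result


if __name__ == "__main__":
    for cans, pattern in analyze(SAMPLE_RECORDS).items():
        print(", ".join(cans), "->", pattern)
```

Run against the full set of records below, the script reproduces the labels given for Examples 1, 3 and 5; for Example 2 it would also fold CAN-2001-1053 (AdCycle) into the includedir cluster, because that record carries the same XF reference even though it describes a different problem, which is exactly the kind of cross-reference inconsistency the message says consumers of CVE metrics need to be aware of.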

********************************************************
Example 1:
   single X-Force record, multiple Bugtraq IDs, single CAN
   content decision: CD:SF-LOC
********************************************************

======================================================
Candidate: CAN-2001-0949
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0949
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011204 NMRC Advisory - Multiple Valicert Problems
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100749428517090&w=2
Reference: CONFIRM:http://www.valicert.com/support/security_advisory_eva.html
Reference: XF:eva-forms-bo(7652)
Reference: URL:http://xforce.iss.net/static/7652.php
Reference: BID:3621
Reference: URL:http://www.securityfocus.com/bid/3621
Reference: BID:3622
Reference: URL:http://www.securityfocus.com/bid/3622
Reference: BID:3624
Reference: URL:http://www.securityfocus.com/bid/3624
Reference: BID:3625
Reference: URL:http://www.securityfocus.com/bid/3625
Reference: BID:3627
Reference: URL:http://www.securityfocus.com/bid/3627
Reference: BID:3628
Reference: URL:http://www.securityfocus.com/bid/3628
Reference: BID:3629
Reference: URL:http://www.securityfocus.com/bid/3629
Reference: BID:3630
Reference: URL:http://www.securityfocus.com/bid/3630
Reference: BID:3631
Reference: URL:http://www.securityfocus.com/bid/3631
Reference: BID:3632
Reference: URL:http://www.securityfocus.com/bid/3632
Reference: BID:3633
Reference: URL:http://www.securityfocus.com/bid/3633
Reference: BID:3634
Reference: URL:http://www.securityfocus.com/bid/3634
Reference: BID:3635
Reference: URL:http://www.securityfocus.com/bid/3635
Reference: BID:3636
Reference: URL:http://www.securityfocus.com/bid/3636

Buffer overflows in forms.exe CGI program in ValiCert Enterprise
Validation Authority (EVA) Administration Server 3.3 through 4.2.1
allows remote attackers to execute arbitrary code via long arguments
to the parameters (1) Mode, (2) Certificate_File, (3) useExpiredCRLs,
(4) listenLength, (5) maxThread, (6) maxConnPerSite, (7) maxMsgLen,
(8) exitTime, (9) blockTime, (10) nextUpdatePeriod, (11) buildLocal,
(12) maxOCSPValidityPeriod, (13) extension, and (14) a particular
combination of parameters associated with private key generation that
form a string of a certain length.

Analysis
----------------
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests combining problems of the same type in
the same version, so all buffer overflows are included in this item.
This is a good example of CVE's "content decisions" at work - XF chose
one level of abstraction and BID chose another.  CD:SF-LOC also
suggests splitting between problems of different types, so the
Valicert overflows, path disclosure, and other types of problems are
separated.


********************************************************
Example 2:
   single X-Force record, multiple Bugtraq IDs, multiple CANs
   content decision: CD:SF-CODEBASE
********************************************************


======================================================
Candidate: CAN-2001-1049
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1049
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0012.html
Reference: CONFIRM:http://phorecast.org/
Reference: BID:3388
Reference: URL:http://www.securityfocus.com/bid/3388
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

Phorecast PHP script before 0.40 allows remote attackers to include
arbitrary files from remote web sites via an HTTP request that sets
the includedir variable.

Analysis
----------------
Vendor Acknowledgement: yes advisory

ACKNOWLEDGEMENT: on the home page in the News section, the news item
dated 2001-10-14 says "IMPORTANT SECURITY NEWS" and includes a link to
the Bugtraq post. The entry for 2001-12-22 says "version 0.40 ...
corrects the security flaw."


======================================================
Candidate: CAN-2001-1050
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1050
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0012.html
Reference: BID:3389
Reference: URL:http://www.securityfocus.com/bid/3389
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

CCCSoftware CCC PHP script allows remote attackers to include
arbitrary files from remote web sites via an HTTP request that sets
the includedir variable.

Analysis
----------------
Vendor Acknowledgement: no

ACKNOWLEDGEMENT: information about this product cannot be found on the
web, so acknowledgement cannot be determined.


======================================================
Candidate: CAN-2001-1051
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1051
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0012.html
Reference: MISC:http://sourceforge.net/tracker/index.php?func=detail&aid=440666&group_id=20971&atid=120971
Reference: BID:3390
Reference: URL:http://www.securityfocus.com/bid/3390
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

Dark Hart Portal (darkportal) PHP script allows remote attackers to
include arbitrary files from remote web sites via an HTTP request that
sets the includedir variable.

Analysis
----------------
Vendor Acknowledgement: unknown vague


======================================================
Candidate: CAN-2001-1052
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1052
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0012.html
Reference: BID:3391
Reference: URL:http://www.securityfocus.com/bid/3391
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

Empris PHP script allows remote attackers to include arbitrary files
from remote web sites via an HTTP request that sets the includedir
variable.

Analysis
----------------
Vendor Acknowledgement:


======================================================
Candidate: CAN-2001-1053
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1053
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010713 AdCycle SQL Command Insertion Vulnerability - qDefense Advisory Number QDAV-2001-7-2
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-07/0249.html
Reference: CONFIRM:http://www.adcycle.com/cgi-bin/download.cgi?type=UNIX&version=1.17
Reference: XF:adcycle-insert-sql-command(6837)
Reference: URL:http://xforce.iss.net/static/6837.php
Reference: BID:3032
Reference: URL:http://www.securityfocus.com/bid/3032
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

AdLogin.pm in AdCycle 1.15 and earlier allows remote attackers to
bypass authentication and gain privileges by injecting SQL code in the
$password argument.

Analysis
----------------
Vendor Acknowledgement: yes changelog

ACKNOWLEDGEMENT: In the README.txt file bundled with the software, the
"[v1.16] July 5, 2001" entry states "fixed security hole (with help
from qDefense.com)."


======================================================
Candidate: CAN-2001-1054
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1054
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0012.html
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?thread_id=148900&forum_id=117952
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=117952
Reference: BID:3392
Reference: URL:http://www.securityfocus.com/bid/3392
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://xforce.iss.net/static/7215.php

PHPAdsNew PHP script allows remote attackers to include arbitrary
files from remote web sites via an HTTP request that sets the
includedir variable.

Analysis
----------------
Vendor Acknowledgement: yes



********************************************************
Example 3:
   multiple X-Force records, single Bugtraq ID, multiple CANs
   content decision: CD:SF-LOC
********************************************************


======================================================
Candidate: CAN-1999-0833
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0833
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: BID:788
Reference: XF:bind-nxt-bo

Buffer overflow in BIND 8.2 via NXT records.


Modifications:
  ADDREF BID:788
  ADDREF XF:bind-nxt-bo

Analysis
----------------
Vendor Acknowledgement: yes


======================================================
Candidate: CAN-1999-0835
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0835
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-sigrecord-dos
Reference: BID:788

Denial of service in BIND named via malformed SIG records.


Modifications:
  DESC Add "malformed"
  ADDREF XF:bind-sigrecord-dos
  ADDREF BID:788

Analysis
----------------
Vendor Acknowledgement: unknown


======================================================
Candidate: CAN-1999-0837
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0837
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-solinger-dos
Reference: BID:788

Denial of service in BIND by improperly closing TCP sessions via
so_linger.


Modifications:
  ADDREF XF:bind-solinger-dos
  ADDREF BID:788

Analysis
----------------
Vendor Acknowledgement: yes


======================================================
Candidate: CAN-1999-0848
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0848
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: BID:788
Reference: XF:bind-fdmax-dos

Denial of service in BIND named via consuming more than "fdmax" file
descriptors.


Modifications:
  ADDREF XF:bind-fdmax-dos
  ADDREF BID:788

Analysis
----------------
Vendor Acknowledgement: yes


======================================================
Candidate: CAN-1999-0849
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0849
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-maxdname-bo

Denial of service in BIND named via maxdname.


Modifications:
  ADDREF XF:bind-maxdname-bo

Analysis
----------------
Vendor Acknowledgement: yes


======================================================
Candidate: CAN-1999-0851
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0851
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: CERT:CA-99-14
Reference: XF:bind-naptr-dos

Denial of service in BIND named via naptr.


Modifications:
  ADDREF XF:bind-naptr-dos

Analysis
----------------
Vendor Acknowledgement: unknown


********************************************************
Example 4:
   multiple X-Force records, multiple Bugtraq IDs, single CAN
   content decisions: various
********************************************************


======================================================
Candidate: CAN-2001-0955
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0955
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: VULN-DEV:20010922 XFree86 DOS / Buffer overflow local and remote.
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=100118958310463&w=2
Reference: BUGTRAQ:20011207 Crashing X
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100776624224549&w=2
Reference: BUGTRAQ:20011208 Re: Crashing X
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=100784290015880&w=2
Reference: CONFIRM:http://www.xfree86.org/4.2.0/RELNOTES2.html#2
Reference: CONFIRM:http://www.xfree86.org/security/
Reference: MISC:http://cvsweb.xfree86.org/cvsweb/xc/programs/Xserver/fb/fbglyph.c
Reference: BID:3663
Reference: URL:http://www.securityfocus.com/bid/3663
Reference: BID:3657
Reference: URL:http://www.securityfocus.com/bid/3657
Reference: XF:xfree86-konqueror-bo(7673)
Reference: URL:http://xforce.iss.net/static/7673.php
Reference: XF:xfree86-xterm-title-bo(7683)
Reference: URL:http://xforce.iss.net/static/7683.php

Buffer overflow in fbglyph.c in XFree86 before 4.2.0, related to glyph
clipping for large origins, allows attackers to cause a denial of
service and possibly gain privileges via a large number of characters,
possibly through the web page search form of KDE Konqueror or from an
xterm command with a long title.

Analysis
----------------
Vendor Acknowledgement: yes
Content Decisions: SF-EXEC, SF-CODEBASE

ABSTRACTION: It is possible that the Konqueror and xterm bugs have
different issues, both of which may or may not be due to the same
problem in XFree86.  However, both of the reports involve X clients
that crash the server - which shouldn't be doable by a client - so
that suggests a common problem that is "exploitable" through different
means.  Various Bugtraq discussions seem to eventually agree that it
is something in XFree86.  However, the XFree86 security reports do not
provide sufficient details to be certain that it is the same
underlying problem.
ACKNOWLEDGEMENT: Some posts on Bugtraq imply that there are patches in
the fbglyph.c file.  The XFree86 security page has the following
comment for version 4.2.0: "Fix a buffer overflow in glyph clipping
for large origin" which could be the same as the issue being discussed
here.
Section 2.3 in the release notes for 4.2.0 says "A security problem
related to glyph clipping for large origins is fixed."
However, the patch was applied on September 16th - a week before the
problem was initially posted to VULN-DEV.
While the vendor's descriptions of the problems do not cleanly match
the exploit scenarios described in the mailing lists - which affects
the certainty of this candidate's description - there seems to be
enough evidence that XFree86 was aware of and fixed this problem.



======================================================
Candidate: CAN-2001-1047
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1047
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: BUGTRAQ:20010602 Locally exploitable races in OpenBSD VFS
Reference: URL:http://www.securityfocus.com/archive/1/188474
Reference: BID:2817
Reference: URL:http://www.securityfocus.com/bid/2817
Reference: BID:2818
Reference: URL:http://www.securityfocus.com/bid/2818
Reference: XF:openbsd-pipe-race-dos(6661)
Reference: URL:http://xforce.iss.net/static/6661.php
Reference: XF:openbsd-dup2-race-dos(6660)
Reference: URL:http://xforce.iss.net/static/6660.php

Race condition in OpenBSD VFS allows local users to cause a denial of
service (kernel panic) by (1) creating a pipe in one thread and
causing another thread to set one of the file descriptors to NULL via
a close, or (2) calling dup2 on a file descriptor in one process, then
setting the descriptor to NULL via a close in another process that is
created via rfork.

Analysis
----------------
Vendor Acknowledgement: unknown
Content Decisions: SF-LOC

ABSTRACTION: CD:SF-LOC suggests that problems of the same type (in
this case, race condition) that appear in the same version should be
combined into a single item.


======================================================
Candidate: CAN-2000-0384
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0384
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000615
Assigned: 20000614
Category: CF
Reference: L0PHT:20000508 NetStructure 7180 remote backdoor vulnerability
Reference: URL:http://www.lopht.com/advisories/ipivot7110.html
Reference: L0PHT:20000508 NetStructure 7110 console backdoor
Reference: URL:http://www.l0pht.com/advisories/ipivot7180.html
Reference: CONFIRM:http://216.188.41.136/
Reference: XF:netstructure-root-compromise
Reference: XF:netstructure-wizard-mode
Reference: BID:1182
Reference: URL:http://www.securityfocus.com/bid/1182
Reference: BID:1183
Reference: URL:http://www.securityfocus.com/bid/1183

NetStructure 7110 and 7180 have undocumented accounts (servnow, root,
and wizard) whose passwords are easily guessable from the
NetStructure's MAC address, which could allow remote attackers to gain
root access.

Analysis
----------------
Vendor Acknowledgement: yes
Content Decisions: CF-PASS



********************************************************
Example 5:
   single X-Force record, single Bugtraq ID, multiple CANs
   content decisions: SF-EXEC, SF-CODEBASE
********************************************************


======================================================
Candidate: CAN-2000-1020
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1020
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2
Reference: BID:1689
Reference: URL:http://www.securityfocus.com/bid/1689
Reference: XF:mdaemon-url-dos
Reference: URL:http://xforce.iss.net/static/5250.php

Heap overflow in Worldclient in Mdaemon 3.1.1 and earlier allows
remote attackers to cause a denial of service and possibly execute
arbitrary commands via a long URL.

Analysis
----------------
Vendor Acknowledgement: unknown claimed
Content Decisions: SF-EXEC

This would appear to be a duplicate of CAN-1999-0844 at first glance,
but VIGILANTE says this is not the case in their advisory.  CD:SF-EXEC
also suggests that separate entries might need to be created for
WorldClient and WebConfig.  Since Board members have voted to RECAST
CAN-1999-0844 (which combines WorldClient and WebConfig), that also
suggests that separate items should be recorded for WorldClient versus
WebConfig.


======================================================
Candidate: CAN-2000-1021
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1021
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001129
Assigned: 20001124
Category: SF
Reference: BUGTRAQ:20000917 VIGILANTE-2000012: Mdaemon Web Services Heap Overflow DoS
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=96925269716274&w=2
Reference: BID:1689
Reference: URL:http://www.securityfocus.com/bid/1689
Reference: XF:mdaemon-url-dos
Reference: URL:http://xforce.iss.net/static/5250.php

Heap overflow in WebConfig in Mdaemon 3.1.1 and earlier allows remote
attackers to cause a denial of service and possibly execute arbitrary
commands via a long URL.

Analysis
----------------
Vendor Acknowledgement: unknown claimed
Content Decisions: SF-EXEC

This would appear to be a duplicate of CAN-1999-0844 at first glance,
but VIGILANTE says this is not the case in their advisory.  CD:SF-EXEC
also suggests that separate entries might need to be created for
WorldClient and WebConfig.  Since Board members have voted to RECAST
CAN-1999-0844 (which combines WorldClient and WebConfig), that also
suggests that separate items should be recorded for WorldClient versus
WebConfig.

Page Last Updated or Reviewed: May 22, 2007