CVE-2002-0896
CVSS 5.0
Published: 2002-10-04 00:00:00
Revised: 2008-09-05 16:29:14

[Original] The throttle capability in Swatch may fail to report certain events if (1) the same type of event occurs after the throttle period, or (2) when multiple events matching the same "watchfor" expression do not occur after the throttle period, which could allow attackers to avoid detection.


[CNNVD] Swatch Throttled Event Reporting Vulnerability (CNNVD-200210-218)

        Swatch is a free, open-source log monitoring tool that runs on many Unix and Linux operating systems.
        Swatch has a design flaw that can cause events to go unreported.
        When Swatch detects that an event has occurred several times, it throttles reporting of that event, that is, it does not report the same event repeatedly. However, if a throttled event occurs again a month later, it is not reported either.
        The problem lies at line 1037 of the swatch source, which compares the months of the old and new events; if the new event's month is greater, the new event's year is decremented:
        if ($ymdhms[1] > $Msg_Rec{$key}->{ymdhms}[1]) { $ymdhms[0]--; }
        Line 1038 then computes the difference between the two event dates:
        my @delta_dhms = Delta_DHMS(@{$Msg_Rec{$key}->{ymdhms}}, @ymdhms);
        Lines 1039 to 1042 decide whether the new event has to be reported:
        foreach my $i (0..$#min_dhms_delta) {
            $passed = 0 if ($delta_dhms[$i] < $min_dhms_delta[$i]);
            last unless ($delta_dhms[$i] == $min_dhms_delta[$i]);
        }
        If $passed is 1, the event must be reported.
        This means that when the two events fall in different months, the new event is treated as older than the remembered one: the difference between the two is always negative, so $delta_dhms[$i] is always less than $min_dhms_delta[$i], $passed becomes 0, and Swatch never reports the event.
        Because the log entry is not reported, an attacker's activity can go unnoticed.

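A Python model of the throttle check quoted above, added here as an illustration; it is not swatch's own Perl code. Timestamps and the threshold follow the layout of swatch's @ymdhms and @min_dhms_delta; the sample events and the "fixed" variant (simply skipping the month-based year adjustment) are constructed assumptions and not the vendor's interim patch.

```python
# Added example (not swatch's own code): a Python model of the Swatch 3.0.4
# throttle check. Timestamps are [year, month, day, hour, minute, second]
# lists like swatch's @ymdhms; the threshold is [days, hours, minutes, seconds]
# like @min_dhms_delta. The "fixed" branch and all sample events are
# constructed for illustration and are not the vendor's interim patch.
from datetime import datetime


def delta_dhms(old, new):
    """Stand-in for Date::Calc's Delta_DHMS: (days, hours, minutes, seconds)
    from old to new, every component carrying the sign of the difference."""
    secs = int((datetime(*new) - datetime(*old)).total_seconds())
    sign = -1 if secs < 0 else 1
    days, rem = divmod(abs(secs), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return [sign * days, sign * hours, sign * minutes, sign * seconds]


def throttle_passes(old, new, min_dhms, vulnerable=True):
    """Return True when the new event must be reported (swatch's $passed)."""
    new = list(new)  # never mutate the caller's timestamp
    if vulnerable:
        # Line 1037 as shipped: a later month DECREMENTS the new event's year,
        # so an event one month after the remembered one lands about eleven
        # months before it and the delta below turns negative.
        if new[1] > old[1]:
            new[0] -= 1
    # Fixed variant (assumption): compare the timestamps exactly as recorded,
    # with no month-based year adjustment at all.
    delta = delta_dhms(old, new)  # line 1038
    # Lines 1039-1042: lexicographic comparison of the delta against the
    # throttle threshold; a component below the threshold blocks the report.
    passed = True
    for i in range(len(min_dhms)):
        if delta[i] < min_dhms[i]:
            passed = False
        if delta[i] != min_dhms[i]:
            break
    return passed


if __name__ == "__main__":
    old = [2002, 5, 15, 10, 0, 0]     # constructed: the remembered event
    later = [2002, 6, 15, 10, 0, 0]   # constructed: same event one month on
    throttle = [0, 0, 10, 0]          # constructed: a 10-minute throttle
    print("vulnerable:", throttle_passes(old, later, throttle))         # False
    print("fixed:     ", throttle_passes(old, later, throttle, False))  # True
```

With the shipped adjustment the June event is never reported, while two events ten minutes apart in the same month are throttled and released correctly, so only the cross-month case misbehaves.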

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:swatch:swatch:3.0.3
cpe:/a:swatch:swatch:3.0.4

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0896
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0896
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-218
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/4746
(VENDOR_ADVISORY)  BID  4746
http://www.iss.net/security_center/static/9100.php
(VENDOR_ADVISORY)  XF  swatch-event-reporting-failure(9100)
http://online.securityfocus.com/archive/1/272582
(UNKNOWN)  BUGTRAQ  20020515 swatch bug in throttle

- Vulnerability information

Swatch Throttled Event Reporting Vulnerability
Medium  Design error
2002-10-04 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * No suitable workaround is available at this time.
        Vendor patches:
        Swatch
        ------
        An interim patch, provided by SUZUKI Yasuhiro <ysuzuki@bb.mbn.or.jp>, is available at:

        http://plaza8.mbn.or.jp/~yswww/myself/swatch-en.html

- Vulnerability information

14447
Swatch Throttled Events Notification Bypass

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-05-15 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Swatch Throttled Event Reporting Vulnerability
Design Error 4746
Yes No
2002-05-15 12:00:00 2009-07-11 12:46:00
Vulnerability discovery credited to SUZUKI Yasuhiro <ysuzuki@bb.mbn.or.jp>.

- Affected program versions

Swatch Swatch 3.0.4
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Server 3.1
- Caldera OpenLinux Workstation 3.1.1
- Caldera OpenLinux Workstation 3.1
- Compaq Tru64 5.1 a
- Compaq Tru64 5.1
- Compaq Tru64 5.0 f
- Compaq Tru64 5.0 a
- Compaq Tru64 5.0
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 4.1.1
- HP HP-UX 11.20
- HP HP-UX 11.11
- HP HP-UX 11.0
- HP HP-UX 10.20
- Mandriva Linux Mandrake 8.2
- Mandriva Linux Mandrake 8.1 ia64
- Mandriva Linux Mandrake 8.1
- Mandriva Linux Mandrake 8.0 ppc
- Mandriva Linux Mandrake 8.0
- NetBSD NetBSD 1.5.2
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5
- OpenBSD OpenBSD 2.9
- OpenBSD OpenBSD 3.1
- OpenBSD OpenBSD 3.0
- RedHat Linux 7.3 i386
- RedHat Linux 7.2 ia64
- RedHat Linux 7.2 i386
- RedHat Linux 7.2 alpha
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1 i386
- RedHat Linux 7.0 sparc
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
- S.u.S.E. Linux 8.0 i386
- S.u.S.E. Linux 7.3 sparc
- S.u.S.E. Linux 7.3 ppc
- S.u.S.E. Linux 7.3 i386
- S.u.S.E. Linux 7.2 i386
- S.u.S.E. Linux 7.1 x86
- S.u.S.E. Linux 7.1 sparc
- S.u.S.E. Linux 7.1 ppc
- S.u.S.E. Linux 7.1 alpha
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 2.6_x86
- Sun Solaris 2.6
Swatch Swatch 3.0.3
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Server 3.1
- Caldera OpenLinux Workstation 3.1.1
- Caldera OpenLinux Workstation 3.1
- Compaq Tru64 5.1 a
- Compaq Tru64 5.1
- Compaq Tru64 5.0 f
- Compaq Tru64 5.0 a
- Compaq Tru64 5.0
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 4.1.1
- HP HP-UX 11.20
- HP HP-UX 11.11
- HP HP-UX 11.0
- HP HP-UX 10.20
- Mandriva Linux Mandrake 8.2
- Mandriva Linux Mandrake 8.1 ia64
- Mandriva Linux Mandrake 8.1
- Mandriva Linux Mandrake 8.0 ppc
- Mandriva Linux Mandrake 8.0
- NetBSD NetBSD 1.5.2
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5
- OpenBSD OpenBSD 2.9
- OpenBSD OpenBSD 3.1
- OpenBSD OpenBSD 3.0
- RedHat Linux 7.3 i386
- RedHat Linux 7.2 ia64
- RedHat Linux 7.2 i386
- RedHat Linux 7.2 alpha
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1 i386
- RedHat Linux 7.0 sparc
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
- S.u.S.E. Linux 8.0 i386
- S.u.S.E. Linux 7.3 sparc
- S.u.S.E. Linux 7.3 ppc
- S.u.S.E. Linux 7.3 i386
- S.u.S.E. Linux 7.2 i386
- S.u.S.E. Linux 7.1 x86
- S.u.S.E. Linux 7.1 sparc
- S.u.S.E. Linux 7.1 ppc
- S.u.S.E. Linux 7.1 alpha
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 2.6_x86
- Sun Solaris 2.6

- Vulnerability discussion

Swatch is a freely available, open source log watching utility. It is available for the Unix and Linux platforms.

Under some circumstances, a message may not be reported by swatch. When an event occurs on a system numerous times, and swatch has placed a throttle on the event to prevent multiple alerts, swatch does not sufficiently handle events of the same type afterwards. When an event has occurred and alerts for the event are throttled, a bug in the swatch throttle code prevents swatch from reporting the event if it occurs a month later.

- Exploit

No exploit is required for this vulnerability.

- Solution

An interim patch for swatch 3.0.4 has been supplied by SUZUKI Yasuhiro <ysuzuki@bb.mbn.or.jp>, available at http://plaza8.mbn.or.jp/~yswww/myself/swatch-en.html.

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- References
