~ubuntu-security/ubuntu-cve-tracker/master

USNs need a consistent feel. Eg:

[<name> discovered that....] <problem>.  <kinds of exploits
possible>.  Spell out things like denial of service or man
in the middle.
(CVE-XXXX-XXXX) -- only if multiple CVEs


Be specific, but not overly detailed.  Examples:

Temporary file race:
<name> discovered that <pkg> created temporary files in an insecure way.
<Local|Remote> users could exploit a race condition to create or overwrite
files with the privileges of the user invoking the program.

User-assisted:
<name> discovered that <pkg> did <error condition>.  If a user were tricked
into opening a specially crafted <file type>, an attacker could <result>
in <pkg>.

It was discovered that libpng did not properly perform bounds checking and
comparisons in certain operations. If a user were tricked into opening a
specially crafted PNG image, an attacker could cause a denial of service in
applications linked against libpng.


Remote vulnerability:
<name> discovered that <pkg> did <error condition>. A remote attacker could
<attack technique> to the server and <result>.

Nahuel Riva and Gerardo Richarte discovered that the DHCP server did not
correctly handle certain client options. A remote attacker could send malicious
DHCP replies to the server and execute arbitrary code. 


Remote authenticated user vulnerability:
<name> discovered that <pkg> did <error condition>. An authenticated user could
<attack technique> to <result>.

Neil Kettle discovered that MySQL could be made to dereference a NULL pointer
and divide by zero. An authenticated user could exploit this with a crafted IF
clause, leading to a denial of service. (CVE-2007-2583)


Automated system:
<name> discovered that <pkg> did <error condition>. If a user or automated
system were tricked...

It was discovered that bzip2 did not correctly handle certain malformed
archives. If a user or automated system were tricked into processing a
specially crafted bzip2 archive, applications linked against libbz2 could be
made to crash, possibly leading to a denial of service. 


Local vulnerability:
<name> discovered that <pkg> did <error condition>. A local user could <attack
technique> and <result>.

Ludwig Nussel discovered that mount and umount did not properly drop privileges
when using helper programs. Local users may be able to bypass security
restrictions and gain root privileges using programs such as mount.nfs or
mount.cifs.


Man-in-the-middle vulnerability:
<name> discovered that <pkg> did not <error condition> when using a secure
connection. If a remote attacker were able to perform a man-in-the-middle
attack, this flaw could be exploited to view sensitive information.

It was discovered that Pidgin did not validate SSL certificates when using a
secure connection. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to view sensitive
information.

In the above:
<result> might be:
* what privileges the attacker ends up with.  e.g.  "..and execute arbitrary
code with root privileges" or "... with user privileges"
* denial of service
* escalated privileges

Tips:
use "authenticated user" instead of "attacker" for flaws that need a live,
authenticated connection, to give a better sense of the scope.

don't capitalize things like "denial of service"

do capitalize when there is an official upstream name (eg MySQL vs mysql)

write the USN in past tense.  Eg "MySQL had a vulnerability" vs "MySQL has a
vulnerability"
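
Most of the conventions above are mechanical enough to check before a USN is
published. The following is an added example, not a script from
ubuntu-cve-tracker: a small heuristic linter that takes a draft description and
the list of CVE ids the USN covers, and reports capitalized "denial of service"
or "man-in-the-middle", present-tense verbs, CVE references that are missing,
unknown, or present in a single-CVE USN, and descriptions that never say who can
exploit the flaw or what the result is. The sample drafts are constructed from
the Pidgin and MySQL examples on this page; the CVE-XXXX-XXXX and CVE-YYYY-YYYY
ids are placeholders, not real references. The tips that need judgement (when
"authenticated user" fits better than "attacker", how an upstream spells its
own name) are deliberately not checked.

```python
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Phrases the style notes want lowercase in running text.
LOWERCASE_PHRASES = ("denial of service", "man-in-the-middle", "man in the middle")

# Present-tense forms that signal the description was not written in past tense.
PRESENT_TENSE_RE = re.compile(r"\b(does not|do not|has|have|is|are)\b")

# Every template on the page names who can exploit the flaw ...
SCOPE_PHRASES = ("local user", "remote attacker", "authenticated user",
                 "user were tricked", "user or automated system were tricked")

# ... and spells out the result.
IMPACT_PHRASES = ("denial of service", "execute arbitrary code",
                  "sensitive information", "privileges", "bypass security restrictions")


def _sentence_initial(text, pos):
    """True if text[pos] begins a sentence (start of text or after a full stop)."""
    before = text[:pos].rstrip()
    return before == "" or before.endswith((".", "!", "?"))


def lint_usn(description, cves):
    """Check one USN description against the style notes.

    description: the prose paragraph(s) of the USN (wrapped lines are fine).
    cves: the CVE ids the USN covers.
    Returns a list of (rule, message) findings; an empty list means clean.
    """
    text = " ".join(description.split())  # collapse wrapped lines
    lowered = text.lower()
    findings = []

    # 1. don't capitalize things like "denial of service" (sentence-initial is fine)
    for phrase in LOWERCASE_PHRASES:
        for m in re.finditer(re.escape(phrase), text, re.IGNORECASE):
            if m.group(0) != phrase and not _sentence_initial(text, m.start()):
                findings.append(("capitalisation", f"write {m.group(0)!r} as {phrase!r}"))

    # 2. write the USN in past tense; report the first present-tense form found
    m = PRESENT_TENSE_RE.search(text)
    if m:
        findings.append(("tense", f"present tense {m.group(0)!r}; use past tense (did, was, had)"))

    # 3. (CVE-XXXX-XXXX) only if multiple CVEs
    referenced = set(CVE_RE.findall(text))
    if len(cves) > 1:
        missing = sorted(set(cves) - referenced)
        if missing:
            findings.append(("cve-refs", "multiple CVEs but text does not cite: " + ", ".join(missing)))
        unknown = sorted(referenced - set(cves))
        if unknown:
            findings.append(("cve-refs", "text cites ids not in the USN: " + ", ".join(unknown)))
    elif referenced:
        findings.append(("cve-refs", "single-CVE USN should not cite the id in the text"))

    # 4. say who can exploit it
    if not any(p in lowered for p in SCOPE_PHRASES):
        findings.append(("scope", "say who can exploit it: local user, remote attacker, "
                                  "authenticated user, or a tricked user"))

    # 5. spell out the result
    if not any(p in lowered for p in IMPACT_PHRASES):
        findings.append(("impact", "spell out the result, e.g. denial of service "
                                   "or arbitrary code execution"))

    return findings


# Constructed samples: the Pidgin example from the page as written, the same
# example rewritten in the wrong style, and the MySQL example as written.
CLEAN = """It was discovered that Pidgin did not validate SSL certificates when using a
secure connection. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to view sensitive
information."""

DRAFT = """It was discovered that Pidgin does not validate SSL certificates when using a
secure connection. If a remote attacker is able to perform a Man-in-the-Middle
attack, this flaw could be exploited to view sensitive information."""

MYSQL = """Neil Kettle discovered that MySQL could be made to dereference a NULL pointer
and divide by zero. An authenticated user could exploit this with a crafted IF
clause, leading to a denial of service. (CVE-2007-2583)"""

if __name__ == "__main__":
    for name, desc, ids in (("clean", CLEAN, ["CVE-XXXX-XXXX"]),
                            ("draft", DRAFT, ["CVE-XXXX-XXXX", "CVE-YYYY-YYYY"]),
                            ("mysql", MYSQL, ["CVE-2007-2583"])):
        print(name, lint_usn(desc, ids) or "ok")
```

The tense and scope checks are heuristics: they catch the common slips ("has",
"does not", no mention of who can exploit the flaw) but a draft that passes still
needs a human read for the points the tips leave to judgement.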