-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================

===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Teun Nijssen/CERT-NL                        Index  :    S-92-18
Distribution  : SURFnet constituency                        Page   :          1
Classification: External                                    Version:      final
Subject       : VMS MONITOR V5.3 through V5.4-2             Date   :  22-oct-92
===============================================================================

CERT-NL (SURFnet Computer Emergency Response Team) has received
additional information concerning the previously known security
problem in VMS Monitor. The following text is a verbatim copy of
Digital's advisory:

     -------------------------------------------------------------------------  
     21-OCT-1992 SSRT-0200-1 (ADDENDUM)
     21-AUG-1992 SSRT-0200
  
     SOURCE:     Digital Equipment Corporation
     AUTHOR:     Software Security Response Team - U.S.
                        Colorado Springs USA

       PRODUCT: VMS MONITOR V5.3 through V5.4-2 

             PROBLEM: Potential Security Vulnerability in VMS Monitor Utility
            SOLUTION: A VMS V5.3 through V5.4-2 remedial kit is now available 
                      by contacting your normal Digital Services Support 
                      organization.     

            NOTE:     This problem has been corrected in VAX VMS V5.4-3
                      (released in October 1991).  
                      
           __________________________________________________________________
           The kit may be identified as MONTOR$S01_053 / MONTOR$S01_054,
           (or CSCPAT_1047 via DSIN, and DSNlink)
     ------------------------------------------------------------------
  
     Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved.
     Published Rights Reserved Under The Copyright Laws Of The United States.

     -------------------------------------------------------------------------  
     ADVISORY ADDENDUM INFORMATION:
     -------------------------------------------------------------------------  


     In August 1992, an advisory and article was distributed describing poten-
     tial security vulnerability discovered in the VMS Monitor utility and
     provided suggested workarounds to remove the vulnerability. The advisory
     was labeled SSRT-200 "Potential Security Vulnerability in VMS Monitor
     Utility".

     This addendum follows that advisory with information of the availability 
     of a kit containing a new sys$share:spishr.exe for VMS V5.3-* through VMS 
     V5.4-2 and may be identified as MONTOR$S01_053 and MONTOR$S01_054
     respectively from your Digital Services organization. 
     In the U.S.the kit is also identified as CSCPAT_1047 via DSIN and DSNlink.

Note:This potential vulnerability does not exist in VMS V5.4-3 and later
     versions of VMS.  Digital strongly recommends that you upgrade to a
     minimum of VMS V5.4-3, and further, to the latest release of VMS V5.5-1.
     (released in July, 1992)

     If you cannot upgrade to a minimum of VMS V5.4-3 at this time,
     Digital strongly recommends that you install the available V5.3-* 
     through V5.4-2 kit on your  system(s), available from your support 
     organization, to avoid any potential vulnerability. 

     You may obtain a kit for VMS V5.3 thru V5.4-2 by contacting your normal
     Digital Services support organization. (Customer Support Center, using 
     DSNlink or DSIN, or your local support office)   

     As always, Digital recommends that you periodically review your system
     management and security procedures.  Digital will continue to review and
     enhance the security features of its products and work with customers to
     maintain and improve the security and integrity of their systems.

     End of Advisory
     -------------------------------------------------------------------------  


CERT-NL wishes to thank Digital's Software Security Response Team for
this information and advises system manager's running relevant versions
of VMS to obtain the mentioned security kit from Digital Netherlands.

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6V+zSYjBqwfc9jEQJegQCgiwUsjRfqPyIfLKQOBxhJuRSS9XsAn2nu
PXSv59VhGhoiQeX7bm4JH8i4
=FrAP
-----END PGP SIGNATURE-----