Subject VMS MONITOR V5.3 through V5.4-2 Date 22-oct-92
db0dbd5bd8bbc2600ca2aa3f25b578143064ac94c4925f726d55ccb8ca39ed6f
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Teun Nijssen/CERT-NL Index : S-92-18
Distribution : SURFnet constituency Page : 1
Classification: External Version: final
Subject : VMS MONITOR V5.3 through V5.4-2 Date : 22-oct-92
===============================================================================
CERT-NL (SURFnet Computer Emergency Response Team) has received
additional information concerning the previously known security
problem in VMS Monitor. The following text is a verbatim copy of
Digital's advisory:
-------------------------------------------------------------------------
21-OCT-1992 SSRT-0200-1 (ADDENDUM)
21-AUG-1992 SSRT-0200
SOURCE: Digital Equipment Corporation
AUTHOR: Software Security Response Team - U.S.
Colorado Springs USA
PRODUCT: VMS MONITOR V5.3 through V5.4-2
PROBLEM: Potential Security Vulnerability in VMS Monitor Utility
SOLUTION: A VMS V5.3 through V5.4-2 remedial kit is now available
by contacting your normal Digital Services Support
organization.
NOTE: This problem has been corrected in VAX VMS V5.4-3
(released in October 1991).
__________________________________________________________________
The kit may be identified as MONTOR$S01_053 / MONTOR$S01_054,
(or CSCPAT_1047 via DSIN, and DSNlink)
------------------------------------------------------------------
Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved.
Published Rights Reserved Under The Copyright Laws Of The United States.
-------------------------------------------------------------------------
ADVISORY ADDENDUM INFORMATION:
-------------------------------------------------------------------------
In August 1992, an advisory and article was distributed describing poten-
tial security vulnerability discovered in the VMS Monitor utility and
provided suggested workarounds to remove the vulnerability. The advisory
was labeled SSRT-200 "Potential Security Vulnerability in VMS Monitor
Utility".
This addendum follows that advisory with information of the availability
of a kit containing a new sys$share:spishr.exe for VMS V5.3-* through VMS
V5.4-2 and may be identified as MONTOR$S01_053 and MONTOR$S01_054
respectively from your Digital Services organization.
In the U.S.the kit is also identified as CSCPAT_1047 via DSIN and DSNlink.
Note:This potential vulnerability does not exist in VMS V5.4-3 and later
versions of VMS. Digital strongly recommends that you upgrade to a
minimum of VMS V5.4-3, and further, to the latest release of VMS V5.5-1.
(released in July, 1992)
If you cannot upgrade to a minimum of VMS V5.4-3 at this time,
Digital strongly recommends that you install the available V5.3-*
through V5.4-2 kit on your system(s), available from your support
organization, to avoid any potential vulnerability.
You may obtain a kit for VMS V5.3 thru V5.4-2 by contacting your normal
Digital Services support organization. (Customer Support Center, using
DSNlink or DSIN, or your local support office)
As always, Digital recommends that you periodically review your system
management and security procedures. Digital will continue to review and
enhance the security features of its products and work with customers to
maintain and improve the security and integrity of their systems.
End of Advisory
-------------------------------------------------------------------------
CERT-NL wishes to thank Digital's Software Security Response Team for
this information and advises system manager's running relevant versions
of VMS to obtain the mentioned security kit from Digital Netherlands.
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).
All CERT-NL material is available under:
http://cert.surfnet.nl/
In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).
CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands
NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i
iQA/AwUBOL6V+zSYjBqwfc9jEQJegQCgiwUsjRfqPyIfLKQOBxhJuRSS9XsAn2nu
PXSv59VhGhoiQeX7bm4JH8i4
=FrAP
-----END PGP SIGNATURE-----