-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL Teun Nijssen                        Index  :    S-93-07
Distribution  : SURFnet Constituency                        Page   :          1
Classification: External                                    Version:      Final
Subject       : VAX/VMS failure to disable user accounts    Date   :  13-Feb-93
===============================================================================

CERT-NL has received information concerning a vulnerability in VAX/VMS.
The following information comes from CIAC, a partner member of FIRST.

- ----------------------------------------------------------------------
PROBLEM: VMS systems configured to disable user accounts experiencing
break-in attempts may not disable those accounts, as required.
PLATFORM: VAXstations using DECwindows or Motif, VMS versions 5.3
through Open VMS 5.5-2.
DAMAGE: Unauthorized users could gain access given sufficient time.
SOLUTION: Apply patch CSCPAT_0239019 or physically secure workstations
if accounts are so configured.
________________________________________________________________________
    Critical Facts about potential vulnerability in VMS VAXstations

CIAC has learned of a vulnerability in VAXstations running (Open) VMS
versions 5.3 through 5.5-2 when using VMS DECwindows or VMS DECwindows
MOTIF.  The vulnerability applies to systems where the SYSGEN
parameter for disabling accounts under attack is enabled (i.e.,
LGI_BRK_DISUSER is set to 1).  If the "break-in limit," i.e, log-in
failure count threshold (SYSGEN parameter LGI_BRK_LIM) is exceeded
during an interval determined by an algorithm using LGI_BRK_TMO, the
account will NOT be disabled, allowing repeated attacks.  Other
security functions will continue to work correctly, such as evasion
and SYSUAF counts for log-in failures, as well as security audit
recording.  The vulnerability is not present when using non-local
DECwindows or MOTIF access via DECnet.

If you are not required to invoke automatic account disabling, CIAC
recommends that you secure your systems by prudently managing
passwords and effectively setting break-in detection and evasion
SYSGEN parameters.  In most cases the default parameter settings are
adequate.  You may further strengthen evasion security by

  o reducing LGI_BRK_LIM (default 5 log-in attempts)
  o increasing LGI_HID_TIM (default 300 seconds)
  o increasing LGI_BRK_TMO (default 300 seconds)
  o changing LGI_BRK_TERM to 0 (default is 1)

Be advised that each parameter change may increase the risk of denial
of service to legitimate users.  If you have dial up access, make
certain that the parameter LGI_RETRY_LIM is not increased beyond its
default value of three.

In all cases, CIAC recommends that you first upgrade to the latest
version of Open VMS and windowing software (to correct other potential
vulnerabilities).  To correct the potential vulnerability identified
in this bulletin, apply patch suite CSCPAT_0239019, available from
Digital.  If you have DSNlink for VMS, use the DSNlink VTX Patch
Application.  When prompted for a search string, use the keyword
CSCPAT_0239019.  If you do not have DSNlink for VMS, contact your
local Digital office or your Digital Support Center for the patch.

If you cannot obtain or apply the patch, you should restrict
workstation physical access to authorized users.

CIAC wishes to acknowledge Tom Moore and Mona Wecksung of Los Alamos
National Laboratory for bringing the vulnerability to our attention,
and Rich Boren of Digital's Software Security Response Team for
leading problem resolution efforts.

- ------------------------------------------------------------------------------ 

CERT-NL thanks CIAC for bringing this information to our attention.
We advise the SURFnet CERT constituency to check whether their
VAX/VMS user disabling policy is affected by the problems mentioned
in CIAC's advisory and to act according to the advise given.

houdoe

teun

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6WAjSYjBqwfc9jEQK44QCgvIgrkxT77QNqq+kKw1iETJrXmY0AnjMY
wJrIwUM9BxuypkP6m2wkx5pA
=wsA7
-----END PGP SIGNATURE-----