94-06
Posted Sep 23, 1999

SHA-256 | 9a16600f8918f455facd3fdcb105c1e3fa981e6815bc7277e235aad1c9a5ce4c

=============================================================================
AA-94.06 AUSCERT Advisory
01-Dec-1994
DECnet/OSI Vulnerabilities for OpenVMS
-----------------------------------------------------------------------------

Potential security vulnerabilities for OpenVMS systems running versions of
DECnet/OSI prior to Version 5.8.

1. Description

Security vulnerabilities exist in the following versions of DECnet/OSI on
the following platforms:
* DEC Alpha AXP OpenVMS systems
    Versions 2.0, 2.0A and 5.7
* DEC VAX/VMS OpenVMS systems
    Versions 5.5, 5.6, 5.6A, 5.6B, 5.7 and 5.7A
    DECnet-VAX Version 5.4 extensions


2. Impact

Unprivileged system users may gain unauthorized, expanded privileges or may
crash the operating system.


3. Proposed Solutions

These vulnerabilities may be eliminated by:
* upgrading to DECnet/OSI Version 5.8 (see Section 3.1); or
* applying DEC-supplied patches to versions earlier than 5.8
  (see Section 3.2); or
* applying the workaround provided in the DEC advisory below
  (see Section 3.3).


3.1 Upgrade to DECnet/OSI Version 5.8

DEC customers who have a maintenance agreement with the media and
documentation update service will receive DECnet/OSI Version 5.8
automatically.

DEC customers who do not have a maintenance agreement with update service
may buy DECnet/OSI Version 5.8 by contacting DECdirect on 008 021 393.


3.2 Patch File Information

Patch files are available via DSNlink for warranty and contract customers.

All other DEC customers may obtain patches by placing a service call with
the Customer Support Centre (CSC) by calling 008 252 277.

Name CSCPAT_0597011.A
OpenVMS Checksum 4247567393
MD5 Checksum 79DBE63AC8855D6759EA73B5F419F8ED

Name CSCPAT_0597011.B
OpenVMS Checksum 1811769591
MD5 Checksum 279E735D15915FC66941D5E2595FA932

Name CSCPAT_0615011.A
OpenVMS Checksum 756388445
MD5 Checksum 19E698B26F0FAEF75314891A6FB85A7C

Name CSCPAT_0615011.RELEASE_NOTES
OpenVMS Checksum 38157879
MD5 Checksum 9CEF6DF7DF15FEE539D9159D681C6F12

Name CSCPAT_0618010.A
OpenVMS Checksum 1502668639
MD5 Checksum 35A7F541B209608869ACD8D2086DA4B6

The patches also fix a bug in the Common Trace Facility (CTF) User
Interface which causes systems to crash, and correct other problems.


3.3 Workaround

Digital Equipment Corporation has requested that their Advisory be reprinted
exactly as it was received:

======== Reprint of Digital Equipment Corporation Advisory begins ========

SOURCE: Digital Equipment Corporation
AUTHOR: Software Security Response Team Colorado Springs, CO.
PRODUCT: The following products are affected:

o DECnet-VAX, Version 5.4 Extensions

o DECnet/OSI Version 2.0 for OpenVMS AXP
o DECnet/OSI Version 2.0A for OpenVMS AXP
o DECnet/OSI Version 5.7 for OpenVMS AXP

o DECnet/OSI Version 5.5 for OpenVMS VAX
o DECnet/OSI Version 5.6 for OpenVMS VAX
o DECnet/OSI Version 5.6A for OpenVMS VAX
o DECnet/OSI Version 5.6B for OpenVMS VAX
o DECnet/OSI Version 5.7 for OpenVMS VAX
o DECnet/OSI Version 5.7A for OpenVMS VAX

SYMPTOM: User privileges may be expanded under certain circumstances.

FIX: This potential vulnerability can be removed by installing one of the
following software updates or Engineering Change Orders (ECOs) available
from Digital:

Software update:
----------------
DECnet/OSI Version 5.8 for OpenVMS AXP
DECnet/OSI Version 5.8 for OpenVMS VAX

                                          ECO
Software version:                         number  CSCPAT number
-----------------                         ------  -------------
DECnet/OSI Version 5.6B for OpenVMS VAX   10      CSCPAT_0597 V1.1
DECnet/OSI Version 5.7 for OpenVMS AXP    02      CSCPAT_0615 V1.1
DECnet/OSI Version 5.7A for OpenVMS VAX   07      CSCPAT_0618 V1.0

Engineering ECO References:

CSCPAT_0597 V1.1 = DNVOSIB_ECO10056
CSCPAT_0615 V1.1 = DNVOSIAXP_ECO02057
CSCPAT_0618 V1.0 = DNVOSIA_ECO07057

If you are unable to install one of the above listed updates or ECOs,
or if there is no ECO available for the version of DECnet that you are
currently running, see the workaround described later.

Execute the following command to determine which version of DECnet you
are currently running:

$ WRITE SYS$OUTPUT F$GETSYI("DECNET_VERSION")

If "00040100" or "00040200" is displayed then DECnet-VAX, Version 5.4
Extensions is installed. If the "version" begins with "0005", it means that
DECnet/OSI is installed. Use the following command to find the version
number:

$ MCR NCL SHOW IMPLEMENTATION

and look for the line beginning with "Version =". For example:

$ WRITE SYS$OUTPUT F$GETSYI("DECNET_VERSION")
00050300

$ MCR NCL SHOW IMPLEMENTATION

Node 0
at 1994-08-24-16:29:38.991+02:00I1.690
Characteristics
    Implementation =
        {
            [
            Name = VMS ,
            Version = "V6.1 "
            ] ,
            [
            Name = DECnet-OSI for OpenVMS ,
            Version = "DECnet-OSI for OpenVMS Version V5.7 14-JAN-1994..."
            ]
        }

Therefore, DECnet/OSI Version 5.7 for OpenVMS (VAX) is running on this
particular machine.

WORKAROUND: If you are unable to install one of the software updates or
ECOs listed previously, we strongly recommend that you de-install the
Common Trace Facility User Interface image (SYS$SYSTEM:CTF$UI.EXE) from
memory. Execute the following command to determine if this image is
installed on your system:

$ INSTALL LIST SYS$SYSTEM:CTF$UI.EXE

The following output is displayed if the image is installed:

DISK$OPENVMS061:<SYS0.SYSCOMMON.SYSEXE>.EXE
CTF$UI;5 Prv

Execute the following command to de-install the image from memory. Note
that you require the privilege CMKRNL to do this.

$ INSTALL REMOVE SYS$SYSTEM:CTF$UI.EXE

In addition to de-installing the image from memory, steps should be taken
to ensure that the image is not (re-)installed during a subsequent machine
reboot, or when the Common Trace Facility startup command file is executed.

To do this, edit the Common Trace Facility startup command file
(SYS$COMMON:[SYSMGR]CTF$STARTUP.COM) and search for the following text:

F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe

Comment out the code that installs the image into memory as follows:

Original code:

$ IF .NOT. F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe","KNOWN") -
THEN install create sys$system:ctf$ui.exe -
/privileges=(sysnam,altpri,tmpmbx,syslck,sysgbl,prmgbl,netmbx, -
world,pswapm,prmmbx,bypass,cmkrnl)

Changed to be a comment:

$! IF .NOT. F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe","KNOWN") -
$! THEN install create sys$system:ctf$ui.exe -
$! /privileges=(sysnam,altpri,tmpmbx,syslck,sysgbl,prmgbl,netmbx, -
$! world,pswapm,prmmbx,bypass,cmkrnl)


Be aware that de-installing the image from memory means that non-privileged
users can no longer use the Common Trace Facility User Interface START and
STOP commands. This is the case even if the NET$TRACE identifiers have been
granted to the user account. START and STOP commands will only be allowed
from a privileged account.

AVAILABILITY: If you have a software service or warranty contract, you can
obtain the required ECO or software update through your regular Digital
support channels.
NOTE: For non-contract/non-warranty customers contact your local
Digital support channels for information regarding these kits.

========= Reprint of Digital Equipment Corporation Advisory ends =========
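
Added example (not part of the AUSCERT or Digital advisory): a triage helper that takes the two command outputs described above, as collected from a host, and maps them to the advisory's affected-version list and ECO table. The function names are hypothetical, the architecture ("AXP" or "VAX") is supplied by the caller, and the version banner format for releases other than the sample is an assumption.

```python
import re

# Affected releases and ECO kits as listed in the advisory.
AFFECTED = {"AXP": {"2.0", "2.0A", "5.7"},
            "VAX": {"5.5", "5.6", "5.6A", "5.6B", "5.7", "5.7A"}}
ECO = {("VAX", "5.6B"): "CSCPAT_0597 V1.1",
       ("AXP", "5.7"): "CSCPAT_0615 V1.1",
       ("VAX", "5.7A"): "CSCPAT_0618 V1.0"}
FALLBACK = "upgrade to DECnet/OSI Version 5.8 or de-install SYS$SYSTEM:CTF$UI.EXE"

# NCL output from the advisory's own example, embedded so the script runs offline.
SAMPLE_NCL = '''Node 0
at 1994-08-24-16:29:38.991+02:00I1.690
Characteristics
Implementation =
{
[
Name = VMS ,
Version = "V6.1 "
] ,
[
Name = DECnet-OSI for OpenVMS ,
Version = "DECnet-OSI for OpenVMS Version V5.7 14-JAN-1994..."
]
}'''

def osi_release(ncl_output):
    """Return the DECnet/OSI release (e.g. '5.7A') from NCL output, or None."""
    # Assumption: other releases use the same 'Version Vn.nX' banner as the sample.
    m = re.search(r'DECnet-OSI for OpenVMS Version V(\d+\.\d+[A-Z]?)', ncl_output)
    return m.group(1) if m else None

def triage(decnet_version, arch, ncl_output=""):
    """Return (affected, advice); affected is None when more data is needed."""
    code = decnet_version.strip()
    if code in ("00040100", "00040200"):
        return True, "DECnet-VAX Version 5.4 Extensions; no ECO listed: " + FALLBACK
    if not code.startswith("0005"):
        return None, "version code not covered by the advisory"
    release = osi_release(ncl_output)
    if release is None:
        return None, "DECnet/OSI present; collect MCR NCL SHOW IMPLEMENTATION output"
    if release == "5.8":
        return False, "DECnet/OSI Version 5.8 is the fixed release"
    if release not in AFFECTED[arch]:
        return None, "release %s not listed for %s" % (release, arch)
    eco = ECO.get((arch, release))
    if eco:
        return True, "install ECO %s, or %s" % (eco, FALLBACK)
    return True, "no ECO listed for %s on %s: %s" % (release, arch, FALLBACK)
```

For the sample host, the same release string gives different advice per platform: the ECO table covers Version 5.7 on AXP but not on VAX, so a VAX host at 5.7 is left with the upgrade or the workaround.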

----------------------------------------------------------------------------
The AUSCERT team wishes to thank the U.S. Department of Energy Computer
Incident Advisory Capability (CIAC), Rich Boren of Digital Equipment
Corporation and Ron Tencati of NASA's Automated Systems Incident Response
Capability (NAISRC) for providing information used in this bulletin.
----------------------------------------------------------------------------

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is the Australian Computer Emergency Response Team, funded by the
Australian Academic Research Network (AARNet) for its members. It is
located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security
Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is currently based at
ftp.sert.edu.au:/security. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

Internet Email: auscert@auscert.org.au
Facsimile: (07) 365 4477
Telephone: (07) 365 4417 (International: +61 7 365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA