
c-30.ciac-vms-monitor

Posted Sep 23, 1999


SHA-256 | e386e9ba37344993ee7c1f6bfb9ea345d51a309b151febc7b31d249eeefba7cb

        _____________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________
INFORMATION BULLETIN

VAX/VMS Security Vulnerability in MONITOR

August 24, 1992, 1200 PDT Number C-30

________________________________________________________________________
PROBLEM: The MONITOR utility on VMS versions 5.0 thru 5.4-2 can be
used to obtain unauthorized privileges.
PLATFORM: VAX systems running the VMS operating system.
DAMAGE: An unprivileged user can obtain all privileges.
SOLUTION: Upgrade to VMS version 5.4-3 (or higher); alternatively
disable or restrict access to MONITOR.
________________________________________________________________________
Critical Information About MONITOR Vulnerability

CIAC is forwarding Digital Equipment Corporation's Software
Security Response Team's (SSRT) advisory regarding this
problem. While CIAC believes the information contained to
be accurate, SSRT is fully responsible for its contents. DEC
requires its advisory be redistributed intact.

CIAC and DEC recommend upgrading VMS to the latest version.
However, if you are unable to upgrade, there is a
workaround described in the following DEC Advisory:
===============================================================================
SSRT-0200 PROBLEM: Potential Security Vulnerability Identified in MONITOR
SOURCE: Digital Equipment Corporation
AUTHOR: Software Security Response Team - U.S.
Colorado Springs USA

PRODUCT: VMS
Symptoms Identified On: VMS, Versions 5.0, 5.0-1, 5.0-2, 5.1, 5.1-B,
5.1-1, 5.1-2, 5.2, 5.2-1, 5.3,
5.3-1, 5.3-2, 5.4, 5.4-1, 5.4-2

*******************************************************
SOLUTION: This problem is not present in
VMS V5.4-3 (released in October 1991) through
VMS V5.5-1 (released in July, 1992).
*******************************************************

Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved.
Published Rights Reserved Under The Copyright Laws Of The United States.
-------------------------------------------------------------------------------
PROBLEM/IMPACT:
-------------------------------------------------------------------------------
Unauthorized privileges may be expanded to authorized users of a system
under certain conditions, via the MONITOR utility. Should a system be
compromised through unauthorized access, there is a risk of potential
damage to a system environment. This problem will not permit unauthorized
access entry, as individuals attempting to gain unauthorized access will
continue to be denied through the standard VMS security mechanisms.
-------------------------------------------------------------------------------
SOLUTION:
-------------------------------------------------------------------------------
This potential vulnerability does not exist in VMS V5.4-3
(released in October 1991) and later versions of VMS through V5.5-1.

Digital strongly recommends that you upgrade to a minimum of VMS V5.4-3,
and further, to the latest release of VMS V5.5-1 (released in July, 1992).
-------------------------------------------------------------------------------
INFORMATION:
-------------------------------------------------------------------------------
If you cannot upgrade at this time, Digital recommends that you
implement a workaround (examples attached below) to avoid any potential
vulnerability.

As always, Digital recommends that you periodically review your system
management and security procedures. Digital will continue to review and
enhance the security features of its products and work with customers to
maintain and improve the security and integrity of their systems.
-------------------------------------------------------------------------------
WORKAROUND
-------------------------------------------------------------------------------
A suggested workaround would be to remove the installed image
SYS$SHARE:SPISHR.EXE via VMS INSTALL and/or restrict the use of
the MONITOR utility to "privileged" system administrators.
Below are the examples of doing both.

[1] To disable the MONITOR utility the image SYS$SHARE:SPISHR.EXE should be
deinstalled from a privileged account.

For cluster configurations;
---------------------------

$ MC SYSMAN
SYSMAN> SET ENVIRONMENT/CLUSTER
SYSMAN> DO INSTALL REMOVE SYS$SHARE:SPISHR.EXE
SYSMAN> DO RENAME SYS$SHARE:SPISHR.EXE SPISHR.HOLD
SYSMAN> EXIT

For non-VAXcluster configurations;
---------------------------------

$ INSTALL
INSTALL> REMOVE SYS$SHARE:SPISHR.EXE
INSTALL> EXIT
$ RENAME SYS$SHARE:SPISHR.EXE SPISHR.HOLD


[2] If you wish to restrict access to the MONITOR command so that only a
limited number of authorized (or privileged) persons are granted access
to the utility, one method might be to issue the following commands
from a privileged account;

For cluster configurations;
---------------------------

$ MC SYSMAN
SYSMAN> SET ENVIRONMENT/CLUSTER
SYSMAN> DO INSTALL REMOVE SYS$SHARE:SPISHR.EXE
SYSMAN> DO SET FILE/ACL=(ID=*,ACCESS=NONE) SYS$SHARE:SPISHR.EXE
SYSMAN> DO SET FILE/ACL=(ID=SYSTEM,ACCESS=READ+EXECUTE) SYS$SHARE:SPISHR.EXE
SYSMAN> DO INSTALL ADD SYS$SHARE:SPISHR.EXE/OPEN/HEADER/SHARE/PROTECT
SYSMAN> EXIT
$
THIS WILL IMPACT the MONITOR UTILITY FOR REMOTE MONITORING.
LOCAL USE OF MONITOR WILL CONTINUE TO WORK FOR PERSONS HOLDING
THE ID's GRANTED ACL ACCESS.

see additional note(s) below

For non-VAXcluster configurations;
----------------------------------

$ INSTALL
INSTALL> REMOVE SYS$SHARE:SPISHR.EXE
INSTALL> EXIT
$ SET FILE /ACL=(ID=*,ACCESS=NONE) SYS$SHARE:SPISHR.EXE
$ SET FILE /ACL=(ID=SYSTEM,ACCESS=READ+EXECUTE) SYS$SHARE:SPISHR.EXE
$ INSTALL
INSTALL> ADD SYS$SHARE:SPISHR.EXE/OPEN/HEADER/SHARE/PROTECT
INSTALL> EXIT
$

NOTE in the above examples: The "SET FILE /ACL" line should be repeated
for all accounts that are required/allowed to use the DCL MONITOR
command. The ID -SYSTEM- should be replaced with valid user ID's
that are to be associated with accounts you wish to grant access to.

End of DEC Advisory
===============================================================================
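The ACL commands in workaround [2] depend on the order in which they are issued. The following is an added illustration, not part of the DEC advisory or the CIAC bulletin: a simplified Python model that assumes the VMS defaults that SET FILE/ACL places each new entry at the top of the ACL and that the first matching entry decides access. The user name JONES is constructed; UIC-based protection and privileges are not modelled.

```python
# Added illustration (not from the DEC advisory): simplified model of a VMS
# file ACL. Assumptions: SET FILE/ACL puts each new ACE at the top of the
# list, and the first ACE matching an identifier the process holds decides.
# UIC-based protection and privileges such as BYPASS are not modelled.

def set_file_acl(acl, identifier, access):
    """Model `SET FILE/ACL=(ID=identifier,ACCESS=access)`: new ACE goes on top."""
    rights = set() if access == "NONE" else set(access.split("+"))
    return [(identifier, rights)] + acl

def acl_grants(acl, held_ids, wanted):
    """True/False from the first matching ACE; None if no ACE matches."""
    for identifier, rights in acl:
        if identifier == "*" or identifier in held_ids:
            return wanted in rights
    return None  # would fall through to UIC protection, outside this model

def advisory_order(granted_ids=("SYSTEM",)):
    """Order used in the advisory: wildcard deny first, then one grant per ID."""
    acl = set_file_acl([], "*", "NONE")
    for ident in granted_ids:
        acl = set_file_acl(acl, ident, "READ+EXECUTE")
    return acl

def reversed_order(granted_ids=("SYSTEM",)):
    """Same commands issued the other way round: the wildcard ends up on top."""
    acl = []
    for ident in granted_ids:
        acl = set_file_acl(acl, ident, "READ+EXECUTE")
    return set_file_acl(acl, "*", "NONE")

if __name__ == "__main__":
    for name, acl in (("advisory", advisory_order()),
                      ("reversed", reversed_order())):
        print(name, [(i, sorted(r)) for i, r in acl])
        # SYSTEM is the identifier from the advisory; JONES is a constructed user.
        print("  holder of SYSTEM, EXECUTE:", acl_grants(acl, {"SYSTEM"}, "EXECUTE"))
        print("  JONES, EXECUTE:           ", acl_grants(acl, {"JONES"}, "EXECUTE"))
```

With the advisory's order the wildcard entry sits at the bottom, so each identifier added afterwards is matched before it. Issued in the reverse order, the wildcard entry matches first and the later grants are never reached.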
If you require additional assistance or wish to report a vulnerability,
call CIAC at (510) 422-8193/FTS or send e-mail to ciac@llnl.gov.
FAX messages to: (510) 423-8002/FTS.

For emergencies only, call 1-800-SKYPAGE and enter PIN number
855-0070 (primary) or 855-0074 (secondary).

The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400
baud at (510) 423-4753/FTS and 9600 baud at (510) 423-3331/FTS.
Previous CIAC bulletins and other information are available via
anonymous ftp from irbis.llnl.gov (IP address 128.115.19.60).

CIAC wishes to thank Rich Boren of DEC's SSRT for assistance and
the advisory used in this bulletin.

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team.
Your agency's team will coordinate with CIAC.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights. Reference herein to any
specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation, or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of
the United States Government nor the University of California, and shall
not be used for advertising or product endorsement purposes.
