______________________________________________________

                The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
          ____________________________________________________

                  I N F O R M A T I O N   B U L L E T I N
 
                   OpenVMS Security Patch #1084 Problems
                      Addendum to CIAC Advisory D-08
 
MAR 2, 1993  1400 PST                                          Number D-09
___________________________________________________________________________
PROBLEM:  Systems with security patch #1084 installed will not boot after
          performing certain system upgrades.
PLATFORM: VMS, OpenVMS VAX and SEVMS systems.
DAMAGE:   System security is not affected.
SOLUTION: Restore the old files before upgrading or apply a patch to the
          new IMAGE_MANAGEMENT.EXE file.
___________________________________________________________________________
          Critical Information about OpenVMS VAX Patch Problems

  CIAC has learned that applying specific system upgrades to VMS, OpenVMS VAX
and Security Enhanced VMS (SEVMS) which have been patched as described in CIAC
Advisory D-08 "Potential Vulnerability in VMS V5 and Derivative Operating
Systems, February 23, 1993" leaves systems which will not boot. The patch is
#1084 and the specific upgrades are: V5.3 to V5.3-1; V5.3-1 to V5.3-2; V5.5 to
V5.5-2; V5.5-1 to V5.5-2.  All other upgrades are not affected.

  This patch's installation procedure leaves the old IMAGE_MANAGEMENT.EXE and
PAGE_MANAGEMENT.EXE files in the SYS$COMMON:[SYS$LDR] directory.  The system
can be restored for upgrade as long as these files have not been removed.
Prior to system upgrade, use rename to change the old files to a higher
version than the new files.  Otherwise, take the corrective action described
in addendum SSRT 02.25-01 (see below).  DEC requests that 02.25-01 be
redistributed intact.

========================== Begin DEC Addendum 02.25-01 ========================
SSRT 02.25 - 01       01.MAR.1993    Addendum Advisory
RE: SSRT 02.25 dated  23.FEB.1993

                SOURCE: Digital Equipment Corporation
                AUTHOR: Software Security Response Team
                        Colorado Springs, CO.
DESCRIPTION
------------
 Digital has received information concerning a problem while upgrading
 the OpenVMS VAX Version paths listed below.

OpenVMS VAX versions affected:
------------------------------
          upgrade paths  V5.3   to V5.3-1
                         V5.3-1 to V5.3-2
                         V5.5   to V5.5-2
                         V5.5-1 to V5.5-2

 A problem will occur during an upgrade to a system that previously installed
 the Security Kit identified as:

                        CSCPAT_1084010.A   (combined kit for all OpenVMS VAX
                                            Versions affected. DSNlink kit.)
                        VAXSYS01_U2053.A   OpenVMS V5.3, V5.3-1, V5.3-2
                        VAXSYS02_U2055.A   OpenVMS V5.5, V5.5-1, V5.5-2
NOTE:
*****
 All other applicable versions of OpenVMS VAX and their supported upgrade paths
 do not exhibit this symptom if the Security Kit (identified in an advisory
 SSRT 02.25 dated 23.FEB.1993) was installed before upgrading to the next
 higher version.

 The Security Kit must be re-applied after all OpenVMS VAX upgrades for V5.0
 through V5.5-2.   Digital recommends that until OpenVMS VAX V6.0 or OpenVMS
 AXP V1.5 is installed later this year, contact your Digital Services Support
 organization to obtain the most current version of the applicable Security
 Kit.

IMPACT
---------
 Anyone who upgrades from OpenVMS VAX V5.3 to V5.3-1, V5.3-1 to V5.3-2,
 V5.5 to V5.5-2, or V5.5-1 to V5.5-2 will experience an error directly related
 to having the Security Kit installed prior to the OpenVMS VAX upgrades listed
 above.  The system will to fail to boot properly after the completion of the
 upgrade. 

SOLUTION
---------
 If you renamed the images replaced following the installation of the Security
 Kit, restore the saved images prior to upgrading OpenVMS VAX to the next
 higher release then re-apply the Security Kit.   The images replaced by
 the Security Kit identified above are:

                 PAGE_MANAGEMENT.EXE  &  IMAGE_MANAGEMENT.EXE
               and placed in the directory  SYS$COMMON:[SYS$LDR]
 
 WARNING: To prevent a similar problem ensure that no copies of the above
          images exist in the SYS$SPECIFIC:[SYS$LDR] directory.

 
 If the images replaced during the Security Kit installation cannot be restored
 prior to your upgrade, enter the commands (as indicated below) after your
 OpenVMS VAX upgrade completes.

**** IN EACH CASE, THE SOLUTION BELOW IS A POST OpenVMS VAX UPGRADE EVENT  ****

!For OpenVMS VAX V5.3 upgrade paths
!            V5.3   to V5.3-1
!            V5.3-1 to V5.3-2
!
! At the point where the OpenVMS upgrade process has completed:
! From the systems console invoke a conversational boot then enter the
! remaining commands as shown and follow the instructions for re-booting.

>>>
>>> B/1      !YOUR PARTICULAR BOOT FOR CONVERSATIONAL MODE MAY BE DIFFERENT
SYSBOOT> SET/START=OPA0:
SYSBOOT> C
$
$ set noon
$ set default [vms$common.sys$ldr]
$ patch/update=(1) image_management.exe
SET ECO 1
REPL/INST 0A0F='BISB2 #01,B^1F(SP)'
'NOP'
EXIT
UPDATE
EXIT

 Press the HALT button, reboot the system, and re-install the Security Kit and
 reboot again for the installation to become effective.

----------------------------------------------------------------------------

!For OpenVMS VAX V5.5 upgrade paths
!             V5.5   to V5.5-2
!             V5.5-1 to V5.5-2
!
! At the point where the OpenVMS upgrade process has completed:
! From the systems console invoke a conversational boot then enter the
! remaining commands as shown and follow the instructions for re-booting.

>>>
>>> B/1      !YOUR PARTICULAR BOOT FOR CONVERSATIONAL MODE MAY BE DIFFERENT
SYSBOOT> SET/START=OPA0:
SYSBOOT> C

$ set noon
$ set default [vms$common.sys$ldr]
$ patch/update=(1) image_management.exe
SET ECO 1
REPL/INST 0A2F='BISB2 #01,B^1F(SP)'
'NOP'
EXIT
UPDATE
EXIT
$

 Press the HALT button, reboot the system, and re-install the Security Kit and
 reboot again for the installation to become effective.
 -----------------------------------------------------------------------------
 Copyright (c) Digital Equipment Corporation, 1993 All Rights Reserved.
 Published Rights Reserved Under The Copyright Laws Of The United States.
=========================== End DEC Addendum 02.25-01 =========================

CIAC recommends that you follow the DEC advisory addendum if performing an
upgrade for the specific versions indicated.  If you need additional
information, contact Mr. Richard Boren of DEC's Software Security Response
Team (SSRT) at 719-592-4689.  CIAC wishes to thank Rich for supplying the
advisory used in this bulletin. 

If you require additional assistance or wish to report a vulnerability,
call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov.  FAX
messages to: (510) 423-8002.

For emergencies and off-hour assistance call 1-800-SKYPAGE and enter
PIN number 855-0070 (primary) or 855-0074 (secondary).

The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400 baud
at (510) 423-4753 and 9600 baud at (510) 423-3331.  Previous CIAC
bulletins and other information is available via anonymous ftp from
irbis.llnl.gov (ip address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Your agency's team will coordinate with CIAC.  The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization.  A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California.  The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.