
f-04.DECnet_OSI-OpenVMS-vul

Posted Sep 23, 1999

SHA-256 | b1e74a8be05cf59fdb5525e5060c0ac8b0a0824ca82dadb163714ad4730dca66

_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
 ___  __ __    _     ___
/       |     /_\   /
\___  __|__  /   \  \___
_____________________________________________________

INFORMATION BULLETIN

Security Vulnerabilities in DECnet/OSI for OpenVMS

November 28, 1994 0900 PST Number F-04
_____________________________________________________________________________

PROBLEM:    Security Vulnerabilities exist in certain versions of
            DECnet/OSI for OpenVMS.
PLATFORMS:  (1) DEC Alpha AXP OpenVMS systems running DECnet/OSI Version
                2.0, 2.0A, or 5.7;
            (2) DEC VAX/VMS OpenVMS systems running DECnet/OSI Version
                5.5, 5.6, 5.6A, 5.6B, 5.7, 5.7A, or DECnet-VAX Version 5.4
                extensions.
DAMAGE:     Unprivileged system users may gain unauthorized, expanded
            privileges or may crash the operating system.
SOLUTION:   Install DECnet/OSI Version 5.8, or apply a patch available
            from Digital, or apply the workaround given in the Appendix,
            below.
_____________________________________________________________________________

VULNERABILITY  Although to date these vulnerabilities are not widely known
ASSESSMENT:    nor exploited, CIAC recommends prompt attention.

_____________________________________________________________________________

Critical Information about the Vulnerabilities in DECnet/OSI

CIAC has received information from Digital Equipment Corporation concerning
potential security vulnerabilities for those systems running versions of
DECnet/OSI prior to Version 5.8. These vulnerabilities may be eliminated by
(1) upgrading to DECnet/OSI Version 5.8 or (2) correcting earlier versions
by applying DEC supplied patches or (3) applying the workaround provided in
the DEC advisory reprinted below.

NOTE: An unofficial DEC advisory on this topic that was previously
circulated within some communities should be discarded. The information
presented in this advisory is the most complete and accurate to date.

Patch files are available via the normal Digital support channels: DSNlink
for warranty and contract customers, the local office for all others.

Patch File Information
Name CSCPAT_0597011.A
OpenVMS Checksum 4247567393
MD5 Checksum 79DBE63AC8855D6759EA73B5F419F8ED

Name CSCPAT_0597011.B
OpenVMS Checksum 1811769591
MD5 Checksum 279E735D15915FC66941D5E2595FA932

Name CSCPAT_0615011.A
OpenVMS Checksum 756388445
MD5 Checksum 19E698B26F0FAEF75314891A6FB85A7C

Name CSCPAT_0615011.RELEASE_NOTES
OpenVMS Checksum 38157879
MD5 Checksum 9CEF6DF7DF15FEE539D9159D681C6F12

Name CSCPAT_0618010.A
OpenVMS Checksum 1502668639
MD5 Checksum 35A7F541B209608869ACD8D2086DA4B6

The patches also fix a bug in the Common Trace Facility (CTF) User Interface
which causes systems to crash, as well as correct other problems. If you
need additional information or assistance, contact CIAC at 510-422-8193 or
Mr. Richard Boren of DEC's Software Security Response Team (SSRT) at
719-592-4689.
_____________________________________________________________________________
CIAC thanks Rich Boren of Digital Equipment Corporation and Ron Tencati of
NASA's Automated Systems Incident Response Capability (NAISRC) for providing
information used in this bulletin.
_____________________________________________________________________________

If you require additional assistance or wish to report a vulnerability,
contact CIAC at:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov

Previous CIAC notices, anti-virus software, and other information are
available on the Internet via anonymous FTP from ciac.llnl.gov (IP address
128.115.19.53).

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information, and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:

subscribe list-name LastName, FirstName PhoneNumber

as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName" "FirstName" and "PhoneNumber." Send to: ciac-listproc@llnl.gov
not to: ciac@llnl.gov

e.g.,
subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address and initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
_____________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.
_____________________________________________________________________________

======================= Begin DECnet/OSI Advisory ===========================
|SOURCE: Digital Equipment Corporation
|AUTHOR: Software Security Response Team Colorado Springs, CO.
|PRODUCT: The following products are affected:
|
| o DECnet-VAX, Version 5.4 Extensions
|
| o DECnet/OSI Version 2.0 for OpenVMS AXP
| o DECnet/OSI Version 2.0A for OpenVMS AXP
| o DECnet/OSI Version 5.7 for OpenVMS AXP
|
| o DECnet/OSI Version 5.5 for OpenVMS VAX
| o DECnet/OSI Version 5.6 for OpenVMS VAX
| o DECnet/OSI Version 5.6A for OpenVMS VAX
| o DECnet/OSI Version 5.6B for OpenVMS VAX
| o DECnet/OSI Version 5.7 for OpenVMS VAX
| o DECnet/OSI Version 5.7A for OpenVMS VAX
|
|SYMPTOM: User privileges may be expanded under certain circumstances.
|
|FIX: This potential vulnerability can be removed by installing one of the
|following software updates or Engineering Change Orders (ECOs) available
|from Digital:
|
| Software update:
| ----------------
| DECnet/OSI Version 5.8 for OpenVMS AXP
| DECnet/OSI Version 5.8 for OpenVMS VAX
|
|                                             ECO
| Software version:                           number  CSCPAT number
| -----------------                           ------  -------------
| DECnet/OSI Version 5.6B for OpenVMS VAX     10      CSCPAT_0597 V1.1
| DECnet/OSI Version 5.7 for OpenVMS AXP      02      CSCPAT_0615 V1.1
| DECnet/OSI Version 5.7A for OpenVMS VAX     07      CSCPAT_0618 V1.0
|
|Engineering ECO References:
|
| CSCPAT_0597 V1.1 = DNVOSIB_ECO10056
| CSCPAT_0615 V1.1 = DNVOSIAXP_ECO02057
| CSCPAT_0618 V1.0 = DNVOSIA_ECO07057
|
|If you are unable to install one of the above listed updates or ECOs,
|or if there is no ECO available for the version of DECnet that you are
|currently running, see the workaround described later.
|
|Execute the following command to determine which version of DECnet you
|are currently running:
|
| $ WRITE SYS$OUTPUT F$GETSYI("DECNET_VERSION")
|
|If "00040100" or "00040200" is displayed then DECnet-VAX, Version 5.4
|Extensions is installed. If the "version" begins with "0005", it means that
|DECnet/OSI is installed. Use the following command to find the version
|number:
|
| $ MCR NCL SHOW IMPLEMENTATION
|
|and look for the line beginning with "Version =". For example:
|
| $ WRITE SYS$OUTPUT F$GETSYI("DECNET_VERSION")
| 00050300
|
| $ MCR NCL SHOW IMPLEMENTATION
|
| Node 0
| at 1994-08-24-16:29:38.991+02:00I1.690
| Characteristics
| Implementation =
| {
| [
| Name = VMS ,
| Version = "V6.1 "
| ] ,
| [
| Name = DECnet-OSI for OpenVMS ,
| Version = "DECnet-OSI for OpenVMS Version V5.7 14-JAN-1994..."
| ]
| }
|
|Therefore, DECnet/OSI Version 5.7 for OpenVMS (VAX) is running on this
|particular machine.
|
|WORKAROUND: If you are unable to install one of the software updates or
|ECOs listed previously, we strongly recommend that you de-install the
|Common Trace Facility User Interface image (SYS$SYSTEM:CTF$UI.EXE) from
|memory. Execute the following command to determine if this image is
|installed on your system:
|
| $ INSTALL LIST SYS$SYSTEM:CTF$UI.EXE
|
|The following output is displayed if the image is installed:
|
| DISK$OPENVMS061:<SYS0.SYSCOMMON.SYSEXE>.EXE
| CTF$UI;5 Prv
|
|Execute the following command to de-install the image from memory. Note
|that you require the privilege CMKRNL to do this.
|
| $ INSTALL REMOVE SYS$SYSTEM:CTF$UI.EXE
|
|In addition to de-installing the image from memory, steps should be taken
|to ensure that the image is not (re-)installed during a subsequent machine
|reboot, or when the Common Trace Facility startup command file is executed.
|
|To do this, edit the Common Trace Facility startup command file
|(SYS$COMMON:[SYSMGR]CTF$STARTUP.COM) and search for the following text:
|
| F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe
|
|Comment out the code that installs the image into memory as follows:
|
| Original code:
|
| $ IF .NOT. F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe","KNOWN") -
| THEN install create sys$system:ctf$ui.exe -
| /privileges=(sysnam,altpri,tmpmbx,syslck,sysgbl,prmgbl,netmbx, -
| world,pswapm,prmmbx,bypass,cmkrnl)
|
| Changed to be comment:
|
| $! IF .NOT. F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe","KNOWN") -
| $! THEN install create sys$system:ctf$ui.exe -
| $! /privileges=(sysnam,altpri,tmpmbx,syslck,sysgbl,prmgbl,netmbx, -
| $! world,pswapm,prmmbx,bypass,cmkrnl)
|
|
|Be aware that de-installing the image from memory means that non-privileged
|users can no longer use the Common Trace Facility User Interface START and
|STOP commands. This is the case even if the NET$TRACE identifiers have been
|granted to the user account. START and STOP commands will only be allowed
|from a privileged account.
|
|AVAILABILITY: If you have a software service or warranty contract, you can
|obtain the required ECO or software update through your regular Digital
|support channels.
| NOTE: For non-contract/non-warranty customers contact your local
| Digital support channels for information regarding these kits.
========================= End DECnet/OSI Advisory =========================
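
An added example, not part of the CIAC bulletin or Digital's advisory: a Python helper that applies the advisory's version checks and ECO table to output collected from a node and returns the remediation the advisory lists for it. The function and table names are hypothetical, and the architecture is passed in by the operator as an assumption, since the NCL output shown in the advisory does not state it.

```python
import re

# Transcribed from the advisory's product list and ECO table.
AFFECTED = {"AXP": {"2.0", "2.0A", "5.7"},
            "VAX": {"5.5", "5.6", "5.6A", "5.6B", "5.7", "5.7A"}}
ECO = {("VAX", "5.6B"): "CSCPAT_0597 V1.1",
       ("AXP", "5.7"): "CSCPAT_0615 V1.1",
       ("VAX", "5.7A"): "CSCPAT_0618 V1.0"}
DECNET_VAX_EXT = {"00040100", "00040200"}  # DECnet-VAX Version 5.4 Extensions
WORKAROUND = "apply the CTF$UI.EXE workaround"
OSI_VERSION = re.compile(r"DECnet-OSI for OpenVMS Version V(\d+\.\d+[A-Z]?)")

# Sample NCL output, abridged from the example in the advisory.
SAMPLE_NCL = '''
Name = VMS ,
Version = "V6.1 "
Name = DECnet-OSI for OpenVMS ,
Version = "DECnet-OSI for OpenVMS Version V5.7 14-JAN-1994..."
'''


def triage(decnet_version, arch, ncl_output=""):
    """Return (product, affected, action) for one node.
    decnet_version: output of F$GETSYI("DECNET_VERSION")
    arch: "VAX" or "AXP", supplied by the operator (assumption: the NCL
          output shown in the advisory does not state the architecture)
    ncl_output: output of MCR NCL SHOW IMPLEMENTATION
    """
    code = decnet_version.strip()
    if code in DECNET_VAX_EXT:
        return ("DECnet-VAX Version 5.4 Extensions", True,
                f"{WORKAROUND}, or upgrade to DECnet/OSI 5.8")
    if not code.startswith("0005"):
        return ("not identified by the advisory's checks", False, "none")
    match = OSI_VERSION.search(ncl_output)
    if match is None:  # DECnet/OSI, but the release string was not captured
        return ("DECnet/OSI (version unknown)", None,
                "collect MCR NCL SHOW IMPLEMENTATION output")
    version = match.group(1)
    product = f"DECnet/OSI {version} for OpenVMS {arch}"
    if version not in AFFECTED.get(arch, set()):
        return (product, False, "none")  # e.g. the fixed Version 5.8
    eco = ECO.get((arch, version))
    fix = f"install ECO {eco}" if eco else f"no ECO listed, {WORKAROUND}"
    return (product, True, f"{fix}, or upgrade to DECnet/OSI 5.8")


if __name__ == "__main__":
    print(triage("00050300", "VAX", SAMPLE_NCL))
```

Only the versions the advisory names are flagged as affected; a release string it does not list is reported as unaffected rather than guessed at.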