f-18.ciac-HP-MPE-iX
2fd86e0a95bfbf6ef4d7f416077e7648f85a4e61e1bb8867010de1045b5da9cb
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________
INFORMATION BULLETIN
MPE/iX Vulnerabilities
March 24, 1995 1500 PST Number F-18
_____________________________________________________________________________
PROBLEM: Three security vulnerabilities exist in the MPE/iX operating
system.
PLATFORMS: HP3000 Series 900 systems running any release of MPE through
and including the Limited Release of MPE/iX 5.0 (X.50.20).
DAMAGE: Users can gain additional privileges and/or special
capabilities.
SOLUTION: Update all systems to the General Release of MPE/iX 5.0, or
Apply patch MPEHX26A (MPE/iX Release 4.0 B.40.00), or
patch MPEHX26B (Limited Release MPE/iX 5.0 X.50.20).
FIX: The problem is fixed in the General Release of MPE/iX 5.0
(C.50.00).
AVAILABILITY: The 5.0 General Release and all patches are available now.
_____________________________________________________________________________
VULNERABILITY The security vulnerabilities in the MPE/iX operating system
ASSESSMENT: can be used by local users to gain unauthorized access
privileges which may result in system compromise. CIAC urges
affected sites to install the appropriate patch as soon as
possible.
_____________________________________________________________________________
CRITICAL Information about MPE/iX Vulnerabilities
CIAC has obtained information from Hewlett Packard regarding new security
vulnerabilities in the MPE/iX operaing system which will allow local users
to gain unauthorized access privileges. Specific patch details are provided
below.
Following are the copies of the HP bulletins (HPSBMP9503-00x):
[Begin HP Bulletin]
-------------------------------------------------------------------------------
Summary of 'Daily Security Bulletins Digest' documents
-------------------------------------------------------------------------------
Document Id Description Page 1
-------------------------------------------------------------------------------
HPSBMP9503-003 Security Vulnerability (HPSBMP9503-003) in MPE/iX releases
HPSBMP9503-002 Security Vulnerability (HPSBMP9503-002) in MPE/iX releases
HPSBMP9503-001 Security Vulnerability (HPSBMP9503-001) in MPE/iX releases
===============================================================================
Detailed list of 'Daily Security Bulletins Digest' documents
===============================================================================
Document Id: [HPSBMP9503-003]
Date Loaded: [03-20-95]
Description: Security Vulnerability (HPSBMP9503-003) in MPE/iX releases
===============================================================================
-------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: (MPE/iX) #00003, 20 March 95
-------------------------------------------------------------------------
The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard will not be liable for
any consequences to any customer resulting from customer's failure
to fully implement instructions in this Security Bulletin as soon
as possible.
_______________________________________________________________________
PROBLEM: Security vulnerability in the MPE/iX operating system
PLATFORM: HP3000 Series 900 systems running any release of MPE through and
including the Limited Release of MPE/iX 5.0 (X.50.20)
DAMAGE: Users can gain additional privileges and/or special capabilities
SOLUTION: Update all systems to the General Release of MPE/iX 5.0, or
Apply patch MPEHX26A (MPE/iX Release 4.0 B.40.00), or
patch MPEHX26B (Limited Release MPE/iX 5.0 X.50.20)
FIX: The problem is fixed in the General Release of MPE/iX 5.0 (C.50.00)
AVAILABILITY: The 5.0 General Release and all patches are available now.
_______________________________________________________________________
A. Nature of the problem
It has been found that HP 3000 systems running MPE/iX Release 4.0
(B.40.00), Release 4.5 (C.45.00), and the Limited Release of
MPE/iX 5.0 (X.50.20) have a vulnerability that can be exploited by
users to gain additional privileges and/or capabilities, but only if
the users are already logged on to the system. This problem does not
permit a user to gain additional privileges by accident. However, a
user can exploit this vulnerability to gain System Manager (SM)
capability.
B. Fixing the problem
Hewlett-Packard recommends that you update your HP 3000 Series 900
computer systems to the General Release of MPE/iX 5.0 (C.50.00), as
this problem is fixed in that release. Updating to the 5.0 General
Release is the easiest and safest way to get the fix for this security
problem. Customers with HP System Support contracts should have
already received their shipments of the General Release of MPE/iX 5.0
(C.50.00).
However, if you feel that you cannot update to the 5.0 General
Release at this time, the proper corrective measure depends on which
release of MPE/iX your HP 3000 system is running.
The vulnerability can be eliminated from Release 4.0 and the Limited
Release of MPE/iX 5.0 by applying a patch, MPEHX26A or MPEHX26B.
Release 4.5 (C.45.00) MUST be updated to the General Release of
MPE/iX 5.0 (C.50.00), as no patch will be created for Release 4.5.
No patches will be available for versions of MPE/iX prior to
Release 4.0. Instead, you must update to a supported release. HP
recommends that you update such systems to the General Release of
MPE/iX 5.0. If you update to one of the other supported releases,
you will have to follow the patch instructions described in the next
section of this bulletin.
C. How to Install the Patch (for MPE/iX 4.0 & Limited Release MPE/iX 5.0)
1. Determine which patch is appropriate for your operating system release:
MPEHX26A for Series 900, MPE/iX 4.0 (B.40.00)
MPEHX26B for Series 900, Limited Release MPE/iX 5.0 (X.50.20)
2. Obtaining the patch.
If you have an HP System Support contract, you should be receiving a
security notification packet that includes a FAX-back form for
ordering the patches that fix the problems described in the following
three Security Bulletins -- HPSBMP9503-001, HPSBMP9503-002, and
HPSBMP9503-003.
If you do not have an HP System Support contract, you can obtain the
same patches by ordering MPE/iX SECURITY PATCH, Product Number B5116AA.
This product is available at no charge. When ordering the product,
you need to know which MPE/iX release you are patching and on what
media you want the patch delivered. The following chart shows the
two product options:
Option Table for Product Number B5116AA
1600BPI 6250BPI
Tape Tape DDS
|---------|---------|---------|
B.40.00 | 240,AA1 | 240,AA2 | 240,AAH |
|---------|---------|---------|
X.50.20 | 250,AA1 | 250,AA2 | 250,AAH |
|---------|---------|---------|
Phone numbers to HP Direct and other HP Country Sales offices have
been included at the end of this bulletin for your convenience.
3. Apply the patch to your MPE/iX system.
Installation instructions are included with the MPE/iX SECURITY PATCH
product.
D. Impact of the patch and workaround
Application of the patch will eliminate the vulnerability.
E. Obtaining General Security Information
To subscribe to automatically receive future NEW HP Security
Bulletins from the HP SupportLine mail service via electronic
mail, send an email message to:
support@support.mayfield.hp.com (no Subject is required)
Multiple instructions are allowed in the TEXT PORTION OF THE
MESSAGE, here are some basic instructions you may want to use:
To add your name to the subscription list for new Security
Bulletins, send the following in the TEXT PORTION OF THE MESSAGE:
subscribe security_info
To retrieve the index of all HP Security Bulletins issued to date,
send the following in the TEXT PORTION OF THE MESSAGE:
send security_info_list
World Wide Web service for browsing of bulletins is available via
the HPSL URL:
http://support.mayfield.hp.com
Choose "Support news", then under Support news,
choose "Security Bulletins"
F. To report new security vulnerabilities, send email to
security-alert@hp.com
===============================================================================
Document Id: [HPSBMP9503-002]
Date Loaded: [03-20-95]
Description: Security Vulnerability (HPSBMP9503-002) in MPE/iX releases
===============================================================================
-------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: (MPE/iX) #00002, 20 March 95
-------------------------------------------------------------------------
The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard will not be liable for
any consequences to any customer resulting from customer's failure
to fully implement instructions in this Security Bulletin as soon
as possible.
_______________________________________________________________________
PROBLEM: Security vulnerability in the MPE/iX operating system
PLATFORM: HP3000 Series 900 systems running the Limited Release of MPE/iX 5.0
DAMAGE: Users can gain access to a higher TurboImage privilege
SOLUTION: Update all systems to the General Release of MPE/iX 5.0, or
Apply patch MPEHX25A (Limited Release MPE/iX 5.0 X.50.20).
FIX: The problem is fixed in the General Release of MPE/iX 5.0 (C.50.00)
AVAILABILITY: The 5.0 General Release and all patches are available now.
_______________________________________________________________________
A. Nature of the problem
It has been found that HP 3000 systems running the Limited Release of
MPE/iX 5.0 (X.50.20) have a vulnerability that can be exploited by
logged on users to gain a higher TurboImage privilege. This problem
does not permit a user to gain additional privileges by accident.
B. Fixing the problem
Hewlett-Packard recommends that you update your HP 3000 Series 900
computer systems to the General Release of MPE/iX 5.0 (C.50.00), as
this problem is fixed in that release. Updating to the 5.0 General
Release is the easiest and safest way to get the fix for this security
problem. Customers with HP System Support contracts should have
already received their shipments of the General Release of MPE/iX 5.0
(C.50.00).
However, if you feel that you cannot update to the 5.0 General
Release at this time, the vulnerability can be eliminated from the
Limited Release of MPE/iX 5.0 by applying a patch, MPEHX25A.
C. How to Install the Patch (for the Limited Release MPE/iX 5.0)
1. Determine which patch is appropriate for your operating system release:
MPEHX25A for Series 900, Limited Release MPE/iX 5.0 (X.50.20)
2. Obtaining the patch.
If you have an HP System Support contract, you should be receiving a
security notification packet that includes a FAX-back form for
ordering the patches that fix the problems described in the following
three Security Bulletins -- HPSBMP9503-001, HPSBMP9503-002, and
HPSBMP9503-003.
If you do not have an HP System Support contract, you can obtain the
same patches by ordering MPE/iX SECURITY PATCH, Product Number B5116AA.
This product is available at no charge. When ordering the product,
you need to know which MPE/iX release you are patching and on what
media you want the patch delivered. The following chart shows the
two product options:
Option Table for Product Number B5116AA
1600BPI 6250BPI
Tape Tape DDS
|---------|---------|---------|
B.40.00 | 240,AA1 | 240,AA2 | 240,AAH |
|---------|---------|---------|
X.50.20 | 250,AA1 | 250,AA2 | 250,AAH |
|---------|---------|---------|
Phone numbers to HP Direct and other HP Country Sales offices have
been included at the end of this bulletin for your convenience.
3. Apply the patch to your MPE/iX system.
Installation instructions are included with the MPE/iX SECURITY PATCH
product.
D. Impact of the patch and workaround
Application of the patch will eliminate the vulnerability.
E. Obtaining General Security Information
To subscribe to automatically receive future NEW HP Security
Bulletins from the HP SupportLine mail service via electronic
mail, send an email message to:
support@support.mayfield.hp.com (no Subject is required)
Multiple instructions are allowed in the TEXT PORTION OF THE
MESSAGE, here are some basic instructions you may want to use:
To add your name to the subscription list for new Security
Bulletins, send the following in the TEXT PORTION OF THE MESSAGE:
subscribe security_info
To retrieve the index of all HP Security Bulletins issued to date,
send the following in the TEXT PORTION OF THE MESSAGE:
send security_info_list
World Wide Web service for browsing of bulletins is available via
the HPSL URL:
http://support.mayfield.hp.com
Choose "Support news", then under Support news,
choose "Security Bulletins"
F. To report new security vulnerabilities, send email to
security-alert@hp.com
===============================================================================
Document Id: [HPSBMP9503-001]
Date Loaded: [03-20-95]
Description: Security Vulnerability (HPSBMP9503-001) in MPE/iX releases
===============================================================================
-------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: (MPE/iX) #00001, 20 March 95
-------------------------------------------------------------------------
The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard will not be liable for
any consequences to any customer resulting from customer's failure
to fully implement instructions in this Security Bulletin as soon
as possible.
_______________________________________________________________________
PROBLEM: Security vulnerability in the MPE/iX operating system
PLATFORM: HP3000 Series 900 systems running Release 4.0, Release 4.5, and
the 5.0 Limited Release of MPE/iX
DAMAGE: Users can gain additional privileges and/or special capabilities
SOLUTION: Update all systems to the General Release of MPE/iX 5.0, or
Apply patch MPEHX24A (MPE/iX Release 4.0 B.40.00), or
patch MPEHX24B (Limited Release MPE/iX 5.0 X.50.20)
FIX: The problem is fixed in the General Release of MPE/iX 5.0 (C.50.00)
AVAILABILITY: The 5.0 General Release and all patches are available now.
_______________________________________________________________________
A. Nature of the problem
It has been found that HP 3000 systems running MPE/iX Release 4.0
(B.40.00), Release 4.5 (C.45.00), and the Limited Release of
MPE/iX 5.0 (X.50.20) have a vulnerability that can be exploited by
users to gain additional privileges and/or capabilities, but only if
the users are already logged on to the system. This problem does not
permit a user to gain additional privileges by accident. However, a
user can exploit this vulnerability to gain System Manager (SM)
capability.
B. Fixing the problem
Hewlett-Packard recommends that you update your HP 3000 Series 900
computer systems to the General Release of MPE/iX 5.0 (C.50.00), as
this problem is fixed in that release. Updating to the 5.0 General
Release is the easiest and safest way to get the fix for this security
problem. Customers with HP System Support contracts should have
already received their shipments of the General Release of MPE/iX 5.0
(C.50.00).
However, if you feel that you cannot update to the 5.0 General
Release at this time, the proper corrective measure depends on which
release of MPE/iX your HP 3000 system is running.
The vulnerability can be eliminated from Release 4.0 and the Limited
Release of MPE/iX 5.0 by applying a patch, MPEHX24A/B. Release 4.5
(C.45.00) MUST be updated to the General Release of MPE/iX 5.0
(C.50.00), as no patch will be created for Release 4.5.
C. How to Install the Patch (for MPE/iX 4.0 & Limited Release MPE/iX 5.0)
1. Determine which patch is appropriate for your operating system release:
MPEHX24A for Series 900, MPE/iX 4.0 (B.40.00)
MPEHX24B for Series 900, Limited Release MPE/iX 5.0 (X.50.20)
2. Obtaining the patch.
If you have an HP System Support contract, you should be receiving a
security notification packet that includes a FAX-back form for
ordering the patches that fix the problems described in the following
three Security Bulletins -- HPSBMP9503-001, HPSBMP9503-002, and
HPSBMP9503-003.
If you do not have an HP System Support contract, you can obtain the
same patches by ordering MPE/iX SECURITY PATCH, Product Number B5116AA.
This product is available at no charge. When ordering the product,
you need to know which MPE/iX release you are patching and on what
media you want the patch delivered. The following chart shows the
two product options:
Option Table for Product Number B5116AA
1600BPI 6250BPI
Tape Tape DDS
|---------|---------|---------|
B.40.00 | 240,AA1 | 240,AA2 | 240,AAH |
|---------|---------|---------|
X.50.20 | 250,AA1 | 250,AA2 | 250,AAH |
|---------|---------|---------|
Phone numbers to HP Direct and other HP Country Sales offices have
been included at the end of this bulletin for your convenience.
3. Apply the patch to your MPE/iX system.
Installation instructions are included with the MPE/iX SECURITY PATCH
product.
NOTE: IF YOU DECIDE TO APPLY ONE OF THE TWO PATCHES MENTIONED
ABOVE RATHER THAN UPDATE YOUR HP 3000 TO THE GENERAL RELEASE OF
MPE/iX 5.0, YOU MUST RE-APPLY ALL MPE/iX PATCHES PREVIOUSLY INSTALLED
ON YOUR SYSTEM.
Patch MPEHX24A/B replaces the Operating System SOM (OS SOM) in
NL.PUB.SYS. This process has the effect of removing all previously
installed MPE/iX patches from the OS SOM. You can obtain all prior
General Release patches by ordering the current MPE/iX PowerPatch tape
(B.40.09) for Release 4.0 or the current MPE/iX PowerPatch tape
(X.50.24) for the Limited Release of 5.0. If you have an HP System
Support contract, call your local Hewlett-Packard support contact.
Otherwise, call your local HP Sales representative and order Product
Number 50757A -- PowerPatch Tape. Be sure to indicate which version
of the PowerPatch tape you require and the correct media type.
PowerPatch tapes are available free of charge to customers who have an
HP System Support contract and at a nominal charge to customers who
do not.
D. Impact of the patch and workaround
Application of the patch will eliminate the vulnerability. See the
NOTE above for the patch impact.
E. Obtaining General Security Information
To subscribe to automatically receive future NEW HP Security
Bulletins from the HP SupportLine mail service via electronic
mail, send an email message to:
support@support.mayfield.hp.com (no Subject is required)
Multiple instructions are allowed in the TEXT PORTION OF THE
MESSAGE, here are some basic instructions you may want to use:
To add your name to the subscription list for new Security
Bulletins, send the following in the TEXT PORTION OF THE MESSAGE:
subscribe security_info
To retrieve the index of all HP Security Bulletins issued to date,
send the following in the TEXT PORTION OF THE MESSAGE:
send security_info_list
World Wide Web service for browsing of bulletins is available via
the HPSL URL:
http://support.mayfield.hp.com
Choose "Support news", then under Support news,
choose "Security Bulletins"
F. To report new security vulnerabilities, send email to
security-alert@hp.com
_______________________________________________________________________
United States Canada
Tel: 800-386-1117 Tel: 800-387-3154
Fax: 800-386-1118
Austria Netherlands
Tel: 43 222/250 00-200 Tel: 31 20-5476040
Fax: 43 222/250 00-311 Fax: 31 20-5477778
Belgium Norway
Tel: 32 2/778.33.99 Tel: 47 2 273 5767
Fax: 32 2/778.33.88 Fax: 47 2 273 5620
Czech Republic Poland
Tel: 42/2/4717230 Tel: 48/22/375085
Fax: 42/2/4717611 Fax: 48/22/374783
Denmark Portugal
Tel: 45 45 99 11 45 Tel: 351(1)301 7343
Fax: 45 45 82 11 46 Fax: 351(1)301 7568
Finland Russia
Tel: 358 0-8872 2000 Tel: 7095-923-5001
Fax: 358 0-8872 2002 Fax: 7095-230-2611
France Slovenia
Tel: 33(1)60 77 30 04 Tel: 386(61)159-3322
Fax: 33(1)69 91 86 79 Fax: 386(61)558-597
Germany Slovak Republic
Tel: 49 70 31/14-55 40 Tel: 42/7/765896
Fax: 49 70 31/14-10 80 Fax: 42/7/763408
Greece Spain
Tel: 30/1/6896411 Tel: 34(1)631 11 11
Fax: 30/1/6896512 Fax: 34(1)631 11 22
Hungary Sweden
Tel: 36/1/1420986 Tel: 46 8-750 22 10
Fax: 36/1/1223692 Fax: 46 8-793 90 50
Iceland Switzerland (French)
Tel: 354/1/671000 Tel: 41(22)780 44 65
Fax: 354/1/673031 Fax: 41(22)780 42 20
Ireland Switzerland (German)
Tel: 353/1/2844633 Tel: 41 1/735 72 70
Fax: 353/1/2844622 Fax: 41 1/735 77 11
Italy Turkey
Tel: Tel: 90-1-224 59 25
Fax: 39 2/75.30.645 Fax: 90-1-224 59 39
Mexico UK
Tel: (+52 5) 326-4684 Tel: 44-344-369231
Fax: 44 344-361014
European Headquarters & Middle East and
Multicountry Sales Region Afrika Operation
Tel: 41/22/780/8111 Tel: 41/22/780/4111
Fax: 41/22/780/8609 Fax: 41/22/780/4770
Australia Korea
Tel: (61-2)950-7491 Tel: (822)769-0612
Fax: (61-2)878-5596 Fax: (822)769-0523
Asia Pacific Headquarters Malaysia
Tel: (65) 290-6217 Tel: (60-3)295-2315
Fax: (65) 291-9697 Fax: (60-3)291-5495
Hong Kong Singapore
Tel: (852)599-7571 Tel: (65) 290-6005
Fax: (852)506-9261 Fax: (65) 296-9023
Japan Taiwan
Tel: (81-423)30-7888 Tel: (886-2)717-9620
Fax: (81-426)45-4312 Fax: (886-2)714-8793
Other Countries
Call your local HP Country Sales office or distributor
-----------------------------------------------------------------------------
[End HP Bulletin]
CIAC is the computer security incident response team for the U.S.
Department of Energy. Services are available free of charge to DOE and DOE
contractors.
DOE and DOE contractor sites can contact CIAC at:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov
For DOE and DOE contract site emergencies only, call 1-800-SKYPAGE
(1-800-759-7243) and enter PIN number 8550070 (primary) or 8550074
(secondary).
Previous CIAC notices, anti-virus software, and other information are
available via WWW (http://ciac.llnl.gov/) and anonymous FTP from
ciac.llnl.gov (IP address 128.115.19.53).
CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information, and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
SPI products.
Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:
subscribe list-name LastName, FirstName PhoneNumber
as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName" "FirstName" and "PhoneNumber." Send to: ciac-listproc@llnl.gov
not to: ciac@llnl.gov
e.g.,
subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36
You will receive an acknowledgment containing address and initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
_____________________________________________________________________________
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.
_____________________________________________________________________________