-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =============================================================================== >> CERT-NL, 01-Mar-2000 << >> All CERT-NL information has been moved to http://cert.surfnet.nl. Links << >> to CERT-NL information contained in this advisory are therefore outdated. << >> << >> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the << >> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the << >> complete CERT-CC advisory texts: http://www.cert.org << =============================================================================== =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : CERT-NL Teun Nijssen Index : S-93-07 Distribution : SURFnet Constituency Page : 1 Classification: External Version: Final Subject : VAX/VMS failure to disable user accounts Date : 13-Feb-93 =============================================================================== CERT-NL has received information concerning a vulnerability in VAX/VMS. The following information comes from CIAC, a partner member of FIRST. - ---------------------------------------------------------------------- PROBLEM: VMS systems configured to disable user accounts experiencing break-in attempts may not disable those accounts, as required. PLATFORM: VAXstations using DECwindows or Motif, VMS versions 5.3 through Open VMS 5.5-2. DAMAGE: Unauthorized users could gain access given sufficient time. SOLUTION: Apply patch CSCPAT_0239019 or physically secure workstations if accounts are so configured. ________________________________________________________________________ Critical Facts about potential vulnerability in VMS VAXstations CIAC has learned of a vulnerability in VAXstations running (Open) VMS versions 5.3 through 5.5-2 when using VMS DECwindows or VMS DECwindows MOTIF. The vulnerability applies to systems where the SYSGEN parameter for disabling accounts under attack is enabled (i.e., LGI_BRK_DISUSER is set to 1). If the "break-in limit," i.e, log-in failure count threshold (SYSGEN parameter LGI_BRK_LIM) is exceeded during an interval determined by an algorithm using LGI_BRK_TMO, the account will NOT be disabled, allowing repeated attacks. Other security functions will continue to work correctly, such as evasion and SYSUAF counts for log-in failures, as well as security audit recording. The vulnerability is not present when using non-local DECwindows or MOTIF access via DECnet. If you are not required to invoke automatic account disabling, CIAC recommends that you secure your systems by prudently managing passwords and effectively setting break-in detection and evasion SYSGEN parameters. In most cases the default parameter settings are adequate. You may further strengthen evasion security by o reducing LGI_BRK_LIM (default 5 log-in attempts) o increasing LGI_HID_TIM (default 300 seconds) o increasing LGI_BRK_TMO (default 300 seconds) o changing LGI_BRK_TERM to 0 (default is 1) Be advised that each parameter change may increase the risk of denial of service to legitimate users. If you have dial up access, make certain that the parameter LGI_RETRY_LIM is not increased beyond its default value of three. In all cases, CIAC recommends that you first upgrade to the latest version of Open VMS and windowing software (to correct other potential vulnerabilities). To correct the potential vulnerability identified in this bulletin, apply patch suite CSCPAT_0239019, available from Digital. If you have DSNlink for VMS, use the DSNlink VTX Patch Application. When prompted for a search string, use the keyword CSCPAT_0239019. If you do not have DSNlink for VMS, contact your local Digital office or your Digital Support Center for the patch. If you cannot obtain or apply the patch, you should restrict workstation physical access to authorized users. CIAC wishes to acknowledge Tom Moore and Mona Wecksung of Los Alamos National Laboratory for bringing the vulnerability to our attention, and Rich Boren of Digital's Software Security Response Team for leading problem resolution efforts. - ------------------------------------------------------------------------------ CERT-NL thanks CIAC for bringing this information to our attention. We advise the SURFnet CERT constituency to check whether their VAX/VMS user disabling policy is affected by the problems mentioned in CIAC's advisory and to act according to the advise given. houdoe teun ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://cert.surfnet.nl/ In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS Phone: +31 302 305 305 BUSINESS HOURS ONLY Fax: +31 302 305 329 BUSINESS HOURS ONLY Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES: THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU. =============================================================================== -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1i iQA/AwUBOL6WAjSYjBqwfc9jEQK44QCgvIgrkxT77QNqq+kKw1iETJrXmY0AnjMY wJrIwUM9BxuypkP6m2wkx5pA =wsA7 -----END PGP SIGNATURE-----