______________________________________________________
       The Computer Incident Advisory Capability
                ___  __ __    _     ___
               /       |     / \   /
               \___  __|__  /___\  \___
______________________________________________________

            A D V I S O R Y   N O T I C E

Potential Vulnerability in VMS V5 and Derivative Operating Systems

FEB 23, 1993 1200 PST                                        Number D-08
___________________________________________________________________________

PROBLEM:  Malicious program simplifies exploitation of VMS vulnerability.
PLATFORM: Systems running VMS V5.0 through OpenVMS V5.5-2 and OpenVMS AXP V1.0 (including all SEVMS V5.1 through V5.5-2).
DAMAGE:   Authorized unprivileged users could obtain all system privileges.
SOLUTION: Apply patch available from Digital Equipment Corporation.
___________________________________________________________________________

Critical Information about Potential Vulnerability in VMS

CIAC has learned of a potential vulnerability in VMS, OpenVMS and Security Enhanced VMS (SEVMS) as described in the following advisory (which was requested to be distributed intact) from Digital Equipment Corporation:

========================== Begin DEC Advisory =============================

DATE:     23.FEB.1993
SOURCE:   Digital Equipment Corporation
AUTHOR:   Software Security Response Team Colorado Springs USA
PRODUCT:  VMS V5.0 through OpenVMS V5.5-2 & OpenVMS AXP V1.0
PROBLEM:  Potential Security Vulnerability - OpenVMS
SOLUTION: A remedial kit is now available for OpenVMS AXP V1.0, VMS V5.0 through OpenVMS Version 5.5-2 (including all SEVMS versions V5.1 through V5.5-2 as applicable) by contacting your normal Digital Services Support organization.
SEVERITY LEVEL: High

This potential vulnerability has been corrected in the next release of OpenVMS, V6.0 and OpenVMS AXP, V1.5. For VMS Versions prior to V5.0, Digital strongly recommends that you upgrade to a minimum of VMS V5.0 and further, to the latest release of OpenVMS V5.5-2.
_________________________________________________________________________

The remedial kits may be identified as:

VAXSYS01_U2050    VMS V5.0, V5.0-1, V5.0-2
VAXSYS01_U1051    VMS V5.1 thru V5.1-1
VAXSYS01_U1052    VMS V5.2, V5.2-1
VAXSYS01_U2053    VMS V5.3 thru V5.3-2
VAXSYS01_U3054    VMS V5.4 thru V5.4-3
VAXSYS02_U2055    OpenVMS V5.5 thru V5.5-2
AXPSYS01_010      OpenVMS AXP V1.0
_________________________________________________________________________

Copyright (c) Digital Equipment Corporation, 1993 All Rights Reserved.
Published Rights Reserved Under The Copyright Laws Of The United States.
_________________________________________________________________________

ADVISORY INFORMATION:
_________________________________________________________________________

This update kit corrects a potential security vulnerability in the VMS, OpenVMS VAX and OpenVMS AXP operating systems. This potential vulnerability may be further exploited in the form of a malicious program that may allow authorized but unprivileged users to obtain all system privileges, potentially giving the unprivileged user control of your OpenVMS system and data.

NOTE: The update kit must be applied if an update or installation is performed for all versions prior to OpenVMS V6.0 or OpenVMS AXP V1.5. For VMS Versions prior to VMS V5.0, Digital strongly recommends that you upgrade to a minimum of VMS V5.0 and further to the latest release of OpenVMS V5.5-2.
_________________________________________________________________________

PATCH KIT INFORMATION:
_________________________________________________________________________

Digital strongly recommends that you install the available kit on your system(s), to avoid any potential vulnerability as a result of this problem.

Customers with a Digital Services contract may obtain a kit for the affected versions of OpenVMS by contacting your normal support organizations.

- In the U.S. Customers may contact the Customer Support Center at 1(800)354-9000 and request the appropriate kit for your version of OpenVMS, or through DSNlink Text Search database using the keyword text "Potential Security Vulnerability", or DSNlink VTX using the patch number 1084

- Customers in other geographies should contact their normal Digital Services support organizations.

As always, Digital recommends you to regularly review your system management and security procedures. Digital will continue to review and enhance security features, and work with our customers to further improve the integrity of their systems.

=========================== End DEC Advisory ==============================

CIAC recommends that you follow the DEC advisory to obtain and install the appropriate patch.

If you require additional assistance or wish to report a vulnerability, call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002. For emergencies and off-hour assistance call 1-800-SKYPAGE and enter PIN number 855-0070 (primary) or 855-0074 (secondary).

The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400 baud at (510) 423-4753 and 9600 baud at (510) 423-3331. Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the United States Government.
Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.