_____________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ _____________________________________________________ INFORMATION BULLETIN Security Vulnerabilities in DECnet/OSI for OpenVMS November 28, 1994 0900 PST Number F-04 _____________________________________________________________________________ PROBLEM: Security Vulnerabilities exist in certain versions of DECnet/OSI for OpenVMS. PLATFORMS: (1) DEC Alpha AXP OpenVMS systems running DECnet/OSI Version 2.0, 2.0A, or 5.7; (2) DEC VAX/VMS OpenVMS systems running DECnet/OSI Version 5.5, 5.6, 5.6A, 5.6B, 5.7, 5.7A, or DECnet-VAX Version 5.4 extensions. DAMAGE: Unprivileged system users may gain unauthorized, expanded privileges or may crash the operating system. SOLUTION: Install DECnet/OSI Version 5.8, or apply a patch available from Digital, or apply the workaround given in the Appendix, below. _____________________________________________________________________________ VULNERABILITY Although to date these vulnerabilities are not widely known ASSESSMENT: nor exploited, CIAC recommends prompt attention. _____________________________________________________________________________ Critical Information about the Vulnerabilities in DECnet/OSI CIAC has received information from Digital Equipment Corporation concerning potential security vulnerabilities for those systems running versions of DECnet/OSI prior to Version 5.8. These vulnerabilities may be eliminated by (1) upgrading to DECnet/OSI Version 5.8 or (2) correcting earlier versions by applying DEC supplied patches or (3) applying the workaround provided in the DEC advisory reprinted below. NOTE: An unofficial DEC advisory on this topic that was previously circulated within some communities should be discarded. The information presented in this advisory is the most complete and accurate to date. Patch files are available via the normal Digital support channels: DSNlink for warranty and contract customers, the local office for all others. Patch File Information Name CSCPAT_0597011.A OpenVMS Checksum 4247567393 MD5 Checksum 79DBE63AC8855D6759EA73B5F419F8ED Name CSCPAT_0597011.B OpenVMS Checksum 1811769591 MD5 Checksum 279E735D15915FC66941D5E2595FA932 Name CSCPAT_0615011.A OpenVMS Checksum 756388445 MD5 Checksum 19E698B26F0FAEF75314891A6FB85A7C Name CSCPAT_0615011.RELEASE_NOTES OpenVMS Checksum 38157879 MD5 Checksum 9CEF6DF7DF15FEE539D9159D681C6F12 Name CSCPAT_0618010.A OpenVMS Checksum 1502668639 MD5 Checksum 35A7F541B209608869ACD8D2086DA4B6 The patches also fix a bug in the Common Trace Facility (CTF) User Interface which causes systems to crash, as well as correct other problems. If you need additional information or assistance, contact CIAC at 510-422-8193 or Mr. Richard Boren of DEC's Software Security Response Team (SSRT) at 719-592-4689. _____________________________________________________________________________ CIAC thanks Rich Boren of Digital Equipment Corporation and Ron Tencati of NASA's Automated Systems Incident Response Capability (NAISRC) for providing information used in this bulletin. _____________________________________________________________________________ If you require additional assistance or wish to report a vulnerability, contact CIAC at: Voice: 510-422-8193 FAX: 510-423-8002 STU-III: 510-423-2604 E-mail: ciac@llnl.gov Previous CIAC notices, anti-virus software, and other information are available on the Internet via anonymous FTP from ciac.llnl.gov (IP address 128.115.19.53). CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information, and Bulletins, important computer security information; 2. CIAC-NOTES for Notes, a collection of computer security articles; 3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send requests of the following form: subscribe list-name LastName, FirstName PhoneNumber as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and "PhoneNumber." Send to: ciac-listproc@llnl.gov not to: ciac@llnl.gov e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36 subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36 You will receive an acknowledgment containing address and initial PIN, and information on how to change either of them, cancel your subscription, or get help. _____________________________________________________________________________ PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending E-mail to first-request@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes. _____________________________________________________________________________ ======================= Begin DECnet/OSI Advisory =========================== |SOURCE: Digital Equipment Corporation |AUTHOR: Software Security Response Team Colorado Springs, CO. |PRODUCT: The following products are affected: | | o DECnet-VAX, Version 5.4 Extensions | | o DECnet/OSI Version 2.0 for OpenVMS AXP | o DECnet/OSI Version 2.0A for OpenVMS AXP | o DECnet/OSI Version 5.7 for OpenVMS AXP | | o DECnet/OSI Version 5.5 for OpenVMS VAX | o DECnet/OSI Version 5.6 for OpenVMS VAX | o DECnet/OSI Version 5.6A for OpenVMS VAX | o DECnet/OSI Version 5.6B for OpenVMS VAX | o DECnet/OSI Version 5.7 for OpenVMS VAX | o DECnet/OSI Version 5.7A for OpenVMS VAX | |SYMPTOM: User privileges may be expanded under certain circumstances. | |FIX: This potential vulnerability can be removed by installing one of the |following software updates or Engineering Change Orders (ECO)s available |from Digital: | | Software update: | ---------------- | DECnet/OSI Version 5.8 for OpenVMS AXP | DECnet/OSI Version 5.8 for OpenVMS VAX | | ECO | Software version: number CSCPAT number | ----------------- ------ ------------- | DECnet/OSI Version 5.6B for OpenVMS VAX 10 CSCPAT_0597 V1.1 | DECnet/OSI Version 5.7 for OpenVMS AXP 02 CSCPAT_0615 V1.1 | DECnet/OSI Version 5.7A for OpenVMS VAX 07 CSCPAT_0618 V1.0 | |Engineering ECO References: | | CSCPAT_0597 V1.1 = DNVOSIB_ECO10056 | CSCPAT_0615 V1.1 = DNVOSIAXP_ECO02057 | CSCPAT_0618 V1.0 = DNVOSIA_ECO07057 | |If you are unable to install one of the above listed updates or ECOs, |or if there is no ECO available for the version of DECnet that you are |currently running, see the workaround described later. | |Execute the following command to determine which version of DECnet you |are currently running: | | $ WRITE SYS$OUTPUT F$GETSYI("DECNET_VERSION") | |If "00040100" or "00040200" is displayed then DECnet-VAX, Version 5.4 |Extensions is installed. If the "version" begins with "0005", it means that |DECnet/OSI is installed. Use the following command to find the version |number: | | $ MCR NCL SHOW IMPLEMENTATION | |and look for the line beginning with "Version =". For example: | | $ WRITE SYS$OUTPUT F$GETSYI("DECNET_VERSION") | 00050300 | | $ MCR NCL SHOW IMPLEMENTATION | | Node 0 | at 1994-08-24-16:29:38.991+02:00I1.690 | Characteristics | Implementation = | { | [ | Name = VMS , | Version = "V6.1 " | ] , | [ | Name = DECnet-OSI for OpenVMS , | Version = "DECnet-OSI for OpenVMS Version V5.7 14-JAN-1994..." | ] | } | |Therefore, DECnet/OSI Version 5.7 for OpenVMS (VAX) is running on this |particular machine. | |WORKAROUND: If you are unable to install one of the software updates or |ECOs listed previously, we strongly recommend that you de-install the |Common Trace Facility User Interface image (SYS$SYSTEM:CTF$UI.EXE) from |memory. Execute the following command to determine if this image is |installed on your system: | | $ INSTALL LIST SYS$SYSTEM:CTF$UI.EXE | |The following output is displayed if the image is installed: | | DISK$OPENVMS061:.EXE | CTF$UI;5 Prv | |Execute the following command to de-install the image from memory. Note |that you require the privilege CMKRNL to do this. | | $ INSTALL REMOVE SYS$SYSTEM:CTF$UI.EXE | |In addition to de-installing the image from memory, steps should be taken |to ensure that the image is not (re-)installed during a subsequent machine |reboot, or when the Common Trace Facility startup command file executed. | |To do this, edit the Common Trace Facility startup command file |(SYS$COMMON:[SYSMGR]CTF$STARTUP.COM) and search for the following text: | | F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe | |Comment out the code that installs the image into memory as follows: | | Original code: | | $ IF .NOT. F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe","KNOWN") - | THEN install create sys$system:ctf$ui.exe - | /privileges=(sysnam,altpri,tmpmbx,syslck,sysgbl,prmgbl,netmbx, - | world,pswapm,prmmbx,bypass,cmkrnl) | | Changed to be comment: | | $! IF .NOT. F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe","KNOWN") - | $! THEN install create sys$system:ctf$ui.exe - | $! /privileges=(sysnam,altpri,tmpmbx,syslck,sysgbl,prmgbl,netmbx, - | $! world,pswapm,prmmbx,bypass,cmkrnl) | | |Be aware that de-installing the image from memory means that non-privileged |users can no longer use the Common Trace Facility User Interface START and |STOP commands. This is the case even if the NET$TRACE identifiers have been |granted to the user account. START and STOP commands will only be allowed |from a privileged account. | |AVAILABILITY: If you have a software service or warranty contract, you can |obtain the required ECO or software update through your regular Digital |support channels. | NOTE: For non-contract/non-warranty customers contact your local | Digital support channels for information regarding these kits. ========================= End DECnet/OSI Advisory =========================