============================================================================= AA-94.06 AUSCERT Advisory 01-Dec-1994 DECnet/OSI Vulnerabilities for OpenVMS ----------------------------------------------------------------------------- Potential security vulnerabilities for OpenVMS systems running versions of DECnet/OSI prior to Version 5.8. 1. Description Security vulnerabilities exist in the following versions of DECnet/OSI on the following platforms: * DEC Alpha AXP OpenVMS systems Versions 2.0, 2.0A and 5.7 * DEC VAX/VMS OpenVMS systems Versions 5.5, 5.6, 5.6A, 5.6B, 5.7 and 5.7A DECnet-VAX Version 5.4 extensions 2. Impact Unprivileged system users may gain unauthorized, expanded privileges or may crash the operating system. 3. Proposed Solutions These vulnerabilities may be eliminated by: * upgrading to DECnet/OSI Version 5.8 (see Section 3.1); or * by applying DEC supplied patches to versions earlier than 5.8 (see Section 3.2); or * by applying the workaround provided in the DEC advisory below (see Section 3.3). 3.1 Upgrade to DECnet/OSI Version 5.8 DEC customers who have a maintenance agreement with the media and documentation update service will receive DECnet/OSI Version 5.8 automatically. DEC customers who do not have a maintenance agreement with update service may buy DECnet/OSI Version 5.8 by contacting DECdirect on 008 021 393. 3.2 Patch File Information Patch files are available via DSNlink for warranty and contract customers. All other DEC customers may obtain patches by placing a service call with the Customer Support Centre (CSC) by calling 008 252 277. Name CSCPAT_0597011.A OpenVMS Checksum 4247567393 MD5 Checksum 79DBE63AC8855D6759EA73B5F419F8ED Name CSCPAT_0597011.B OpenVMS Checksum 1811769591 MD5 Checksum 279E735D15915FC66941D5E2595FA932 Name CSCPAT_0615011.A OpenVMS Checksum 756388445 MD5 Checksum 19E698B26F0FAEF75314891A6FB85A7C Name CSCPAT_0615011.RELEASE_NOTES OpenVMS Checksum 38157879 MD5 Checksum 9CEF6DF7DF15FEE539D9159D681C6F12 Name CSCPAT_0618010.A OpenVMS Checksum 1502668639 MD5 Checksum 35A7F541B209608869ACD8D2086DA4B6 The patches also fix a bug in the Common Trace Facility (CTF) User Interface which causes systems to crash, and correct other problems. 3.3 Workaround Digital Equipment Corporation has requested that their Advisory be reprinted exactly as it was received: ======== Reprint of Digital Equipment Corporation Advisory begins ======== SOURCE: Digital Equipment Corporation AUTHOR: Software Security Response Team Colorado Springs, CO. PRODUCT: The following products are affected: o DECnet-VAX, Version 5.4 Extensions o DECnet/OSI Version 2.0 for OpenVMS AXP o DECnet/OSI Version 2.0A for OpenVMS AXP o DECnet/OSI Version 5.7 for OpenVMS AXP o DECnet/OSI Version 5.5 for OpenVMS VAX o DECnet/OSI Version 5.6 for OpenVMS VAX o DECnet/OSI Version 5.6A for OpenVMS VAX o DECnet/OSI Version 5.6B for OpenVMS VAX o DECnet/OSI Version 5.7 for OpenVMS VAX o DECnet/OSI Version 5.7A for OpenVMS VAX SYMPTOM: User privileges may be expanded under certain circumstances. FIX: This potential vulnerability can be removed by installing one of the following software updates or Engineering Change Orders (ECO)s available from Digital: Software update: ---------------- DECnet/OSI Version 5.8 for OpenVMS AXP DECnet/OSI Version 5.8 for OpenVMS VAX ECO Software version: number CSCPAT number ----------------- ------ ------------- DECnet/OSI Version 5.6B for OpenVMS VAX 10 CSCPAT_0597 V1.1 DECnet/OSI Version 5.7 for OpenVMS AXP 02 CSCPAT_0615 V1.1 DECnet/OSI Version 5.7A for OpenVMS VAX 07 CSCPAT_0618 V1.0 Engineering ECO References: CSCPAT_0597 V1.1 = DNVOSIB_ECO10056 CSCPAT_0615 V1.1 = DNVOSIAXP_ECO02057 CSCPAT_0618 V1.0 = DNVOSIA_ECO07057 If you are unable to install one of the above listed updates or ECOs, or if there is no ECO available for the version of DECnet that you are currently running, see the workaround described later. Execute the following command to determine which version of DECnet you are currently running: $ WRITE SYS$OUTPUT F$GETSYI("DECNET_VERSION") If "00040100" or "00040200" is displayed then DECnet-VAX, Version 5.4 Extensions is installed. If the "version" begins with "0005", it means that DECnet/OSI is installed. Use the following command to find the version number: $ MCR NCL SHOW IMPLEMENTATION and look for the line beginning with "Version =". For example: $ WRITE SYS$OUTPUT F$GETSYI("DECNET_VERSION") 00050300 $ MCR NCL SHOW IMPLEMENTATION Node 0 at 1994-08-24-16:29:38.991+02:00I1.690 Characteristics Implementation = { [ Name = VMS , Version = "V6.1 " ] , [ Name = DECnet-OSI for OpenVMS , Version = "DECnet-OSI for OpenVMS Version V5.7 14-JAN-1994..." ] } Therefore, DECnet/OSI Version 5.7 for OpenVMS (VAX) is running on this particular machine. WORKAROUND: If you are unable to install one of the software updates or ECOs listed previously, we strongly recommend that you de-install the Common Trace Facility User Interface image (SYS$SYSTEM:CTF$UI.EXE) from memory. Execute the following command to determine if this image is installed on your system: $ INSTALL LIST SYS$SYSTEM:CTF$UI.EXE The following output is displayed if the image is installed: DISK$OPENVMS061:.EXE CTF$UI;5 Prv Execute the following command to de-install the image from memory. Note that you require the privilege CMKRNL to do this. $ INSTALL REMOVE SYS$SYSTEM:CTF$UI.EXE In addition to de-installing the image from memory, steps should be taken to ensure that the image is not (re-)installed during a subsequent machine reboot, or when the Common Trace Facility startup command file executed. To do this, edit the Common Trace Facility startup command file (SYS$COMMON:[SYSMGR]CTF$STARTUP.COM) and search for the following text: F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe Comment out the code that installs the image into memory as follows: Original code: $ IF .NOT. F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe","KNOWN") - THEN install create sys$system:ctf$ui.exe - /privileges=(sysnam,altpri,tmpmbx,syslck,sysgbl,prmgbl,netmbx, - world,pswapm,prmmbx,bypass,cmkrnl) Changed to be comment: $! IF .NOT. F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe","KNOWN") - $! THEN install create sys$system:ctf$ui.exe - $! /privileges=(sysnam,altpri,tmpmbx,syslck,sysgbl,prmgbl,netmbx, - $! world,pswapm,prmmbx,bypass,cmkrnl) Be aware that de-installing the image from memory means that non-privileged users can no longer use the Common Trace Facility User Interface START and STOP commands. This is the case even if the NET$TRACE identifiers have been granted to the user account. START and STOP commands will only be allowed from a privileged account. AVAILABILITY: If you have a software service or warranty contract, you can obtain the required ECO or software update through your regular Digital support channels. NOTE: For non-contract/non-warranty customers contact your local Digital support channels for information regarding these kits. ========= Reprint of Digital Equipment Corporation Advisory ends ========= ---------------------------------------------------------------------------- The AUSCERT team wishes to thank the U.S. Department of Energy Computer Incident Advisory Capability (CIAC), Rich Boren of Digital Equipment Corporation and Ron Tencati of NASA's Automated Systems Incident Response Capability (NAISRC) for providing information used in this bulletin. ---------------------------------------------------------------------------- If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). AUSCERT is the Australian Computer Emergency Response Team, funded by the Australian Academic Research Network (AARNet) for its members. It is located at The University of Queensland within the Prentice Centre. AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST). AUSCERT maintains an anonymous FTP service which is currently based at ftp.sert.edu.au:/security. This archive contains past SERT and AUSCERT Advisories, and other computer security information. Internet Email: auscert@auscert.org.au Facsimile: (07) 365 4477 Telephone: (07) 365 4417 (International: +61 7 365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. Postal: Australian Computer Emergency Response Team c/- Prentice Centre The University of Queensland Brisbane Qld. 4072. AUSTRALIA