PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER {ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER {IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS

U-1,368/DS-SIM {CSG}

SUBJ: VAX/VMS SECURITY VULNERABILITY IN MONITOR {AUTOMATED SYSTEMS SECURITY INCIDENT SUPPORT TEAM {ASSIST} 92-63}.

1. THE MONITOR UTILITY ON VMS VERSIONS 5.0 THRU 5.4-2 CAN BE USED BY AN UNPRIVILEGED USER TO OBTAIN UNAUTHORIZED PRIVILEGES. ASSIST AND DEC RECOMMEND UPGRADING VMS TO THE LATEST VERSION. HOWEVER, IF YOU ARE UNABLE TO UPGRADE, THERE IS A WORKAROUND DESCRIBED IN THIS BULLETIN.

THE PROBLEM HAS BEEN IDENTIFIED IN VMS VERSIONS: 5.0, 5.0-1, 5.0-2, 5.1, 5.1-B, 5.1-1, 5.1-2, 5.2, 5.2-1, 5.3, 5.3-1, 5.3-2, 5.4, 5.4-1, 5.4-2. THIS PROBLEM IS NOT PRESENT IN VMS V5.4-3 (RELEASED IN OCTOBER 1991) THROUGH VMS V5.5-1 (RELEASED IN JULY, 1992).

2. UNAUTHORIZED PRIVILEGES MAY BE EXPANDED TO AUTHORIZED USERS OF A SYSTEM UNDER CERTAIN CONDITIONS, VIA THE MONITOR UTILITY. SHOULD A SYSTEM BE COMPROMISED THROUGH UNAUTHORIZED ACCESS, THERE IS A RISK OF POTENTIAL DAMAGE TO A SYSTEM ENVIRONMENT. THIS PROBLEM WILL NOT PERMIT UNAUTHORIZED ACCESS ENTRY, AS INDIVIDUALS ATTEMPTING TO GAIN UNAUTHORIZED ACCESS WILL CONTINUE TO BE DENIED THROUGH THE STANDARD VMS SECURITY MECHANISMS.

3. A SUGGESTED WORKAROUND WOULD BE TO REMOVE THE INSTALLED IMAGE SYS$SHARE:SPISHR.EXE VIA VMS INSTALL AND/OR RESTRICT THE USE OF THE UTILITY TO "PRIVILEGED" SYSTEM ADMINISTRATORS.

THE MONITOR UTILITY SYS$SHARE:SPISHR.EXE SHOULD BE DEINSTALLED FROM A PRIVILEGED ACCOUNT:

    $ MC SYSMAN
    SYSMAN> SET ENVIRONMENT/CLUSTER
    SYSMAN> DO INSTALL REMOVE SYS$SHARE:SPISHR.EXE
    SYSMAN> DO RENAME SYS$SHARE:SPISHR.EXE SPISHR.HOLD
    SYSMAN> EXIT

FOR NON-VAXCLUSTER CONFIGURATIONS:

    $ INSTALL
    INSTALL> REMOVE SYS$SHARE:SPISHR.EXE
    INSTALL> EXIT
    $ RENAME SYS$SHARE:SPISHR.EXE SPISHR.HOLD

IF YOU WISH TO RESTRICT ACCESS TO THE MONITOR COMMAND SO THAT ONLY A LIMITED NUMBER OF AUTHORIZED (OR PRIVILEGED) USERS HAVE ACCESS TO THE UTILITY, ISSUE THE FOLLOWING COMMANDS:

    SYSMAN> SET ENVIRONMENT/CLUSTER
    SYSMAN> DO INSTALL REMOVE SYS$SHARE:SPISHR.EXE
    SYSMAN> DO SET FILE/ACL=(ID=*,ACCESS=NONE) SYS$SHARE:SPISHR.EXE
    SYSMAN> DO SET FILE/ACL=(ID=SYSTEM,ACCESS=READ+EXECUTE) SYS$SHARE:SPISHR.EXE
    SYSMAN> DO INSTALL ADD SYS$SHARE:SPISHR.EXE/OPEN/HEADER/SHARE/PROTECT
    SYSMAN> EXIT
    $

THIS WILL IMPACT THE MONITOR UTILITY FOR REMOTE MONITORING. LOCAL USE OF MONITOR WILL CONTINUE TO WORK FOR PERSONS HOLDING THE ID'S GRANTED ACL ACCESS. SEE ADDITIONAL NOTE(S) BELOW.

FOR NON-VAXCLUSTER CONFIGURATIONS:

    $ INSTALL
    INSTALL> REMOVE SYS$SHARE:SPISHR.EXE
    INSTALL> EXIT
    $ SET FILE /ACL=(ID=*,ACCESS=NONE) SYS$SHARE:SPISHR.EXE
    $ SET FILE /ACL=(ID=SYSTEM,ACCESS=READ+EXECUTE) SYS$SHARE:SPISHR.EXE
    $ INSTALL
    INSTALL> ADD SYS$SHARE:SPISHR.EXE/OPEN/HEADER/SHARE/PROTECT
    INSTALL> EXIT
    $

NOTE IN THE ABOVE EXAMPLES: THE "SET FILE /ACL" LINE SHOULD BE REPEATED FOR ALL ACCOUNTS THAT ARE REQUIRED/ALLOWED TO USE THE DCL MONITOR COMMAND. THE ID -SYSTEM- SHOULD BE REPLACED WITH VALID USER ID'S THAT ARE TO BE ASSOCIATED WITH ACCOUNTS YOU WISH TO GRANT ACCESS TO.

4. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM {202} 373-8852/55 OR DSN 243-8852/55. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE, PIN NUMBER 2133937 {FROM A TOUCH TONE PHONE ENTER THE CALL BACK NUMBER AFTER THE PROMPT} OR AUTOVON DIAL 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED.
ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT{AT-SIGN}DDN-CONUS.DDN.MIL."