PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER (ISSO), SPECIAL SECURITY OFFICER (SSO), INFORMATION RESOURCE MANAGER (IRM) AND AUTOMATED DATA PROCESSOR (ADP) COORDINATORS

SUBJECT: FAILURE OF VMS 5.3 TO 5.5-2 TO DISABLE USER ACCOUNTS (AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM (ASSIST) BULLETIN 93-07).

1. A SECURITY PROBLEM EXISTS IN VMS SYSTEMS CONFIGURED TO DISABLE USER ACCOUNTS EXPERIENCING BREAK-IN ATTEMPTS, WHICH MAY RESULT IN THE ACCOUNTS NOT BEING DISABLED AS DESIRED. THIS PROBLEM AFFECTS VAXSTATIONS USING DECWINDOWS OR MOTIF, VMS VERSIONS 5.3 THROUGH OPEN VMS 5.5-2. THE VULNERABILITY COULD ALLOW UNAUTHORIZED USERS TO GAIN ACCESS TO SYSTEM RESOURCES. DOD SITES AFFECTED BY THIS PROBLEM SHOULD APPLY PATCH CSCPAT_0239019, OR PHYSICALLY SECURE WORKSTATIONS IF ACCOUNTS ARE CONFIGURED IN THIS MANNER, AS SOON AS POSSIBLE.

2. THE VULNERABILITY AFFECTS SYSTEMS WHERE THE SYSGEN PARAMETER FOR DISABLING ACCOUNTS IS ENABLED (LGI_BRK_DISUSER IS SET TO 1) AND TRUSTED TO DISABLE ACCOUNTS UNDER ATTACK. IF THE "BREAK-IN LIMIT" (SYSGEN PARAMETER LGI_BRK_LIM) IS EXCEEDED DURING AN INTERVAL DETERMINED BY AN ALGORITHM USING LGI_BRK_TMO, THE SYSTEM DOES NOT DISABLE THE ACCOUNT, WHICH WOULD ALLOW REPEATED ATTACKS ON THE ACCOUNT. OTHER SECURITY FUNCTIONS CONTINUE TO WORK CORRECTLY, SUCH AS EVASION AND SYSUAF COUNTS FOR LOG-IN FAILURES, AS WELL AS SECURITY AUDIT RECORDING. THE VULNERABILITY IS NOT PRESENT WHEN USING NON-LOCAL DECWINDOWS OR MOTIF ACCESS VIA DECNET.

3. TO CORRECT THE POTENTIAL VULNERABILITY IDENTIFIED IN THIS BULLETIN, APPLY PATCH SUITE CSCPAT_0239019, AVAILABLE FROM DIGITAL. IF YOU HAVE DSNLINK FOR VMS, USE THE DSNLINK VTX PATCH APPLICATION. WHEN PROMPTED FOR A SEARCH STRING, USE THE KEYWORD CSCPAT_0239019. IF YOU DO NOT HAVE DSNLINK FOR VMS, CONTACT YOUR LOCAL DIGITAL OFFICE OR YOUR DIGITAL SUPPORT CENTER FOR THE PATCH. UNTIL THE PATCH IS INSTALLED, PHYSICAL ACCESS TO WORKSTATIONS SHOULD BE RESTRICTED TO AUTHORIZED USERS ONLY.

4. YOU MAY FURTHER STRENGTHEN EVASION SECURITY BY IMPLEMENTING THE FOLLOWING RESTRICTIONS:
   - REDUCING LGI_BRK_LIM (DEFAULT 5 LOG-IN ATTEMPTS)
   - INCREASING LGI_HID_TIM (DEFAULT 300 SECONDS)
   - INCREASING LGI_BRK_TMO (DEFAULT 300 SECONDS)
   - CHANGING LGI_BRK_TERM TO 0 (DEFAULT IS 1)
IF YOU HAVE DIAL-UP ACCESS, MAKE CERTAIN THAT THE PARAMETER LGI_RETRY_LIM IS NOT INCREASED BEYOND ITS DEFAULT VALUE OF THREE. ALL VMS SYSTEMS SHOULD ALSO BE UPGRADED TO THE LATEST VERSION OF OPEN VMS AND WINDOWING SOFTWARE AS SOON AS POSSIBLE TO CORRECT OTHER POTENTIAL VULNERABILITIES.

5. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS PETE HAMMES, COMM (703) 696-1924/5/6 OR DSN 226-1924/5/6. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER (800) SKY-PAGE (800-759-7243), PIN NUMBER 2133937. WHEN CALLING THE PAGER SERVICE, FOLLOW THE AUTOMATED VOICE INSTRUCTIONS AND ENTER THE CALL BACK NUMBER AFTER THE PROMPT. THE ASSIST DUTY OFFICER WILL CALL YOU BACK WITHIN 30 MINUTES. IF FASTER SERVICE IS REQUIRED, PREFIX YOUR TELEPHONE NUMBER WITH "999", AND THE ASSIST DUTY OFFICER WILL CALL BACK WITHIN 5 MINUTES. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT(AT-SIGN)DDN-CONUS.DDN.MIL".

BT
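The interaction of the LGI_BRK_LIM, LGI_BRK_TMO, LGI_HID_TIM, LGI_BRK_TERM and LGI_BRK_DISUSER parameters from paragraphs 2 and 4, and the audit symptom of the defect (evasion applied but no DISUSER flag set), can be worked through with the following model. It is an added example and not part of the bulletin or of Digital's LOGINOUT code: the intrusion bookkeeping is a simplified assumption (the real window and evasion timing differ), the HARDENED values are assumed illustrative settings in the direction paragraph 4 recommends, and the login-failure records are constructed.

```python
"""Simplified model of the OpenVMS break-in detection controlled by the
LGI_BRK_* SYSGEN parameters named in ASSIST bulletin 93-07.

Added illustration, not Digital's LOGINOUT code: the real intrusion
database (keyed by user/source/terminal, with randomized evasion
intervals) is modelled only far enough to show how the parameters
interact and what the bulletin's defect looks like in an audit.
"""
from dataclasses import dataclass

# SYSGEN defaults quoted in the bulletin.
DEFAULTS = {"LGI_BRK_LIM": 5, "LGI_BRK_TMO": 300, "LGI_HID_TIM": 300,
            "LGI_BRK_TERM": 1, "LGI_BRK_DISUSER": 1}
# Settings in the direction paragraph 4 recommends; the exact values are
# an assumption chosen for this example, not figures from the bulletin.
HARDENED = {"LGI_BRK_LIM": 3, "LGI_BRK_TMO": 600, "LGI_HID_TIM": 900,
            "LGI_BRK_TERM": 0, "LGI_BRK_DISUSER": 1}


@dataclass
class Record:
    count: int = 0            # failures seen for this association
    expires: float = 0.0      # record forgotten after this time (LGI_BRK_TMO)
    evade_until: float = 0.0  # evasion in force until this time (LGI_HID_TIM)


class BreakinMonitor:
    def __init__(self, params, disuser_works=True):
        self.p = params
        # disuser_works=False reproduces the bulletin's failure mode: evasion
        # and auditing still happen, but the DISUSER flag is never set.
        self.disuser_works = disuser_works
        self.records = {}
        self.disabled = set()   # accounts that received the DISUSER flag
        self.evasions = []      # (time, association) each time evasion is applied

    def association(self, user, source, terminal):
        # With LGI_BRK_TERM=1 the terminal is part of the key, so failures on
        # several workstations are counted separately; 0 pools them.
        if self.p["LGI_BRK_TERM"]:
            return (user, source, terminal)
        return (user, source)

    def login_failure(self, t, user, source, terminal):
        key = self.association(user, source, terminal)
        rec = self.records.get(key)
        if rec is None or t > rec.expires:
            rec = Record()            # stale suspect record: start over
            self.records[key] = rec
        rec.count += 1
        rec.expires = t + self.p["LGI_BRK_TMO"]
        # Modelled as "limit reached"; the real window bookkeeping differs.
        if rec.count >= self.p["LGI_BRK_LIM"]:
            rec.evade_until = t + self.p["LGI_HID_TIM"]
            self.evasions.append((t, key))
            if self.p["LGI_BRK_DISUSER"] and self.disuser_works:
                self.disabled.add(user)

    def is_evading(self, t, user, source, terminal):
        rec = self.records.get(self.association(user, source, terminal))
        return rec is not None and t < rec.evade_until


# Constructed login-failure audit records: (seconds, username, source, terminal).
FAILURES = [
    (0, "SMITH", "LOCAL", "OPA0:"), (20, "SMITH", "LOCAL", "OPA0:"),
    (40, "SMITH", "LOCAL", "OPA0:"), (60, "SMITH", "LOCAL", "OPA0:"),
    (80, "SMITH", "LOCAL", "OPA0:"),
    # JONES: two failures on each of two workstation terminals.
    (100, "JONES", "LOCAL", "WSA1:"), (130, "JONES", "LOCAL", "WSA1:"),
    (160, "JONES", "LOCAL", "WSA2:"), (190, "JONES", "LOCAL", "WSA2:"),
    # BROWN: failures spaced further apart than LGI_BRK_TMO.
    (200, "BROWN", "LOCAL", "OPA0:"), (900, "BROWN", "LOCAL", "OPA0:"),
    (1600, "BROWN", "LOCAL", "OPA0:"),
]


def simulate(params, failures, disuser_works=True):
    m = BreakinMonitor(params, disuser_works)
    for f in failures:
        m.login_failure(*f)
    return m


def expected_disabled(params, failures):
    """Accounts a correctly working system would have DISUSERed."""
    return simulate(params, failures, disuser_works=True).disabled


def audit_gap(params, failures, sysuaf_disabled):
    """Accounts that should carry DISUSER but do not: the symptom to look for
    when checking a workstation for the defect described in the bulletin."""
    return expected_disabled(params, failures) - set(sysuaf_disabled)


if __name__ == "__main__":
    print("defaults :", expected_disabled(DEFAULTS, FAILURES))
    print("hardened :", expected_disabled(HARDENED, FAILURES))
    broken = simulate(DEFAULTS, FAILURES, disuser_works=False)
    print("defective system disabled:", broken.disabled,
          "evasions applied:", len(broken.evasions))
    print("audit gap:", audit_gap(DEFAULTS, FAILURES, sysuaf_disabled=[]))
```

Run as a script, the model shows SMITH caught under the defaults, JONES additionally caught once LGI_BRK_TERM is 0 (terminal-hopping no longer resets the count) and LGI_BRK_LIM is lowered, BROWN slipping through because the gaps exceed LGI_BRK_TMO, and, on the defective system, evasion still being applied while no account is disabled. Comparing expected_disabled against the DISUSER flags actually present in SYSUAF is the check a site can run against its own security audit records.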