===============================================================================
                           Security Advisory CERT-NL
===============================================================================
Author/Source : CERT-NL Teun Nijssen          Index         : S-93-06
Distribution  : World                          Page          : 1
Classification: External                       Version       : final
Subject       : Calendar Manager, Russell Inform. Sciences
Date          : 10-feb-93
===============================================================================

CERT-NL (the SURFnet Computer Emergency Response Team) has received
information concerning a serious security problem in a software product
running on VAX/VMS.

The software concerned is "Calendar Manager", produced by:

    Russell Information Sciences, Inc.
    115 Columbia Suite 100
    Laguna Hills, CA, USA
    Tel +1 714 362-4000
    FAX +1 714 362-4040

The problems were observed running Calendar Manager in combination with
VMS Version V5.5 and Pathworks for VMS V4.1C. However, it is firmly
believed that neither VMS nor Pathworks is the cause of the problems;
presumably the security of any version of VMS and Pathworks is affected
by Calendar Manager in the same way.

Description of the problem in all versions of Calendar Manager preceding
version V4.0-10:

  . Calendar Manager's startup procedure installs images with enhanced
    privileges. Installing images with privileges is a common way to
    share information between users in a VMS environment.

  . A method has been discovered that exploits these installed images in
    an unintended manner, giving rise to security problems.

  . Removing the privileges from the installed images seriously restricts
    the functionality of the software, so this is not a workaround.

Effectively this opens a VAX/VMS system to methods by which any user
with access to Calendar Manager can obtain full privileges.

Recognizing the security issues in the Calendar Manager software,
Russell Information Sciences has responded by producing version V4.0-10.
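The advisory does not (and should not) describe the exploitation method, but a system manager can at least establish which images the product installs with privileges and confirm the version in use. The DCL command procedure below is an added example; it is not part of the CERT-NL advisory nor supplied by Russell Information Sciences. It assumes the INSTALL utility is run from an account holding CMKRNL, and the names SYS$STARTUP:CALMGR_STARTUP.COM and SYS$SYSTEM:CALMGR.EXE are placeholders for whatever startup procedure and image the Calendar Manager kit actually provides.

```dcl
$! Added example, not from the CERT-NL advisory or the vendor.
$! Records which installed images carry enhanced privileges (the "Prv"
$! attribute shown by INSTALL LIST) before and after the product's startup
$! procedure runs, so the images Calendar Manager installs with privileges
$! can be identified and re-checked after the upgrade to V4.0-10.
$! CALMGR_STARTUP.COM and CALMGR.EXE below are placeholder names.
$!
$ ON ERROR THEN GOTO CLEANUP
$!
$! 1. Snapshot of privileged installed images before the startup procedure.
$!    INSTALL LIST/FULL lists every known image with its attributes and,
$!    for privileged images, a "Privileges =" line; SEARCH keeps only
$!    those lines (entry access counters are dropped so the later
$!    comparison is not swamped by changing counts).
$ DEFINE/USER_MODE SYS$OUTPUT SYS$SCRATCH:INSTALL_BEFORE.LIS
$ INSTALL LIST/FULL
$ SEARCH/OUTPUT=SYS$SCRATCH:PRV_BEFORE.LIS -
      SYS$SCRATCH:INSTALL_BEFORE.LIS "Prv", "Privileges"
$!
$! 2. Run the product's startup procedure (placeholder name; substitute the
$!    procedure shipped with the Calendar Manager kit) and snapshot again.
$ @SYS$STARTUP:CALMGR_STARTUP.COM
$ DEFINE/USER_MODE SYS$OUTPUT SYS$SCRATCH:INSTALL_AFTER.LIS
$ INSTALL LIST/FULL
$ SEARCH/OUTPUT=SYS$SCRATCH:PRV_AFTER.LIS -
      SYS$SCRATCH:INSTALL_AFTER.LIS "Prv", "Privileges"
$!
$! 3. Every privileged image present only in the second listing was
$!    installed by the startup procedure.  Review each one and the
$!    privileges attached to it.
$ DIFFERENCES SYS$SCRATCH:PRV_BEFORE.LIS SYS$SCRATCH:PRV_AFTER.LIS
$!
$! 4. Confirm the product version from the image identification that
$!    ANALYZE/IMAGE prints (placeholder image name).
$ ANALYZE/IMAGE SYS$SYSTEM:CALMGR.EXE
$!
$CLEANUP:
$ DELETE/NOCONFIRM SYS$SCRATCH:INSTALL_BEFORE.LIS;*, -
      SYS$SCRATCH:INSTALL_AFTER.LIS;*
$ EXIT
```

Run the procedure once on the vulnerable installation to learn which images and privileges are involved, and again after installing V4.0-10 to confirm what the new version installs. As the advisory notes, simply removing the privileges from those images breaks the product, so the comparison is for verification, not a substitute for upgrading.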
Experienced users of Calendar Manager in The Netherlands have confirmed
that this version solves the problems exhibited in all previous versions.

CERT-NL wishes to thank Willem Bast and Leo de Lange of PTT Research,
The Netherlands, for bringing this information to the attention of
CERT-NL. CERT-NL also thanks Russell Information Sciences, Inc. for their
cooperation in solving the security problems by producing the new version.

CERT-NL advises organisations running any version of Calendar Manager up
to V4.0-9 to obtain and install the latest version.

houdoe, teun

==============================================================================
CERT-NL is the Computer Emergency Response Team, located in The
Netherlands. CERT-NL is a Full Member of the Forum of Incident Response
and Security Teams (FIRST). The constituency of CERT-NL are the SURFnet
connected institutions.

Past CERT-NL Security Bulletins and other CERT-NL related material can be
found on the anonymous FTP server of SURFnet bv: "ftp.nic.surfnet.nl"
[192.87.46.3], in the directory "netman/cert-nl". This information is
also available by email: send a message saying "help" to
"mailserv@nic.surfnet.nl".

In case of computer or network security problems please contact CERT-NL
or the CERT of your own constituency. Please be aware that we are one
hour ahead of Coordinated Universal Time (i.e. UTC+0100).

Email     : cert-nl@surfnet.nl
Phone     : +31 30 310290
Fax       : +31 30 340903
Snailmail : SURFnet bv
            Attn. CERT-NL
            P.O. Box 19035
            NL - 3501 DA  UTRECHT
            The Netherlands

A 7x24h phone number is available to SURFnet SSCs and FIRST members on
request.
==============================================================================