=============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : DEC SSRT-US Index : S-92-16 Distribution : SURFnet Constituency Page : 1 Classification: External Version: final Subject : Potential Security Vulnerability Date : 25-aug-92 Identified in Monitor (VMS) =============================================================================== CERT-NL (SURFnet Computer Emergency Response Team) has received information concerning a security problem in Digital Equipoment Corporation VMS Monitor. CERT-NL wishes to thank DEC SSRT-US for bringing this to our attention. =============================================================================== SSRT-0200 PROBLEM: Potential Security Vulnerability Identified in Monitor SOURCE: Digital Equipment Corporation AUTHOR: Software Security Response Team - U.S. Colorado Springs USA PRODUCT: VMS Symptoms Identified On: VMS, Versions 5.0, 5.0-1, 5.0-2, 5.1, 5.1-B, 5.1-1, 5.1-2, 5.2, 5.2-1, 5.3, 5.3-1, 5.3-2, 5.4, 5.4-1, 5.4-2 ******************************************************* SOLUTION: This problem is not present in VMS V5.4-3 (released in October 1991) through V5.5-1 (released in July, 1992.) ******************************************************* Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved. Published Rights Reserved Under The Copyright Laws Of The United States. ------------------------------------------------------------------------------- PROBLEM/IMPACT: ------------------------------------------------------------------------------- Unauthorized privileges may be expanded to authorized users of a system under certain conditions, via the Monitor utility. Should a system be compromised through unauthorized access, there is a risk of potential damage to a system environment. This problem will not permit unauthorized access entry, as individuals attempting to gain unauthorized access will continue to be denied through the standard VMS security mechanisms. ------------------------------------------------------------------------------- SOLUTION: ------------------------------------------------------------------------------- This potential vulnerability does not exist in VMS V5.4-3 (released in October 1991) and later versions of VMS through V5.5-1. Digital strongly recommends that you upgrade to a minimum of VMS V5.4-3, and further, to the latest release of VMS V5.5-1. (released in July, 1992) ------------------------------------------------------------------------------- INFORMATION: ------------------------------------------------------------------------------- If you cannot upgrade at this time Digital recommends that you implement a workaround (examples attached below) to avoid any potential vulnerability. As always, Digital recommends that you periodically review your system management and security procedures. Digital will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems. ------------------------------------------------------------------------------- WORKAROUND ------------------------------------------------------------------------------- A suggested workaround would be to remove the installed image SYS$SHARE:SPISHR.EXE via VMS INSTALL and/or restrict the use of the MONITOR utility to "privileged" system administrators. Below are the examples of doing both; [1] To disable the MONITOR utility the image SYS$SHARE:SPISHR.EXE should be deinstalled. From a privileged account; For cluster configurations; --------------------------- $ MC SYSMAN SYSMAN> SET ENVIRONMENT/CLUSTER SYSMAN> DO INSTALL REMOVE SYS$SHARE:SPISHR.EXE SYSMAN> DO RENAME SYS$SHARE:SPISHR.EXE SPISHR.HOLD SYSMAN> EXIT For non-VAXcluster configurations; --------------------------------- $INSTALL INSTALL>REMOVE SYS$SHARE:SPISHR.EXE INSTALL>EXIT $RENAME SYS$SHARE:SPISHR.EXE SPISHR.HOLD [2] If you wish to restrict access to the MONITOR command so that only a limited number of authorized (or privileged) persons are granted access to the utility, one method might be to issue the following example commands; From a privileged account; For cluster configurations; --------------------------- $ MC SYSMAN SYSMAN> SET ENVIRONMENT/CLUSTER SYSMAN> DO INSTALL REMOVE SYS$SHARE:SPISHR.EXE SYSMAN> DO SET FILE/ACL=(ID=*,ACCESS=NONE) SYS$SHARE:SPISHR.EXE SYSMAN> DO SET FILE/ACL=(ID=SYSTEM,ACCESS=READ+EXECUTE) SYS$SHARE:SPISHR.EXE SYSMAN> DO INSTALL ADD SYS$SHARE:SPISHR.EXE/OPEN/HEADER/SHARE/PROTECT SYSMAN> EXIT $ THIS WILL IMPACT the MONITOR UTILITY FOR REMOTE MONITORING. LOCAL MONITORING WILL CONTINUE TO WORK FOR PERSONS HOLDING THE ID's GRANTED ACL ACCESS. see additional note(s) below For non-VAXcluster configurations; ---------------------------------- $ INSTALL INSTALL>REMOVE SYS$SHARE:SPISHR.EXE INSTALL>EXIT $ SET FILE /ACL=(ID=*,ACCESS=NONE) SYS$SHARE:SPISHR.EXE $ SET FILE /ACL=(ID=SYSTEM,ACCESS=READ+EXECUTE) SYS$SHARE:SPISHR.EXE $ INSTALL INSTALL>ADD SYS$SHARE:SPISHR.EXE/OPEN/HEADER/SHARE/PROTECT INSTALL>EXIT $ IN THE ABOVE EXAMPLES, THE "SET FILE /ACL" LINE SHOULD BE REPEATED FOR ALL ACCOUNTS THAT ARE REQUIRED/ALLOWED TO USE THE DCL MONITOR COMMAND. NOTE: The ID -SYSTEM- is an example, and should be substituted as necessary with valid user ID's that are associated with accounts you wish to grant access to. ============================================================================== CERT-NL is the Computer Emergency Response Team, located in The Netherlands. CERT-NL is a Full Member of the Forum of Incident Response and Security Teams (FIRST). The constituency of CERT-NL are the SURFnet connected institutions. Past CERT-NL Security Bulletins and other CERT-NL related material can be found on the anonymous FTP server of SURFnet bv: "ftp.nic.surfnet.nl" [192.87.46.3], in the directory "netman/cert-nl". This information is also available using email. Send an email saying "help" to "mailserv@nic.surfnet.nl". In case of computer or network security problems please contact CERT-NL or the CERT of your own constituency. Please be aware of the fact that we are are one hour ahead of Universal Time Coordinated (i.e. UTC+0100). Email: cert-nl@surfnet.nl Phone: +31 30 310290 Fax: +31 30 340903 Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands A 7*24h phonenumber is available to SURFnet SSC's and FIRST members on request ==============================================================================