
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Teun Nijssen/CERT-NL                        Index  :    S-92-19
Distribution  : SURFnet constituency                        Page   :          1
Classification: External                                    Version:      final
Subject       : VMS MONITOR V5.0 through V5.4-2             Date   :  03-nov-92
===============================================================================

Yet again CERT-NL (SURFnet Computer Emergency Response Team) has received
additional information concerning the previously known security problem in VMS
Monitor. This time Digital announces a patch kit for older VMS versions than
were covered previously. The following text is a verbatim copy of Digital's
advisory:

------------------------------------------------------------------------------
FINAL ADDENDUM ADVISORY

The following SSRT-200 addendum is for your information about the availability
of new images to address the possible vulnerability with VMS Monitor.
You may use the information/advisory for distribution however we request that
as before, the attached remain intact.

This last and final addendum includes new information about remedial images
for VMS V5.0 thru V5.4-2.

     -------------------------------------------------------------------------	
     21-OCT-1992 SSRT-0200-1 (ADDENDUM)
     21-AUG-1992 SSRT-0200
	
     SOURCE: 		Digital Equipment Corporation
     AUTHOR: 		Software Security Response Team - U.S.
                        Colorado Springs USA

	     PRODUCT: VMS MONITOR V5.0 through V5.4-2 

             PROBLEM: Potential Security Vulnerability in VMS Monitor Utility
            SOLUTION: A VMS V5.0 through V5.4-2 remedial kit is now available 
                      by contacting your normal Digital Services Support 
                      organization.     

            NOTE:     This problem has been corrected in VAX VMS V5.4-3
                      (released in October 1991).  
                      
           __________________________________________________________________
           The kit may be identified as MONTOR$S01_05* or CSCPAT_1047
           via DSIN and DSNlink.
	   ------------------------------------------------------------------
	
     Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved.
     Published Rights Reserved Under The Copyright Laws Of The United States.

     -------------------------------------------------------------------------	
     ADVISORY ADDENDUM INFORMATION:
     -------------------------------------------------------------------------	


     In August 1992, an advisory and article was distributed describing a
     potential security vulnerability discovered in the VMS Monitor utility and
     provided suggested workarounds to remove the vulnerability. The advisory
     was labeled SSRT-200 "Potential Security Vulnerability in VMS Monitor
     Utility".

     This addendum follows that advisory with information of the availability 
     of a kit containing a new sys$share:spishr.exe for VMS V5.0-* through VMS 
     V5.4-2 and may be identified as MONTOR$S01_050 thru MONTOR$S01_054
     respectively from your Digital Services organization. 
     In the U.S. the kit is also identified as CSCPAT_1047 via DSIN and DSNlink.

Note: This potential vulnerability does not exist in VMS V5.4-3 and later
     versions of VMS.  Digital strongly recommends that you upgrade to a
     minimum of VMS V5.4-3, and further, to the latest release of VMS V5.5-1.
     (released in July, 1992)

     If you cannot upgrade to a minimum of VMS V5.4-3 at this time,
     Digital strongly recommends that you install the available V5.0-* 
     through V5.4-2 kit on your  system(s), available from your support 
     organization, to avoid any potential vulnerability. 

     You may obtain a kit for VMS V5.0 thru V5.4-2 by contacting your normal
     Digital Services support organization. (Customer Support Center, using 
     DSNlink or DSIN, or your local support office)   

     As always, Digital recommends that you periodically review your system
     management and security procedures.  Digital will continue to review and
     enhance the security features of its products and work with customers to
     maintain and improve the security and integrity of their systems.

     -------------------------------------------------------------------------	
     End of Advisory



CERT-NL wishes to thank Digital's Software Security Response Team for
this information and advises system managers running relevant versions
of VMS to obtain the mentioned security kit from Digital Netherlands.

==============================================================================
CERT-NL is the Computer Emergency Response Team, located in The
Netherlands. CERT-NL is a Full Member of the Forum of Incident Response
and Security Teams (FIRST). The constituency of CERT-NL are the SURFnet
connected institutions.

Past CERT-NL Security Bulletins and other CERT-NL related material can
be found on the anonymous FTP server of SURFnet bv:
"ftp.nic.surfnet.nl" [192.87.46.3], in the directory "netman/cert-nl".
This information is also available using email. Send an email saying
"help" to "mailserv@nic.surfnet.nl".

In case of computer or network security problems please contact CERT-NL
or the CERT of your own constituency. Please be aware of the fact that
we are one hour ahead of Universal Time Coordinated (i.e. UTC+0100).
Email:     cert-nl@surfnet.nl
Phone:     +31 30 310290
Fax:       +31 30 340903
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA  UTRECHT
           The Netherlands
A 7*24h phone number is available to SURFnet SSC's and FIRST members on request.
==============================================================================
