===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL Teun Nijssen                 Index  : S-93-09
Distribution  : SURFnet Constituency                 Page   : 1
Classification: External                             Version: 3
Subject       : VMS security advisory                Date   : 08-mar-93
===============================================================================

CERT-NL recently received an advisory concerning a severe vulnerability in
VAX/VMS from SSRT, Digital's partner member of CERT-NL in FIRST. It is
distributed after a week of intense cooperation between CERT-NL and SSRT.
Instructions on how to get the remedial kits in The Netherlands are at the end
of this advisory.

Please note version 3 of this advisory contains a large new section

start text of original version advisory:
------------------------------------------------------------------------------
ADVISORY INFO:
-------------------------------------------------------------------------
23.FEB.1993

SOURCE:   Digital Equipment Corporation
AUTHOR:   Software Security Response Team
          Colorado Springs USA

PRODUCT:  VMS V5.0 through OpenVMS V5.5-2 & OpenVMS AXP V1.0

PROBLEM:  Potential Security Vulnerability - OpenVMS

SOLUTION: A remedial kit is now available for OpenVMS AXP V1.0,
          VMS V5.0 through OpenVMS Version 5.5-2 (including all SEVMS
          versions V5.1 through V5.5-2 as applicable) by contacting your
          normal Digital Services Support organization.

SEVERITY LEVEL: High

This potential vulnerability has been corrected in the next release of
OpenVMS, V6.0 and OpenVMS AXP, V1.5

For VMS Versions prior to V5.0, Digital strongly recommends that you upgrade
to a minimum of VMS V5.0 and further, to the latest release of
OpenVMS V5.5-2.
-------------------------------------------------------------------------
The remedial kits may be identified as:

     VAXSYS01_U2050     VMS V5.0, V5.0-1, V5.0-2
     VAXSYS01_U1051     VMS V5.1
     VAXSYS01_U1052     VMS V5.2
     VAXSYS01_U2053     VMS V5.3 thru V5.3-2
     VAXSYS01_U3054     VMS V5.4 thru V5.4-3
     VAXSYS02_U2055     OpenVMS V5.5 thru V5.5-2
     AXPSYS01_010       OpenVMS AXP V1.0
-------------------------------------------------------------------------
Copyright (c) Digital Equipment Corporation, 1993 All Rights Reserved.
Published Rights Reserved Under The Copyright Laws Of The United States.
-------------------------------------------------------------------------
ADVISORY INFORMATION:
-------------------------------------------------------------------------
This update kit corrects a potential security vulnerability in the VMS,
OpenVMS VAX and OpenVMS AXP operating systems. This potential vulnerability
may be further exploited in the form of a malicious program that may allow
authorized but unprivileged users to obtain all system privileges, potentially
giving the unprivileged user control of your OpenVMS system and data.

NOTE: The update kit must be applied if an update or installation is
      performed for all versions prior to OpenVMS V6.0 or OpenVMS AXP V1.5.
      For VMS Versions prior to VMS V5.0, Digital strongly recommends that
      you upgrade to a minimum of VMS V5.0 and further to the latest release
      of OpenVMS V5.5-2.
-------------------------------------------------------------------------
INFORMATION:
-------------------------------------------------------------------------
Digital strongly recommends that you install the available kit on your
system(s), to avoid any potential vulnerability as a result of this problem.

Customers with a Digital Services contract may obtain a kit for the affected
versions of OpenVMS by contacting your normal support organizations.

- In the U.S.
  Customers may contact the Customer Support Center at 1(800)354-9000 and
  request the appropriate kit for your version of OpenVMS, or through
  DSNlink Text Search database using the keyword text
  "Potential Security Vulnerability", or DSNlink VTX using the
  patch number 1084

- Customers in other geographies should contact their normal Digital
  Services support organizations.

As always, Digital recommends you to regularly review your system management
and security procedures. Digital will continue to review and enhance security
features, and work with our customers to further improve the integrity of
their systems.
------------------------------------------------------------------------------
end text of original version advisory

The following addendum was received by CERT-NL from the Digital Equipment
Corporation's Software Security Response Team (SSRT) concerning the security
patches to VMS and OpenVMS. It is reproduced unedited.

start of update version 3 advisory:
------------------------------------------------------------------------------
SSRT 02.25 - 01                                               28.FEB.1993

Addendum Advisory RE: SSRT 02.25 dated 23.FEB.1993

SOURCE: Digital Equipment Corporation
AUTHOR: Software Security Response Team
        Colorado Springs, CO.

DESCRIPTION
------------
Digital has received information concerning a problem while upgrading
specifically OpenVMS VAX Version 5.3 to V5.3-1 or V5.3 to V5.3-2 and
OpenVMS VAX V5.5 to V5.5-2 or OpenVMS VAX V5.5-1 to V5.5-2.

------------------------------
OpenVMS VAX versions affected:
------------------------------
upgrade paths

     V5.3   to V5.3-1
     V5.3-1 to V5.3-2
     V5.3   to V5.3-2
     V5.5   to V5.5-2
     V5.5-1 to V5.5-2

A problem may occur during an upgrade to a system that previously installed
the specific Security Kit identified as;

     CSCPAT_1084010.A   (combined kit for all OpenVMS VAX Versions affected.
                        DSNlink kit.)
     VAXSYS01_U2053.A   OpenVMS V5.3, V5.3-1, V5.3-2
     VAXSYS02_U2055.A   OpenVMS V5.5, V5.5-1

NOTE:
*****
All other applicable versions of OpenVMS VAX and their supported upgrade
paths do not exhibit this symptom if the Security Kit (identified in an
advisory SSRT 02.25 dated 23.FEB.1993) was installed before upgrading to the
next higher version.

The Security Kit must be re-applied after all OpenVMS VAX upgrades for V5.0
through V5.5-2.

Digital recommends that until OpenVMS VAX V6.0 or OpenVMS AXP V1.5 is
installed later this year, contact your Digital Services Support organization
to obtain the most current version of the applicable Security Kit identified
in the SSRT 02.25 advisory dated 23.FEB.1993

IMPACT
---------
Following an upgrade from OpenVMS VAX

     V5.3   to V5.3-1
     V5.3-1 to V5.3-2
     V5.3   to V5.3-2
     V5.5   to V5.5-2
     V5.5-1 to V5.5-2

may cause an error directly related to having the Security Kit (identified
above) installed prior to the OpenVMS VAX upgrades listed above, and cause
the system to fail to boot properly at the completion of the upgrade.

SOLUTION
---------
If you renamed the images replaced following the installation of the
Security Kit, restore the saved images prior to upgrading OpenVMS VAX to the
next higher release then re-apply the Security Kit.

The images replaced by the Security Kit identified above are;
PAGE_MANAGEMENT.EXE & IMAGE_MANAGEMENT.EXE and placed in the directory
SYS$LOADABLE_IMAGES:

If the images replaced during the Security Kit installation cannot be
restored, enter the commands as indicated below after your OpenVMS VAX
upgrade completes.

**** IN EACH CASE, THE SOLUTION BELOW IS A POST OpenVMS VAX UPGRADE EVENT ****

!For OpenVMS VAX V5.3 update paths
!       V5.3 to V5.3-1
!       V5.3-1 to V5.3-2
!       V5.3 to V5.3-2
!
! At the point where the OpenVMS upgrade process has completed.
!
! At the "$" prompt issue the following DCL patch steps exactly,
! at the console terminal, and follow the instructions for re-booting.
$ patch/update=(1) image_management.exe
SET ECO 1
REPL/INST 0A0F='BISB2 #01,B^1F(SP)'
'NOP'
EXIT
UPDATE
EXIT

Press the HALT button, reboot the system, and re-install the Security Kit
and reboot again for the Security Kit installation to become effective.
----------------------------------------------------------------------------
!For OpenVMS VAX V5.5 update paths
!
!       V5.5-1 to V5.5-2
!       V5.5 to V5.5-2
!
! At the point where the OpenVMS upgrade process has completed.
! From the systems console invoke a conversational boot by entering the
! following commands as shown and complete the DCL level steps exactly
! and follow the instructions for re-booting.

>>> B/1
SYSBOOT> SET/START=OPA0:
SYSBOOT> C
$ set noon
$ set default [vms$common.sys$ldr]
$ patch/update=(1) image_management.exe
SET ECO 1
REPL/INST 0A2F='BISB2 #01,B^1F(SP)'
'NOP'
EXIT
UPDATE
EXIT
$

Press the HALT button, reboot the system, and re-install the Security Kit
and reboot again for the Security Kit installation to become effective.
------------------------------------------------------------------------------
end of update version 3 advisory
------------------------------------------------------------------------------

CERT-NL has contacted Digital's Customer Service Center in Utrecht
(030) 832888. Organisations contacting CSC may refer to the problem as the
one solved by CSCPAT_1084. After requesting the relevant version(s) by DSN or
telephone, the kits will be downlineloaded via AES or they will be sent on
TK50 or MAGTAPE. The patches can be installed with VMSINSTALL.

CERT-NL thanks Digital's Software Security Response Team for their
cooperation in providing a solution to this problem. Annelies de Wijk (RUG)
is complimented on her attentive system management and thanked for providing
the answers to numerous questions.

CERT-NL advises its constituency to contact Digital Utrecht to obtain the
relevant remedial kits and apply them to their systems without delay.

Goodbye
teun
==============================================================================
CERT-NL is the Computer Emergency Response Team, located in The Netherlands.
CERT-NL is a Full Member of the Forum of Incident Response and Security Teams
(FIRST). The constituency of CERT-NL are the SURFnet connected institutions.

Past CERT-NL Security Bulletins and other CERT-NL related material can be
found on the anonymous FTP server of SURFnet bv: "ftp.nic.surfnet.nl"
[192.87.46.3], in the directory "netman/cert-nl". This information is also
available using email. Send an email saying "help" to
"mailserv@nic.surfnet.nl".

In case of computer or network security problems please contact CERT-NL or
the CERT of your own constituency. Please be aware of the fact that we are
one hour ahead of Universal Time Coordinated (i.e. UTC+0100).

Email:     cert-nl@surfnet.nl
Phone:     +31 30 310290
Fax:       +31 30 340903
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

A 7*24h phonenumber is available to SURFnet SSC's and FIRST members on request
==============================================================================