===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Rene Ritzen)                 Index  : S-93-17
Distribution  : World                                 Page   : 1
Classification: External                              Version: Final
Subject       : Vulnerabilities in VM/CMS and         Date   : 31-Aug-93
                VM/CMS ESA
===============================================================================

CERT-NL has received information concerning a vulnerability in the DMSDDL
command (NETDATA command after release 5). This vulnerability affects
releases 4 through 8 of IBM's VM/CMS and VM/CMS ESA operating systems.

CERT-NL recommends that any sites running CMS versions 4 through 8 take
corrective action immediately.

IBM has fixed this vulnerability. Fixes can be obtained by contacting your
local IBM Software Service Representative. Customers using VM/CMS SP5 or SP6
should reference Authorized Program Analysis Report (APAR) number VM54148.
Customers using VM/CMS ESA should reference APAR number VM54760. Program
Trouble Fixes (PTFs) which correct the problem for the respective release can
be requested in this way.

-------------------------------------------------------------------------------

I.   Description

     Under certain circumstances the command:

          DMSDDL RECEIVE TEMPFILE CMSUT1 D1

     is a serious vulnerability. It allows anyone to replace any file, with a
     self-specified filename, on the minidisk of the "service machines" that
     are accepting files from the spool.

     Note: the DMSDDL command was renamed to NETDATA with CMS release 6, but
     the problem must be reported for CMS release 5 so that it can be
     sysrouted to all versions of CMS. The problem has been observed on all
     versions of CMS from 4 to 8.

II.  Impact

     This vulnerability makes it possible to corrupt critical files.

III. Solution

     Obtain and install the PTFs mentioned above.

-------------------------------------------------------------------------------

CERT-NL wishes to thank part of the EARN-NOG (Network Operations Group) for
informing us of these vulnerabilities.

CERT-NL wishes to thank Tom Russell and Julie L. Craft from IBM for their
response to this problem.

-------------------------------------------------------------------------------
===============================================================================

CERT-NL is the Computer Emergency Response Team, located in The Netherlands.
CERT-NL is a Full Member of the Forum of Incident Response and Security Teams
(FIRST). The constituency of CERT-NL consists of the SURFnet-connected
institutions.

Past CERT-NL Security Bulletins and other CERT-NL related material can be
found on the anonymous FTP server of SURFnet bv: "ftp.nic.surfnet.nl"
[192.87.46.3], in the directory "surfnet/net-security/cert-nl/docs/bulletin".
This information is also available using email. Send an email saying "help"
to "mailserv@nic.surfnet.nl".

In case of computer or network security problems please contact CERT-NL or
the CERT of your own constituency. Please be aware of the fact that we are one
(when DST is in effect two) hour(s) ahead of Universal Time Coordinated
(i.e. UTC+0100 (UTC+0200)).

Email:     cert-nl@surfnet.nl
Phone:     +31 30 310290
Fax:       +31 30 340903
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA  UTRECHT
           The Netherlands

A 7*24h phone number is available to SURFnet SSCs and FIRST members on
request.

===============================================================================
----- End of Advisory

-------------------------------------------------------------------------------
Rene Ritzen, Dep. of Telecommunications | Phone : +31 30 533785
Academic Computer Centre Utrecht (ACCU) | Fax   : +31 30 531633
P.O. Box 80011                          | E-mail: Rene.Ritzen@cc.ruu.nl
3508 TA Utrecht                         | X.400 : G=Rene;S=Ritzen;
the Netherlands                         |         OU=cc;O=ruu;PRMD=surf
                                        |         ADMD=400net;C=nl
-------------------------------------------------------------------------------