===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Don Stikvoort)                     Index  :    S-94-22
Distribution  : World                                       Page   :          1
Classification: External                                    Version:      Final
Subject       : DECnet/OSI vulnerabilities                  Date   :  05-Dec-94
===============================================================================
 
By courtesy of Digital Equipment Corporation, NASIRC and CIAC we received 
information about DECnet/OSI vulnerabilities.

The problem and solution are described below. If this applies to your
situation, we strongly advise you to follow the suggested steps!
 
Information on how to get other CERT-NL advisories and how to contact us
can be found at the very bottom of this document.

===============================================================================
 

              Security Vulnerabilities in DECnet/OSI for OpenVMS
_____________________________________________________________________________

PROBLEM:       Security Vulnerabilities exist in certain versions of
               DECnet/OSI for OpenVMS.
PLATFORMS:     (1) DEC Alpha AXP OpenVMS systems running DECnet/OSI Version
               2.0, 2.0A, or 5.7;
               (2) DEC VAX/VMS OpenVMS systems running DECnet/OSI Version 
               5.5, 5.6, 5.6A, 5.6B, 5.7, 5.7A, or DECnet-VAX Version 5.4 
               extensions.
DAMAGE:        Unprivileged system users may gain unauthorized, expanded
               privileges or may crash the operating system.   
SOLUTION:      Install DECnet/OSI Version 5.8, or apply a patch available
               from Digital, or apply the workaround given in the Appendix,
               below.
_____________________________________________________________________________

VULNERABILITY  Although to date these vulnerabilities are not widely known
ASSESSMENT:    nor exploited, we recommend prompt attention.
_____________________________________________________________________________


        Critical Information about the Vulnerabilities in DECnet/OSI

We have received information from Digital Equipment Corporation concerning
potential security vulnerabilities for those systems running versions of
DECnet/OSI prior to Version 5.8. These vulnerabilities may be eliminated by
(1) upgrading to DECnet/OSI Version 5.8 or (2) correcting earlier versions
by applying DEC supplied patches or (3) applying the workaround provided in
the DEC advisory reprinted below.

   NOTE: An unofficial DEC advisory on this topic that was previously
   circulated within some communities should be discarded. The information
   presented in this advisory is the most complete and accurate to date. 

Patch files are available via the normal Digital support channels: DSNlink
for warranty and contract customers, the local office for all others.

Patch File Information
Name             CSCPAT_0597011.A
OpenVMS Checksum 4247567393
MD5 Checksum     79DBE63AC8855D6759EA73B5F419F8ED

Name             CSCPAT_0597011.B
OpenVMS Checksum 1811769591
MD5 Checksum     279E735D15915FC66941D5E2595FA932

Name             CSCPAT_0615011.A
OpenVMS Checksum 756388445
MD5 Checksum     19E698B26F0FAEF75314891A6FB85A7C

Name             CSCPAT_0615011.RELEASE_NOTES
OpenVMS Checksum 38157879
MD5 Checksum     9CEF6DF7DF15FEE539D9159D681C6F12

Name             CSCPAT_0618010.A
OpenVMS Checksum 1502668639
MD5 Checksum     35A7F541B209608869ACD8D2086DA4B6

The patches also fix a bug in the Common Trace Facility (CTF) User Interface
which causes systems to crash, as well as correct other problems.   If you
need additional information or assistance, contact your local DEC
representative or Mr. Richard Boren of DEC's Software Security Response 
Team (SSRT) at +1 719 592 4689. 


++++++++++++++++++++ Begin DECnet/OSI Advisory +++++++++++++++++++++++
|SOURCE: Digital Equipment Corporation
|AUTHOR: Software Security Response Team Colorado Springs, CO.
|PRODUCT: The following products are affected:
|
|       o  DECnet-VAX, Version 5.4 Extensions
|
|       o  DECnet/OSI Version 2.0  for OpenVMS AXP
|       o  DECnet/OSI Version 2.0A for OpenVMS AXP
|       o  DECnet/OSI Version 5.7  for OpenVMS AXP
|
|       o  DECnet/OSI Version 5.5  for OpenVMS VAX
|       o  DECnet/OSI Version 5.6  for OpenVMS VAX
|       o  DECnet/OSI Version 5.6A for OpenVMS VAX
|       o  DECnet/OSI Version 5.6B for OpenVMS VAX
|       o  DECnet/OSI Version 5.7  for OpenVMS VAX
|       o  DECnet/OSI Version 5.7A for OpenVMS VAX
|
|SYMPTOM: User privileges may be expanded under certain circumstances.
| 
|FIX: This potential vulnerability can be removed by installing one of the
|following software updates or Engineering Change Orders (ECO)s available
|from Digital:
|
|    Software update:
|    ----------------
|    DECnet/OSI Version 5.8 for OpenVMS AXP
|    DECnet/OSI Version 5.8 for OpenVMS VAX
|
|                                                ECO
|    Software version:                           number    CSCPAT number
|    -----------------                           ------    -------------
|    DECnet/OSI Version 5.6B for OpenVMS VAX       10      CSCPAT_0597 V1.1
|    DECnet/OSI Version 5.7  for OpenVMS AXP       02      CSCPAT_0615 V1.1
|    DECnet/OSI Version 5.7A for OpenVMS VAX       07      CSCPAT_0618 V1.0
|
|Engineering ECO References:
|
|    CSCPAT_0597 V1.1  = DNVOSIB_ECO10056
|    CSCPAT_0615 V1.1  = DNVOSIAXP_ECO02057
|    CSCPAT_0618 V1.0  = DNVOSIA_ECO07057
|
|If you are unable to install one of the above listed updates or ECOs,
|or if there is no ECO available for the version of DECnet that you are
|currently running, see the workaround described later.
|
|Execute the following command to determine which version of DECnet you
|are currently running:
|
|    $ WRITE SYS$OUTPUT F$GETSYI("DECNET_VERSION")
|
|If "00040100" or "00040200" is displayed then DECnet-VAX, Version 5.4
|Extensions is installed. If the "version" begins with "0005", it means that
|DECnet/OSI is installed. Use the following command to find the version
|number:
|
|    $ MCR NCL SHOW IMPLEMENTATION
|
|and look for the line beginning with "Version =". For example:
|
|    $ WRITE SYS$OUTPUT F$GETSYI("DECNET_VERSION")
|    00050300
|
|    $ MCR NCL SHOW IMPLEMENTATION
|
|    Node 0
|    at 1994-08-24-16:29:38.991+02:00I1.690
|    Characteristics
|        Implementation                    =
|           {
|              [
|              Name = VMS ,
|              Version = "V6.1    "
|              ] ,
|              [
|              Name = DECnet-OSI for OpenVMS ,
|              Version = "DECnet-OSI for OpenVMS Version V5.7 14-JAN-1994..."
|              ]
|           }
|
|Therefore, DECnet/OSI Version 5.7 for OpenVMS (VAX) is running on this
|particular machine.
|
|WORKAROUND: If you are unable to install one of the software updates or
|ECOs listed previously, we strongly recommend that you de-install the
|Common Trace Facility User Interface image (SYS$SYSTEM:CTF$UI.EXE) from
|memory. Execute the following command to determine if this image is
|installed on your system:
|
|    $ INSTALL LIST SYS$SYSTEM:CTF$UI.EXE
|
|The following output is displayed if the image is installed:
|
|    DISK$OPENVMS061:<SYS0.SYSCOMMON.SYSEXE>.EXE
|       CTF$UI;5                       Prv
|
|Execute the following command to de-install the image from memory. Note
|that you require the privilege CMKRNL to do this.
|
|    $ INSTALL REMOVE SYS$SYSTEM:CTF$UI.EXE
|
|In addition to de-installing the image from memory, steps should be taken
|to ensure that the image is not (re-)installed during a subsequent machine
|reboot, or when the Common Trace Facility startup command file is executed.
|
|To do this, edit the Common Trace Facility startup command file
|(SYS$COMMON:[SYSMGR]CTF$STARTUP.COM) and search for the following text:
|
|    F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe
|
|Comment out the code that installs the image into memory as follows:
|
|  Original code:
|
|    $  IF .NOT. F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe","KNOWN") -
|       THEN install create sys$system:ctf$ui.exe -
|           /privileges=(sysnam,altpri,tmpmbx,syslck,sysgbl,prmgbl,netmbx, -
|                        world,pswapm,prmmbx,bypass,cmkrnl)
|
|  Changed to a comment:
|
|    $!  IF .NOT. F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe","KNOWN") -
|    $!  THEN install create sys$system:ctf$ui.exe -
|    $!     /privileges=(sysnam,altpri,tmpmbx,syslck,sysgbl,prmgbl,netmbx, -
|    $!                  world,pswapm,prmmbx,bypass,cmkrnl)
|
|
|Be aware that de-installing the image from memory means that non-privileged
|users can no longer use the Common Trace Facility User Interface START and
|STOP commands. This is the case even if the NET$TRACE identifiers have been
|granted to the user account. START and STOP commands will only be allowed
|from a privileged account.
|
|AVAILABILITY: If you have a software service or warranty contract, you can
|obtain the required ECO or software update through your regular Digital
|support channels. 
|   NOTE: For non-contract/non-warranty customers contact your local
|   Digital support channels for information regarding these kits.
+++++++++++++++++++++++++++ End DECnet/OSI Advisory +++++++++++++++++++++++++
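
The version check and the CTF$UI installation check from the DEC advisory
above, combined into one read-only DCL command procedure. This is an added
example, not part of the DEC or CERT-NL text; the file name CHECK_CTF.COM and
the symbol names are assumptions. For DECnet/OSI the exact release must still
be read from the NCL output as the advisory describes.

```dcl
$! CHECK_CTF.COM - added example, not part of the DEC or CERT-NL advisory.
$! Reports the DECnet version code and whether CTF$UI.EXE is installed
$! as a known image. It changes nothing on the system.
$!
$ decnet_ver = F$GETSYI("DECNET_VERSION")
$ WRITE SYS$OUTPUT "DECNET_VERSION = ", decnet_ver
$!
$! "00040100" and "00040200" identify DECnet-VAX Version 5.4 Extensions.
$ IF (decnet_ver .EQS. "00040100") .OR. (decnet_ver .EQS. "00040200")
$ THEN
$     WRITE SYS$OUTPUT "DECnet-VAX Version 5.4 Extensions: listed as affected."
$ ENDIF
$!
$! A code beginning with "0005" means DECnet/OSI; the release itself
$! (5.5 through 5.8) is only visible in the NCL implementation data.
$ IF F$EXTRACT(0, 4, decnet_ver) .EQS. "0005"
$ THEN
$     WRITE SYS$OUTPUT "DECnet/OSI is installed. Check the release with:"
$     WRITE SYS$OUTPUT "    $ MCR NCL SHOW IMPLEMENTATION"
$ ENDIF
$!
$! F$FILE_ATTRIBUTES signals an error if the file is absent, so test
$! for the file first.
$ image = "SYS$SYSTEM:CTF$UI.EXE"
$ IF F$SEARCH(image) .EQS. ""
$ THEN
$     WRITE SYS$OUTPUT image, " not found on disk."
$     EXIT
$ ENDIF
$!
$! "KNOWN" is the same item the CTF startup file tests before it
$! installs the image with privileges.
$ IF F$FILE_ATTRIBUTES(image, "KNOWN")
$ THEN
$     WRITE SYS$OUTPUT image, " is INSTALLED; patch or apply the workaround."
$ ELSE
$     WRITE SYS$OUTPUT image, " is not installed as a known image."
$ ENDIF
$ EXIT
```

Running it again after a reboot confirms that the edit to CTF$STARTUP.COM
took effect and the image was not re-installed.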


==============================================================================
CERT-NL is the Computer Emergency Response Team, located in The
Netherlands. CERT-NL is a Full Member of the Forum of Incident Response
and Security Teams (FIRST). The constituency of CERT-NL consists of the
SURFnet-connected institutions.
 
Past CERT-NL Security Bulletins and other CERT-NL related material can
be found on the anonymous FTP server of SURFnet bv:
ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-nl/docs/bulletin 
 
This information is also available by email. Send an email saying "help"
to "mailserv@nic.surfnet.nl".
   
In case of computer or network security problems please contact CERT-NL
or the CERT of your own constituency. Please be aware of the fact that
we are one (when DST is in effect two) hour(s) ahead of Universal Time
Coordinated (i.e. UTC+0100 (UTC+0200)).
   Email:     cert-nl@surfnet.nl
   Phone:     +31 30 310290
   Fax:       +31 30 340903
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands
   A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST
   members on request.
==============================================================================
 
 
