[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Revised VMS Monitor Vulnerability

Title: Revised VMS Monitor Vulnerability
Released by: CERT
Date: 17th November 1992
Printable version: Click here
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1





CA-92:18

Last Revised: September 19,1997

                Attached copyright statement





                             CERT Advisory

                           November 17, 1992

                    Revised VMS Monitor Vulnerability 



- ---------------------------------------------------------------------------

                                   

               *** THIS IS A REVISED CERT ADVISORY ***

*** IT CONTAINS NEW INFORMATION REGARDING AVAILABILITY OF IMAGE KITS ***

              *** SUPERSEDES CERT ADVISORY CA-92:16 ***





The CERT Coordination Center received information concerning a

potential vulnerability with Digital Equipment Corporation's VMS

Monitor. This vulnerability is present in V5.0 through V5.4-2 but has

been corrected in V5.4-3 through V5.5-1.  The Software Security 

Response Team at Digital has provided the following information

concerning this vulnerability.



The remedial image kit was not available at the time CERT distributed

the CA-92:16.VMS.monitor.vulnerability advisory (dated September 22,

1992).  At that time, Digital strongly suggested that customers either

upgrade to VMS V5.4-3 (preferably to V5.5-1) or implement the provided

workaround if unable to upgrade.



The following SSRT-200-1 addendum contains information about the

availability of new images to address the possible vulnerability with

VMS Monitor.



This last and final addendum includes new information about remedial

images for VMS V5.0 through V5.4-2.

 

Digital strongly suggests that those customers who were unable to

upgrade their systems (i.e., VMS V5.0 through V5.4-2) obtain and

install the remedial image kit on their system(s).



For additional information, please contact your normal Digital 

Services Support Organization.





           The information separated by the hash (#) line is

         excerpted from the previously published CERT Advisory

##############################################################################



SSRT-0200      PROBLEM: Potential Security Vulnerability Identified in Monitor

                SOURCE: Digital Equipment Corporation

                AUTHOR: Software Security Response Team - U.S.

                        Colorado Springs USA



               PRODUCT:  VMS

Symptoms Identified On:  VMS, Versions 5.0, 5.0-1, 5.0-2, 5.1, 5.1-B,

                                       5.1-1, 5.1-2, 5.2, 5.2-1, 5.3,

                                       5.3-1, 5.3-2, 5.4, 5.4-1, 5.4-2



            *******************************************************

            SOLUTION: This problem is not present in VMS V5.4-3

                      (released in October 1991) through V5.5-1

                      (released in July, 1992.)

            *******************************************************

Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved.

Published Rights Reserved Under The Copyright Laws Of The United States.

- -------------------------------------------------------------------------------

PROBLEM/IMPACT:

- -------------------------------------------------------------------------------

     Unauthorized privileges may be expanded to authorized users of a system

     under certain conditions, via the Monitor utility.   Should a system be

     compromised through unauthorized access, there is a risk of potential

     damage to a system environment.  This problem will not permit unauthorized

     access entry, as individuals attempting to gain unauthorized access will

     continue to be denied through the standard VMS security mechanisms.

- -------------------------------------------------------------------------------

SOLUTION:

- -------------------------------------------------------------------------------

     This potential vulnerability does not exist in VMS V5.4-3

     (released in October 1991) and later versions of VMS through V5.5-1.



     Digital strongly recommends that you upgrade to a minimum of VMS V5.4-3,

     and further, to the latest release of VMS V5.5-1. (released in July, 1992)



################################################################################

        End of material excerpted from previously published CERT Advisory





          Beginning of Text Provided by Digital Equipment Corporation

================================================================================

     21-OCT-1992 SSRT-0200-1 (ADDENDUM)

     21-AUG-1992 SSRT-0200

        

     SOURCE:            Digital Equipment Corporation

     AUTHOR:            Software Security Response Team - U.S.

                        Colorado Springs USA



             PRODUCT: VMS MONITOR V5.0 through V5.4-2 



             PROBLEM: Potential Security Vulnerability in VMS Monitor Utility

            SOLUTION: A VMS V5.0 through V5.4-2 remedial kit is now available 

                      by contacting your normal Digital Services Support 

                      organization.     



            NOTE:     This problem has been corrected in VAX VMS V5.4-3

                      (released in October 1991).  

           __________________________________________________________________

           The kit may be identified as MONTOR$S01_05* or CSCPAT_1047 

           via DSIN , and DSNlink.

           ------------------------------------------------------------------

        

     Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved.

     Published Rights Reserved Under The Copyright Laws Of The United States.



     -------------------------------------------------------------------------  

     ADVISORY ADDENDUM INFORMATION:

     -------------------------------------------------------------------------  



     In August 1992, an advisory and article was distributed describing a 

     potential security vulnerability discovered in the VMS Monitor utility and

     provided suggested workarounds to remove the vulnerability. The advisory

     was labeled SSRT-200 "Potential Security Vulnerability in VMS Monitor

     Utility".



     This advisory follows that advisory with information of the

     availability of a kit containing a new sys$share:spishr.exe for VMS

     V5.0-* through VMS V5.4-2 and may be identified as MONTOR$S01_050

     through MONTOR$S01_054 respectively from your Digital Services

     organization.

     In the U.S.the kit is also identified as CSCPAT_1047 via DSIN and DSNlink.



Note:This potential vulnerability does not exist in VMS V5.4-3 and later

     versions of VMS.  Digital strongly recommends that you upgrade to a

     minimum of VMS V5.4-3, and further, to the latest release of VMS V5.5-1.

     (released in July, 1992)



     If you cannot upgrade to a minimum of VMS V5.4-3 at this time,

     Digital strongly recommends that you install the available V5.0-* 

     through V5.4-2 kit on your  system(s), available from your support 

     organization, to avoid any potential vulnerability. 



     You may obtain a kit for VMS V5.0 through V5.4-2 by contacting your normal

     Digital Services support organization. (Customer Support Center, using 

     DSNlink or DSIN, or your local support office)   



     As always, Digital recommends that you periodically review your system

     management and security procedures.  Digital will continue to review and

     enhance the security features of its products and work with customers to

     maintain and improve the security and integrity of their systems.



===========================================================================

        End of Text provided by Digital Equipment Corporation



- ---------------------------------------------------------------------------

CERT wishes to thank Teun Nijssen of CERT-NL (the SURFnet CERT, in the

Netherlands) for bringing this security vulnerability to our attention.

We would also like to thank Digital Equipment Corporation's Software Security

Response Team for providing information on this vulnerability.

- ---------------------------------------------------------------------------



If you believe that your system has been compromised, contact CERT or

your representative in FIRST (Forum of Incident Response and Security Teams).



Internet E-mail: cert@cert.org

Telephone: 412-268-7090 (24-hour hotline)

           CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),

           on call for emergencies during other hours.



CERT Coordination Center

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890



- ------------------------------------------------------------------------------



Copyright 1992 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.



CERT is registered in the U.S. Patent and Trademark Office.





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Revision History:



September 19,1997  Attached Copyright Statement



-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQA/AwUBOBS+uFr9kb5qlZHQEQJ5MACeKHUwl2vZ6qrma1gLa0dmVa//wTQAn2I/

tBDpk1MbjH/jbx2FViV7wGt/

=djG9

-----END PGP SIGNATURE-----








(C) 1999-2000 All rights reserved.