        _____________________________________________________
               The Computer Incident Advisory Capability
                   ___  __ __    _     ___
                  /       |     / \   /
                  \___  __|__  /___\  \___
        _____________________________________________________

                         INFORMATION BULLETIN

          Patch Available for VAX/VMS MONITOR Vulnerability

October 30, 1992, 0800 PST                                   Number D-03
______________________________________________________________________________

PROBLEM:   The MONITOR utility on VMS Versions 5.0 through 5.4-2 can be
           used to obtain unauthorized privileges.
PLATFORM:  VAX systems running the VMS operating system.
DAMAGE:    An unprivileged user can obtain increased privileges.
SOLUTION:  Upgrade to VMS version 5.4-3 (or higher); alternatively,
           install a new SYS$SHARE:SPISHR.EXE or implement workarounds
           given in CIAC Bulletin C-30.
______________________________________________________________________________

             Critical Information about the MONITOR Patch

CIAC issued Bulletin C-30 on August 31, 1992, which described the
VAX/VMS MONITOR vulnerability in VMS Versions 5.0 through 5.4-2.
Bulletin C-30 contained Digital Equipment Corporation (DEC) advisory
SSRT-0200, which gave workarounds. This bulletin contains DEC's
addendum, SSRT-0200-1, which announces the availability of a kit to fix
problems with the affected VMS versions.

The kit is identified as MONITOR$S01_050, MONITOR$S01_051,
MONITOR$S01_052, MONITOR$S01_053 and MONITOR$S01_054. It contains a new
binary image of SYS$SHARE:SPISHR.EXE, appropriate to the version of VMS
being fixed. It is available from DEC's Digital Services organization.
In the U.S.A., it is also available via DSIN or DSNlink as CSCPAT_1047.

DEC's advisory notice follows:

==============================================================================
21-OCT-1992   SSRT-0200-1 (ADDENDUM)
21-AUG-1992   SSRT-0200

SOURCE:   Digital Equipment Corporation
AUTHOR:   Software Security Response Team - U.S.
          Colorado Springs USA

PRODUCT:  VMS MONITOR V5.0 through V5.4-2

PROBLEM:  Potential Security Vulnerability in VMS MONITOR Utility

SOLUTION: A VMS V5.0 through V5.4-2 remedial kit is now available by
          contacting your normal Digital Services Support organization.

NOTE:     This problem has been corrected in VAX/VMS V5.4-3
          (released in October 1991).
_____________________________________________________________________
The kit may be identified as MONTOR$S01_05* or CSCPAT_1047, available
via DSIN and DSNlink.
_____________________________________________________________________
Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved.
Published Rights Reserved Under the Copyright Laws of the United States.
________________________________________________________________________
ADVISORY ADDENDUM INFORMATION:
________________________________________________________________________

In August 1992, an advisory and article was distributed describing a
potential security vulnerability discovered in the VMS MONITOR utility.
Suggested workarounds to remove the vulnerability were provided. The
advisory was labeled SSRT-0200 "Potential Security Vulnerability in VMS
MONITOR Utility."

This addendum follows that advisory with information of the availability
of a kit containing a new SYS$SHARE:SPISHR.EXE for VMS V5.0-* through
VMS V5.4-2 and may be identified as MONTOR$S01_050 through
MONTOR$S01_054 respectively from your Digital Services organization. In
the U.S., the kit is also identified as CSCPAT_1047, available via DSIN
and DSNlink.

Note: This potential vulnerability does not exist in VMS V5.4-3 and
later versions of VMS. Digital strongly recommends that you upgrade to a
minimum of VMS V5.4-3, and further, to the latest release of VMS, V5.5-1
(released in July, 1992).

If you cannot upgrade to a minimum of VMS V5.4-3 at this time, Digital
strongly recommends that you install the available V5.0-* through V5.4-2
patch kit on your system(s), available from your support organization,
to avoid any potential vulnerability.

You may obtain a kit for VMS V5.0 thru V5.4-2 by contacting your normal
Digital Services support organization (Customer Support Center, using
DSNlink or DSIN, or your local support office).

As always, Digital recommends that you periodically review your system
management and security procedures. Digital will continue to review and
enhance the security features of its products and work with customers to
maintain and improve the security and integrity of their systems.
________________________________________________________________________
End of Advisory SSRT-0200-1
==============================================================================

If you require additional assistance or wish to report a vulnerability,
call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX
messages to: (510) 423-8002. For emergencies only, call 1-800-SKYPAGE
and enter PIN number 855-0070 (primary) or 855-0074 (secondary).

The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400 baud
at (510) 423-4753 and 9600 baud at (510) 423-3331. Previous CIAC
bulletins and other information are available via anonymous ftp from
irbis.llnl.gov (IP address 128.115.19.60).

CIAC wishes to thank Rich Boren of DEC's Software Security Response Team
(SSRT) for the information used in this bulletin.

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Some of the other teams include the NASA NSI response team,
DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your agency's
team will coordinate with CIAC.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights. Reference herein to any
specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation, or favoring by the United
States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California,
and shall not be used for advertising or product endorsement purposes.