_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________
INFORMATION BULLETIN
Patch Available for VAX/VMS MONITOR Vulnerability
October 30, 1992, 0800 PST Number D-03
______________________________________________________________________________
PROBLEM:   The MONITOR utility on VMS Versions 5.0 through 5.4-2 can be
           used to obtain unauthorized privileges.
PLATFORM:  VAX systems running the VMS operating system.
DAMAGE:    An unprivileged user can obtain increased privileges.
SOLUTION:  Upgrade to VMS version 5.4-3 (or higher); alternatively,
           install a new SYS$SHARE:SPISHR.EXE or implement workarounds
           given in CIAC Bulletin C-30.
______________________________________________________________________________
Critical Information about the MONITOR Patch
CIAC issued Bulletin C-30 on August 31, 1992, which described the VAX/VMS
MONITOR vulnerability in VMS Versions 5.0 through 5.4-2. Bulletin C-30
contained Digital Equipment Corporation (DEC) advisory SSRT-0200, which gave
workarounds.
This bulletin contains DEC's addendum, SSRT-0200-1, which announces the
availability of a kit to fix problems with the affected VMS versions. The
kit is identified as MONITOR$S01_050, MONITOR$S01_051, MONITOR$S01_052,
MONITOR$S01_053 and MONITOR$S01_054. It contains a new binary image of
SYS$SHARE:SPISHR.EXE, appropriate to the version of VMS being fixed. It is
available from DEC's Digital Services organization. In the U.S.A., it is
also available via DSIN or DSNlink as CSCPAT_1047.
DEC's advisory notice follows:
==============================================================================
21-OCT-1992  SSRT-0200-1 (ADDENDUM)
21-AUG-1992  SSRT-0200

SOURCE:    Digital Equipment Corporation
AUTHOR:    Software Security Response Team - U.S.
           Colorado Springs USA
PRODUCT:   VMS MONITOR V5.0 through V5.4-2
PROBLEM:   Potential Security Vulnerability in VMS MONITOR Utility
SOLUTION:  A VMS V5.0 through V5.4-2 remedial kit is now available
           by contacting your normal Digital Services Support
           organization.
NOTE:      This problem has been corrected in VAX/VMS V5.4-3
           (released in October 1991).
_____________________________________________________________________
The kit may be identified as MONTOR$S01_05* or CSCPAT_1047,
available via DSIN and DSNlink.
_____________________________________________________________________
Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved.
Published Rights Reserved Under the Copyright Laws of the United States.
________________________________________________________________________
ADVISORY ADDENDUM INFORMATION:
________________________________________________________________________
In August 1992, an advisory and article were distributed describing a
potential security vulnerability discovered in the VMS MONITOR utility.
Suggested workarounds to remove the vulnerability were provided. The
advisory was labeled SSRT-0200 "Potential Security Vulnerability in VMS
MONITOR Utility."
This addendum follows that advisory with information on the availability
of a kit containing a new SYS$SHARE:SPISHR.EXE for VMS V5.0-* through
VMS V5.4-2, which may be identified as MONTOR$S01_050 through MONTOR$S01_054
respectively from your Digital Services organization. In the U.S., the
kit is also identified as CSCPAT_1047, available via DSIN and DSNlink.
Note: This potential vulnerability does not exist in VMS V5.4-3 and later
versions of VMS. Digital strongly recommends that you upgrade to a
minimum of VMS V5.4-3, and further, to the latest release of VMS, V5.5-1
(released in July, 1992).
If you cannot upgrade to a minimum of VMS V5.4-3 at this time,
Digital strongly recommends that you install the available V5.0-*
through V5.4-2 patch kit on your system(s), available from your support
organization, to avoid any potential vulnerability.
You may obtain a kit for VMS V5.0 through V5.4-2 by contacting your normal
Digital Services support organization (Customer Support Center, using
DSNlink or DSIN, or your local support office).
As always, Digital recommends that you periodically review your system
management and security procedures. Digital will continue to review and
enhance the security features of its products and work with customers to
maintain and improve the security and integrity of their systems.
________________________________________________________________________
End of Advisory SSRT-0200-1
==============================================================================
If you require additional assistance or wish to report a vulnerability,
call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages
to: (510) 423-8002.
For emergencies only, call 1-800-SKYPAGE and enter PIN number
855-0070 (primary) or 855-0074 (secondary).
The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400
baud at (510) 423-4753 and 9600 baud at (510) 423-3331.
Previous CIAC bulletins and other information are available via
anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).
CIAC wishes to thank Rich Boren of DEC's Software Security Response
Team (SSRT) for the information used in this bulletin.
PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team.
Your agency's team will coordinate with CIAC.
This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights. Reference herein to any
specific commercial products, process, or service by trade name,
trademark manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation, or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of
the United States Government nor the University of California, and shall
not be used for advertising or product endorsement purposes.