_______________________________________________________
             The Computer Incident Advisory Capability
_____________________________________________________

                         Information Bulletin

         Failure to disable user accounts for VMS 5.3 to 5.5-2

FEB 12, 1993 1400 PST                                        Number D-06
________________________________________________________________________

PROBLEM:  VMS systems configured to disable user accounts experiencing
          break-in attempts may not disable those accounts, as required.
PLATFORM: VAXstations using DECwindows or Motif, VMS versions 5.3 through
          Open VMS 5.5-2.
DAMAGE:   Unauthorized users could gain access given sufficient time.
SOLUTION: Apply patch CSCPAT_0239019 or physically secure workstations
          if accounts are so configured.
________________________________________________________________________

Critical Facts about potential vulnerability in VMS VAXstations

CIAC has learned of a vulnerability in VAXstations running (Open) VMS versions 5.3 through 5.5-2 when using VMS DECwindows or VMS DECwindows MOTIF. The vulnerability applies to systems where the SYSGEN parameter for disabling accounts under attack is enabled (i.e., LGI_BRK_DISUSER is set to 1). If the "break-in limit," i.e., the log-in failure count threshold (SYSGEN parameter LGI_BRK_LIM), is exceeded during an interval determined by an algorithm using LGI_BRK_TMO, the account will NOT be disabled, allowing repeated attacks. Other security functions, such as evasion and SYSUAF counts for log-in failures, as well as security audit recording, continue to work correctly. The vulnerability is not present when using non-local DECwindows or MOTIF access via DECnet.

If you are not required to invoke automatic account disabling, CIAC recommends that you secure your systems by prudently managing passwords and effectively setting break-in detection and evasion SYSGEN parameters. In most cases the default parameter settings are adequate.
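The break-in detection, evasion and DISUSER behaviour described above, as a simplified Python model added here for illustration (it is not OpenVMS code, and the real failure-counting algorithm is more involved than the fixed LGI_BRK_TMO window used below). The affected-system behaviour the bulletin describes, evasion working but the account never being disabled, corresponds to the disuser=0 path; the Account class and the record_failure, login_allowed and simulate functions are assumed names, not VMS interfaces.

```python
from dataclasses import dataclass, field

# SYSGEN parameters named in the bulletin, with the defaults it quotes.
# The window logic below is a deliberate simplification, not OpenVMS's algorithm.
LGI_BRK_LIM = 5        # login failures tolerated before a break-in is declared
LGI_BRK_TMO = 300      # seconds a failure stays in the break-in history
LGI_HID_TIM = 300      # seconds of evasion (all logins refused) after a break-in
LGI_BRK_DISUSER = 1    # 1 = set DISUSER on the account when a break-in is declared


@dataclass
class Account:
    name: str
    failures: list = field(default_factory=list)  # timestamps of recent failures
    evading_until: float = 0.0                    # end of the evasion period
    disabled: bool = False                        # DISUSER flag in SYSUAF


def record_failure(acct, now, brk_lim=LGI_BRK_LIM, brk_tmo=LGI_BRK_TMO,
                   hid_tim=LGI_HID_TIM, disuser=LGI_BRK_DISUSER):
    """Register one failed login at time `now`; return True if a break-in is declared."""
    # Only failures inside the LGI_BRK_TMO window count toward the limit.
    acct.failures = [t for t in acct.failures if now - t < brk_tmo]
    acct.failures.append(now)
    if len(acct.failures) <= brk_lim:
        return False
    # Limit exceeded: evasion always applies; DISUSER only if the parameter is set.
    acct.evading_until = now + hid_tim
    if disuser:
        acct.disabled = True
    return True


def login_allowed(acct, now):
    """A login may proceed only if the account is enabled and not evading."""
    return not acct.disabled and now >= acct.evading_until


def simulate(n_failures, spacing, **params):
    """Drive n_failures failed logins `spacing` seconds apart; return the account."""
    acct = Account("TESTUSER")  # constructed account name
    for i in range(n_failures):
        record_failure(acct, i * spacing, **params)
    return acct


if __name__ == "__main__":
    ok = simulate(6, 1.0)                 # LGI_BRK_DISUSER=1 honoured, as intended
    bug = simulate(6, 1.0, disuser=0)     # behaviour the bulletin describes
    print("patched:", ok.disabled, "| affected:", bug.disabled, login_allowed(bug, 5.0))
```

On the affected path the account is refused only while evasion lasts and accepts logins again once LGI_HID_TIM has elapsed, which is why the bulletin says access could be gained given sufficient time.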
You may further strengthen evasion security by

   o reducing LGI_BRK_LIM (default 5 log-in attempts)
   o increasing LGI_HID_TIM (default 300 seconds)
   o increasing LGI_BRK_TMO (default 300 seconds)
   o changing LGI_BRK_TERM to 0 (default is 1)

Be advised that each parameter change may increase the risk of denial of service to legitimate users. If you have dial-up access, make certain that the parameter LGI_RETRY_LIM is not increased beyond its default value of three.

In all cases, CIAC recommends that you first upgrade to the latest version of Open VMS and windowing software (to correct other potential vulnerabilities).

To correct the potential vulnerability identified in this bulletin, apply patch suite CSCPAT_0239019, available from Digital. If you have DSNlink for VMS, use the DSNlink VTX Patch Application. When prompted for a search string, use the keyword CSCPAT_0239019. If you do not have DSNlink for VMS, contact your local Digital office or your Digital Support Center for the patch. If you cannot obtain or apply the patch, you should restrict workstation physical access to authorized users.

For additional information or assistance, please contact CIAC at (510) 422-8193/FTS or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002/FTS.

The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400 baud at (510) 423-4753 and 9600 baud at (510) 423-3331. Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

CIAC wishes to acknowledge Tom Moore and Mona Wecksung of Los Alamos National Laboratory for bringing the vulnerability to our attention, and Rich Boren of Digital's Software Security Response Team for leading problem resolution efforts.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.