Privacy and Legal Notice

CIAC INFORMATION BULLETIN

F-04: Security Vulnerabilities in DECnet/OSI for OpenVMS

November 28, 1994 0900 PST 

PROBLEM:       Security Vulnerabilities exist in certain versions of
               DECnet/OSI for OpenVMS.
PLATFORMS:     (1) DEC Alpha AXP OpenVMS systems running DECnet/OSI Version
               2.0, 2.0A, or 5.7;
               (2) DEC VAX/VMS OpenVMS systems running DECnet/OSI Version 
               5.5, 5.6, 5.6A, 5.6B, 5.7, 5.7A, or DECnet-VAX Version 5.4 
               extensions.
DAMAGE:        Unprivileged system users may gain unauthorized, expanded
               privileges or may crash the operating system.   
SOLUTION:      Install DECnet/OSI Version 5.8, or apply a patch available
               from Digital, or apply the workaround given in the Appendix,
               below.


VULNERABILITY  Although to date these vulnerabilities are not widely known
ASSESSMENT:    nor exploited, CIAC recommends prompt attention.

Critical Information about the Vulnerabilities in DECnet/OSI

CIAC has received information from Digital Equipment Corporation concerning potential security vulnerabilities for those systems running versions of DECnet/OSI prior to Version 5.8. These vulnerabilities may be eliminated by (1) upgrading to DECnet/OSI Version 5.8 or (2) correcting earlier versions by applying DEC supplied patches or (3) applying the workaround provided in the DEC advisory reprinted below.

NOTE: An unofficial DEC advisory on this topic that was previously circulated within some communities should be discarded. The information presented in this advisory is the most complete and accurate to date.

Patch files are available via the normal Digital support channels: DSNlink for warranty and contract customers, the local office for all others.

Patch File Information 

Name             CSCPAT_0597011.A
OpenVMS Checksum 4247567393
MD5 Checksum     79DBE63AC8855D6759EA73B5F419F8ED

Name             CSCPAT_0597011.B
OpenVMS Checksum 1811769591
MD5 Checksum     279E735D15915FC66941D5E2595FA932

Name             CSCPAT_0615011.A
OpenVMS Checksum 756388445
MD5 Checksum     19E698B26F0FAEF75314891A6FB85A7C

Name             CSCPAT_0615011.RELEASE_NOTES
OpenVMS Checksum 38157879
MD5 Checksum     9CEF6DF7DF15FEE539D9159D681C6F12

Name             CSCPAT_0618010.A
OpenVMS Checksum 1502668639
MD5 Checksum     35A7F541B209608869ACD8D2086DA4B6

The patches also fix a bug in the Common Trace Facility (CTF) User Interface which causes systems to crash, as well as correct other problems. If you need additional information or assistance, contact CIAC at 510-422-8193 or Mr. Richard Boren of DEC's Software Security Response Team (SSRT) at 719-592-4689.

CIAC thanks Rich Boren of Digital Equipment Corporation and Ron Tencati of NASA's Automated Systems Incident Response Capability (NAISRC) for providing information used in this bulletin. 
======================= Begin DECnet/OSI Advisory ===========================
|SOURCE: Digital Equipment Corporation
|AUTHOR: Software Security Response Team Colorado Springs, CO.
|PRODUCT: The following products are affected:
|
|       o  DECnet-VAX, Version 5.4 Extensions
|
|       o  DECnet/OSI Version 2.0  for OpenVMS AXP
|       o  DECnet/OSI Version 2.0A for OpenVMS AXP
|       o  DECnet/OSI Version 5.7  for OpenVMS AXP
|
|       o  DECnet/OSI Version 5.5  for OpenVMS VAX
|       o  DECnet/OSI Version 5.6  for OpenVMS VAX
|       o  DECnet/OSI Version 5.6A for OpenVMS VAX
|       o  DECnet/OSI Version 5.6B for OpenVMS VAX
|       o  DECnet/OSI Version 5.7  for OpenVMS VAX
|       o  DECnet/OSI Version 5.7A for OpenVMS VAX
|
|SYMPTOM: User privileges may be expanded under certain circumstances.
| 
|FIX: This potential vulnerability can be removed by installing one of the
|following software updates or Engineering Change Orders (ECO)s available
|from Digital:
|
|    Software update:
|    ----------------
|    DECnet/OSI Version 5.8 for OpenVMS AXP
|    DECnet/OSI Version 5.8 for OpenVMS VAX
|
|                                                ECO
|    Software version:                           number    CSCPAT number
|    -----------------                           ------    -------------
|    DECnet/OSI Version 5.6B for OpenVMS VAX       10      CSCPAT_0597 V1.1
|    DECnet/OSI Version 5.7  for OpenVMS AXP       02      CSCPAT_0615 V1.1
|    DECnet/OSI Version 5.7A for OpenVMS VAX       07      CSCPAT_0618 V1.0
|
|Engineering ECO References:
|
|    CSCPAT_0597 V1.1  = DNVOSIB_ECO10056
|    CSCPAT_0615 V1.1  = DNVOSIAXP_ECO02057
|    CSCPAT_0618 V1.0  = DNVOSIA_ECO07057
|
|If you are unable to install one of the above listed updates or ECOs,
|or if there is no ECO available for the version of DECnet that you are
|currently running, see the workaround described later.
|
|Execute the following command to determine which version of DECnet you
|are currently running:
|
|    $ WRITE SYS$OUTPUT F$GETSYI("DECNET_VERSION")
|
|If "00040100" or "00040200" is displayed then DECnet-VAX, Version 5.4
|Extensions is installed. If the "version" begins with "0005", it means that
|DECnet/OSI is installed. Use the following command to find the version
|number:
|
|    $ MCR NCL SHOW IMPLEMENTATION
|
|and look for the line beginning with "Version =". For example:
|
|    $ WRITE SYS$OUTPUT F$GETSYI("DECNET_VERSION")
|    00050300
|
|    $ MCR NCL SHOW IMPLEMENTATION
|
|    Node 0
|    at 1994-08-24-16:29:38.991+02:00I1.690
|    Characteristics
|        Implementation                    =
|           {
|              [
|              Name = VMS ,
|              Version = "V6.1    "
|              ] ,
|              [
|              Name = DECnet-OSI for OpenVMS ,
|              Version = "DECnet-OSI for OpenVMS Version V5.7 14-JAN-1994..."
|              ]
|           }
|
|Therefore, DECnet/OSI Version 5.7 for OpenVMS (VAX) is running on this
|particular machine.
|
|WORKAROUND: If you are unable to install one of the software updates or
|ECOs listed previously, we strongly recommend that you de-install the
|Common Trace Facility User Interface image (SYS$SYSTEM:CTF$UI.EXE) from
|memory. Execute the following command to determine if this image is
|installed on your system:
|
|    $ INSTALL LIST SYS$SYSTEM:CTF$UI.EXE
|
|The following output is displayed if the image is installed:
|
|    DISK$OPENVMS061:.EXE
|       CTF$UI;5                       Prv
|
|Execute the following command to de-install the image from memory. Note
|that you require the privilege CMKRNL to do this.
|
|    $ INSTALL REMOVE SYS$SYSTEM:CTF$UI.EXE
|
|In addition to de-installing the image from memory, steps should be taken
|to ensure that the image is not (re-)installed during a subsequent machine
|reboot, or when the Common Trace Facility startup command file executed.
|
|To do this, edit the Common Trace Facility startup command file
|(SYS$COMMON:[SYSMGR]CTF$STARTUP.COM) and search for the following text:
|
|    F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe
|
|Comment out the code that installs the image into memory as follows:
|
|  Original code:
|
|    $  IF .NOT. F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe","KNOWN") -
|       THEN install create sys$system:ctf$ui.exe -
|           /privileges=(sysnam,altpri,tmpmbx,syslck,sysgbl,prmgbl,netmbx, -
|                        world,pswapm,prmmbx,bypass,cmkrnl)
|
|  Changed to be comment:
|
|    $!  IF .NOT. F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe","KNOWN") -
|    $!  THEN install create sys$system:ctf$ui.exe -
|    $!     /privileges=(sysnam,altpri,tmpmbx,syslck,sysgbl,prmgbl,netmbx, -
|    $!                  world,pswapm,prmmbx,bypass,cmkrnl)
|
|
|Be aware that de-installing the image from memory means that non-privileged
|users can no longer use the Common Trace Facility User Interface START and
|STOP commands. This is the case even if the NET$TRACE identifiers have been
|granted to the user account. START and STOP commands will only be allowed
|from a privileged account.
|
|AVAILABILITY: If you have a software service or warranty contract, you can
|obtain the required ECO or software update through your regular Digital
|support channels. 
|   NOTE: For non-contract/non-warranty customers contact your local
|   Digital support channels for information regarding these kits.
========================= End DECnet/OSI Advisory =========================
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at: 
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]