From: CRDGW2::CRDGW2::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 23-OCT-1990 08:57:14.26 To: MRGATE::"ARISIA::EVERHART" CC: Subj: Serious VMS Security Bug Received: by crdgw1.ge.com (5.57/GE 1.76) id AA00282; Mon, 22 Oct 90 20:12:07 EDT Received: From ccit.arizona.edu ([128.196.120.82]) by CRVAX.SRI.COM with TCP; Mon, 22 OCT 90 16:11:16 PDT Date: Mon, 22 Oct 90 15:57 MST From: KAPLAN@ccit.arizona.edu Subject: Serious VMS Security Bug To: info-vax@sri.com Message-Id: <16C0F4834B3F603056@ccit.arizona.edu> X-Envelope-To: info-vax@sri.com X-Vms-To: IN%"info-vax@sri.com" X-Vms-Cc: KAPLAN Attention! This first came to my attention on the "for pay" DECUServe BBS of the U.S. Chapter of DECUS. Seems to me that the most responsible thing to do is widely distribute it ASAP. As usual, and with considerable justification, DEC is not volunteering this information. If you want confirmation of its authentisity, call your DEC software support number and ask for it specifically since they will not volunteer it. If this is a duplicate of previously distributed information, please accept my appologies. As I said, I think that this deserves immediate action and wide disemination to the community. Please tell everyone you know. (since I can not contact the author of this particularly articulate summary for permission to post it, I have edited it to conceal his identity) Summary:: Critical VMS Security Problem Facts ---------------------------------------------------------------------------- PROBLEM: VMS security problem with the ANALYZE/PROCESS_DUMP command PLATFORM: DEC VMS systems (all versions 4.0 to 5.3 including MicroVMS) DAMAGE: Allows system privileges to non-privileged users (including the user decnet on older VMS systems) WORKAROUND: Disable ANALYZE/PROCESS_DUMP for non-privileged users PATCH: Not currently available, but DEC is aware of the problem SYSTEM IMPACT: The workaround will disallow the use of analyze/process_dump for non-privileged users. Other program debuggers are unaffected ---------------------------------------------------------------------------- A serious security problem on Digital Equipment Corp. (DEC) VMS systems has been detected. The potential damage of this problem is that users may gain unauthorized system privileges through the use of the ANALYZE/PROCESS_DUMP dcl command. In addition, systems that have set up the FAL and default DECNET account to use the same directory have a potential to allow system access to other VMS machines connected to the network. DEC is currently working on a permanent solution to this problem. As a interim measure, DEC recommends that this command be disabled for all non-privileged users. This may be accomplished using the following procedure: 1. Log into the system account. 2. $ SET PROC/PRIV=ALL 3. a) For VMS systems prior to V5.0, Modify SYS$MANAGER:SYSTARTUP.COM to include the following lines as the first two lines in the file: $ SET NOON $ MCR INSTALL ANALIMDMP.EXE/DELETE b) For VMS system V5.0 and later, Modify SYS$MANAGER:SYSTARTUP_V5.COM to include the following as the first two lines of the file: $SET NOON $ MCR INSTALL ANALIMDMP.EXE/DELETE c) For MicroVMS systems, The image ANALIMDMP.EXE is not installed by default, but SYSTARTUP.COM contains a suggestion of installing the image if you have multiple users on your system. You mus ensure that this image is not installed in SYSTARTUP.COM. You can use the following command to verify that the image is not installed: $MCR INSTALL ANALIMDMP/LIST If you receive the message similar to the following: %INSTALL-W-FAIL, failed to LIST entry for ANALIMDMP.EXE then you do not have the image installed. Otherwise, proceed as step 3.a above. 4. $ MCR INSTALL ANALIMDMP/DELETE This command removes the installed image from the active system. 5. (Optional) Restart your systems and verify that the image is not installed using the following command: $MCR INSTALL ANALIMDMP/LIST If you receive the message similar to the following: %INSTALL-W-FAIL, failed to LIST entry for ANALIMDMP.EXE -INSTALL-E-NOKFEFND, Known File Entry not found then you do not have the image installed and your system does not have the security problem. Please feel free to contact me with questions - but it would be better if you posted them here so everyone can learn from them. Ray 8-|)} Ray Kaplan - I know what I don't know W) Computer Center - University of Arizona - Tucson, AZ, 85751 - (602) 621-2857 H) P.O. Box 32647 - Tucson, Arizona 85751 - (602) 323-4606 BITNET: KAPLAN@ARIZRVAX INTERNET: KAPLAN@RVAX.CCIT.ARIZONA.EDU ------------------------------------------------------------------------------ >> THESE ARE MY VIEWS. They do not necessarily reflect those of others ... >> ------------------------------------------------------------------------------