Internet Message Format | 1994-07-02 | 7KB
From: NSI Short-Timer (2/24/93)
To: ciac-team@cheetah.llnl.GOV
Mail*Link SMTP NSI Security Bulletin #93-0
=============================================================================
NASA SCIENCE INTERNET - SECURITY BULLETIN NUMBER: 93-01
February 23, 1993
SUBJECT: Potential Security Vulnerability in OpenVMS
-----------------------------------------------------------------------------
NASA/NSI DISTRIBUTION: Official Use Only
FIRST Restrictions: NONE
=============================================================================
The NSI Security Office received the following advisory from Digital
Equipment Corporation's Software Security Response Team (SSRT).

A vulnerability exists in VAX/VMS V5.0 through OpenVMS V5.5-2 and
OpenVMS AXP V1.0. There have been some incidents of malicious code
being used to exploit this vulnerability.

NSI sites that cannot obtain the remedial kits described below should
contact the NSI Security Office using the information provided at the end
of this bulletin.

The following is the DEC bulletin:
-------------------------------------------------------------------------
23.FEB.1993

SOURCE:         Digital Equipment Corporation
AUTHOR:         Software Security Response Team
                Colorado Springs USA

PRODUCT:        VMS V5.0 through OpenVMS V5.5-2 & OpenVMS AXP V1.0

PROBLEM:        Potential Security Vulnerability - OpenVMS

SOLUTION:       A remedial kit is now available for OpenVMS AXP V1.0,
                VMS V5.0 through OpenVMS Version 5.5-2 (including all SEVMS
                versions V5.1 through V5.5-2 as applicable) by contacting
                your normal Digital Services Support organization.

SEVERITY LEVEL: High
This potential vulnerability has been corrected in the next release of
OpenVMS, V6.0 and OpenVMS AXP, V1.5. For VMS Versions prior to V5.0,
Digital strongly recommends that you upgrade to a minimum of VMS
V5.0 and further, to the latest release of OpenVMS V5.5-2.
-------------------------------------------------------------------------
The remedial kits may be identified as:

    VAXSYS01_U2050    VMS V5.0, V5.0-1, V5.0-2
    VAXSYS01_U1051    VMS V5.1
    VAXSYS01_U1052    VMS V5.2
    VAXSYS01_U2053    VMS V5.3 thru V5.3-2
    VAXSYS01_U3054    VMS V5.4 thru V5.4-3
    VAXSYS02_U2055    OpenVMS V5.5 thru V5.5-2
    AXPSYS01_010      OpenVMS AXP V1.0
-------------------------------------------------------------------------
Copyright (c) Digital Equipment Corporation, 1993 All Rights Reserved.
Published Rights Reserved Under The Copyright Laws Of The United States.
-------------------------------------------------------------------------
ADVISORY INFORMATION:
-------------------------------------------------------------------------
This update kit corrects a potential security vulnerability in the VMS,
OpenVMS VAX and OpenVMS AXP operating systems. This potential
vulnerability may be further exploited in the form of a malicious program
that may allow authorized but unprivileged users to obtain all system
privileges, potentially giving the unprivileged user control of your
OpenVMS system and data.
NOTE:
The update kit must be applied if an update or installation is performed
for all versions prior to OpenVMS V6.0 or OpenVMS AXP V1.5. For VMS
Versions prior to VMS V5.0, Digital strongly recommends that you upgrade
to a minimum of VMS V5.0 and further to the latest release of OpenVMS
V5.5-2.
-------------------------------------------------------------------------
INFORMATION:
-------------------------------------------------------------------------
Digital strongly recommends that you install the available kit on your
system(s), to avoid any potential vulnerability as a result of this
problem.

Customers with a Digital Services contract may obtain a kit for the
affected versions of OpenVMS by contacting your normal support
organizations.

- In the U.S., customers may contact the Customer Support Center
  at 1(800)354-9000 and request the appropriate kit for your version
  of OpenVMS, or through DSNlink Text Search database using the
  keyword text "Potential Security Vulnerability", or DSNlink VTX using
  the patch number 1084.

- Customers in other geographies should contact their normal Digital
  Services support organizations.

As always, Digital recommends that you regularly review your system
management and security procedures. Digital will continue to review and
enhance security features, and work with our customers to further improve
the integrity of their systems.
-------------------------------------------------------------------------
[End of DEC Advisory]

Ron Tencati
Security Manager
NASA Science Internet

If you believe your system may have been compromised, be sure to contact
your system administrator or your local Computer Security Official first.

If you require any assistance with information contained in this bulletin,
or if you believe you have discovered an unreported vulnerability relating
to VMS, UNIX, DECnet or TCP/IP, contact your NSI Routing Center Manager
or the NSI Security Office at:

    Phone:  +1-202-434-4541     TCP/IP: Security@Nsipo.Arc.Nasa.Gov
    FAX:    +1-202-434-4599     X.25:   31103210703593::Security
    Beeper: +1-800-SKY-PAGE     DECnet: NSINIC::Security
    (24Hrs) (Pin# 5460866)

NSI wishes to thank Digital Equipment Corporation's Software Security
Response Team (SSRT) for their timely reporting of this vulnerability
to the user community via the Forum of Incident Response and Security
Teams (FIRST).
------------------ RFC822 Header Follows ------------------
Received: by internetqm.llnl.gov with SMTP;24 Feb 1993 10:14:20 U
Return-path: TENCATI@nssdca.gsfc.nasa.GOV
Received: from icdc.llnl.gov by icdc.llnl.gov (PMDF #3384 ) id
<01GV3GWI16JK9BVFER@icdc.llnl.gov>; Wed, 24 Feb 1993 10:05:25 PST
Received: from pierce.llnl.gov by icdc.llnl.gov (PMDF #3384 ) id
<01GV3GVAN12O9BVFQ8@icdc.llnl.gov>; Wed, 24 Feb 1993 10:04:32 PST
Received: by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92) id AA26254; Wed,
24 Feb 93 10:04:59 PST
Received: from nixon.llnl.gov by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92)
id AA26234; Wed, 24 Feb 93 10:04:51 PST
Received: by nixon.llnl.gov (5.57/1.15) id AA25427; Wed,
24 Feb 93 10:05:09 -0800
Received: from NSSDCA.GSFC.NASA.GOV by (4.1/SMI-4.1) id AA05421; Wed,
24 Feb 93 10:03:53 PST
Date: 24 Feb 1993 12:56:00 -0500 (EST)
From: TENCATI@nssdca.gsfc.nasa.GOV (NSI Short-Timer)
Subject: NSI Security Bulletin #93-01: OpenVMS Security Vulnerabilty
Resent-to: BILL_ORVIS@QUICKMAIL.llnl.GOV
To: ciac-team@cheetah.llnl.GOV
Resent-message-id: <01GV3GWI4NXE9BVFER@icdc.llnl.gov>
Message-id: <930224125600.20c0092d@NSSDCA.GSFC.NASA.GOV>
X-Envelope-to: BILL_ORVIS@QUICKMAIL.llnl.gov
X-VMS-To: IN%"ciac-team@cheetah.llnl.GOV"
Content-transfer-encoding: 7BIT
X-Vmsmail-To: SMTP%"ciac-team@cheetah.llnl.gov"
======================================================================