CERT-SEI

VMS ANALYZE/PROCESS_DUMP

Original issue date: October 25, 1990
Last revised: September 17, 1997
Attached Copyright Statement

A complete revision history is at the end of this file.

The CERT/CC has received a report of a security vulnerability which exists under specific conditions in Digital VMS Software (Versions 4.0 to 5.4).  The DESCRIPTION, IMPACT, SOLUTION, and CONTACT INFORMATION sections below have been provided to the CERT/CC by the Digital Equipment Corporation.


I. Description

Non-privileged users can acquire system privileges through the ANALYZE/PROCESS_DUMP routine.

II. Impact

Non-privileged users who gain increased privileges might deliberately or inadvertently affect the integrity of system information and/or affect the integrity of the computing resource.

III. Solution

Digital is currently working on a permanent solution to this problem.  While a permanent fix is being completed, Digital recommends that the following actions be taken on every VMS system (this includes all nodes in a VAXcluster system).

After taking the following actions, non-privileged users will not be able to use the ANALYZE/PROCESS_DUMP command.

  1. Log into the system account.

  2. $ SET PROC/PRIV=ALL

  3. a)  For VMS versions prior to V5.0,

         Modify SYS$MANAGER:SYSTARTUP.COM to include the following lines:

             $ SET NOON
             $ MCR INSTALL ANALIMDMP.EXE/DELETE

         as the first two commands in this file.

     b)  For VMS versions V5.0 and later,

         Modify SYS$MANAGER:SYSTARTUP_V5.COM to include the following lines:

             $ SET NOON
             $ MCR INSTALL ANALIMDMP.EXE/DELETE

         as the first two commands in this file.

     c)  For MicroVMS systems,

         The image ANALIMDMP.EXE is not installed by default, but SYSTARTUP.COM contains a suggestion for installing the image if you have multiple users on your system.  You must ensure that this image is not installed by SYSTARTUP.COM.  You can use the following command to verify that the image is not installed:

             $ MCR INSTALL ANALIMDMP/LIST

  4. $ MCR INSTALL ANALIMDMP/DELETE

     This command removes the installed image from the active system.

  5. (Optional) Restart your systems and verify that the image is not installed using the following command:

             $ MCR INSTALL ANALIMDMP/LIST

     You should receive a message similar to the following:

             %INSTALL-W-FAIL, failed to LIST entry for ANALIMDMP.EXE
             -INSTALL-E-NOKFEFND, Known File Entry not found
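
An added example, not part of the original advisory or of Digital's instructions: a Python check, run against a copy of SYSTARTUP.COM or SYSTARTUP_V5.COM, that the file begins with the two commands from step 3 and that no other command line references ANALIMDMP without /DELETE. The function names, the sample files and the simplified DCL comment handling are assumptions of this example.

```python
import re

# The mitigation line from the advisory; ".EXE" is optional because the page
# writes the image both as ANALIMDMP.EXE and as ANALIMDMP.
DELETE_RE = re.compile(r"^MCR INSTALL ANALIMDMP(\.EXE)?/DELETE$")

def dcl_commands(text):
    """Return [(line_no, normalised command)] for each DCL command line.

    Assumption: command lines start with "$" and "!" starts a comment
    (a quoted "!" is not handled, which is fine for the lines checked here).
    """
    cmds = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("$"):
            continue  # not a command line
        cmd = line[1:].split("!", 1)[0].upper()
        # Collapse whitespace and close up "NAME /QUALIFIER" to "NAME/QUALIFIER".
        cmd = re.sub(r"\s*/\s*", "/", " ".join(cmd.split()))
        if cmd:
            cmds.append((no, cmd))
    return cmds

def audit_startup(text):
    """Return a list of findings; an empty list means the file matches step 3."""
    cmds = dcl_commands(text)
    findings = []
    first = [c for _, c in cmds[:2]]
    if len(first) < 2 or first[0] != "SET NOON" or not DELETE_RE.match(first[1]):
        findings.append("first two commands are not SET NOON and the ANALIMDMP /DELETE line")
    for no, cmd in cmds:
        if "ANALIMDMP" in cmd and "/DELETE" not in cmd and "/LIST" not in cmd:
            findings.append(f"line {no} references ANALIMDMP without /DELETE: {cmd}")
    return findings

# Constructed sample files (not taken from a real system).
GOOD = """$ SET NOON
$ MCR INSTALL ANALIMDMP.EXE/DELETE
$! MCR INSTALL ANALIMDMP.EXE   (suggestion left commented out)
$ SET ON
"""
BAD = """$! site startup
$ SHOW TIME
$ MCR INSTALL ANALIMDMP.EXE
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_startup(text) or "ok")
```

A clean result only covers the startup file; step 5's `$ MCR INSTALL ANALIMDMP/LIST` on the running system remains the check that the image is actually not installed.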
    

For further questions, please contact your Digital Customer Support Center.


The CERT/CC thanks Digital for the information above, and thanks Clive Walmsley, Royal Signal and Radar Establishment, Malvern England, for reporting this problem to CERT/CC.


This document is available from: http://www.preview.cert.org/advisories/CA-1990-07.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.  Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 1990 Carnegie Mellon University.


Revision History
September 17, 1997  Attached Copyright Statement