CERT-SEI

Revised VMS Monitor Vulnerability

Original issue date: November 17,1992
Last revised: September 19, 1997
Attached copyright statement

A complete revision history is at the end of this file.

      *** THIS IS A REVISED CERT ADVISORY ***
*** IT CONTAINS NEW INFORMATION REGARDING AVAILABILITY OF IMAGE KITS ***
*** SUPERSEDES CERT ADVISORY CA-92.16 ***

The CERT Coordination Center received information concerning a potential vulnerability with Digital Equipment Corporation's VMS Monitor. This vulnerability is present in V5.0 through V5.4-2 but has been corrected in V5.4-3 through V5.5-1.  The Software Security Response Team at Digital has provided the following information concerning this vulnerability.

The remedial image kit was not available at the time CERT distributed the CA-92.16.VMS.monitor.vulnerability advisory (dated September 22, 1992).  At that time, Digital strongly suggested that customers either upgrade to VMS V5.4-3 (preferably to V5.5-1) or implement the provided workaround if unable to upgrade.

The following SSRT-200-1 addendum contains information about the availability of new images to address the possible vulnerability with VMS Monitor.

This last and final addendum includes new information about remedial images for VMS V5.0 through V5.4-2.

Digital strongly suggests that those customers who were unable to upgrade their systems (i.e., VMS V5.0 through V5.4-2) obtain and install the remedial image kit on their system(s).

For additional information, please contact your normal Digital Services Support Organization.

  The information separated by the hard line is excerpted from the previously published CERT Advisory


SSRT-0200      PROBLEM: Potential Security Vulnerability Identified in Monitor
                SOURCE: Digital Equipment Corporation
                AUTHOR: Software Security Response Team - U.S.
                        Colorado Springs USA

               PRODUCT:  VMS
Symptoms Identified On:  VMS, Versions 5.0, 5.0-1, 5.0-2, 5.1, 5.1-B,                                       5.1-1, 5.1-2, 5.2, 5.2-1, 5.3,                                       5.3-1, 5.3-2, 5.4, 5.4-1, 5.4-2             *******************************************************             SOLUTION: This problem is not present in VMS V5.4-3                       (released in October 1991) through V5.5-1                       (released in July, 1992.)
            ******************************************************* Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved. Published Rights Reserved Under The Copyright Laws Of The United States.

PROBLEM/IMPACT:

Unauthorized privileges may be expanded to authorized users of a system under certain conditions, via the Monitor utility.  Should a system be compromised through unauthorized access, there is a risk of potential damage to a system environment.  This problem will not permit unauthorized access entry, as individuals attempting to gain unauthorized access will continue to be denied through the standard VMS security mechanisms.

SOLUTION

This potential vulnerability does not exist in VMS V5.4-3 (released in October 1991) and later versions of VMS through V5.5-1. Digital strongly recommends that you upgrade to a minimum of VMS V5.4-3, and further, to the latest release of VMS V5.5-1. (released in July, 1992)

End of material excerpted from previously published CERT Advisory

Beginning of Text Provided by Digital Equipment Corporation


     
21-OCT-1992 SSRT-0200-1 (ADDENDUM)
21-AUG-1992 SSRT-0200


     SOURCE: 		Digital Equipment Corporation
     AUTHOR: 		Software Security Response Team - U.S.
                        Colorado Springs USA

            PRODUCT: VMS MONITOR V5.0 through V5.4-2 

            PROBLEM:  Potential Security Vulnerability in VMS Monitor Utility
            SOLUTION: A VMS V5.0 through V5.4-2 remedial kit is now available 
                      by contacting your normal Digital Services Support 
                      organization.     

            NOTE:     This problem has been corrected in VAX VMS V5.4-3
                      (released in October 1991).  
The kit may be identified as MONTOR$S01_05* or CSCPAT_1047 via DSIN , and DSNlink. Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved. Published Rights Reserved Under The Copyright Laws Of The United States.

ADVISORY ADDENDUM INFORMATION:

    In August 1992, an advisory and article was distributed describing a     potential security vulnerability discovered in the VMS Monitor utility and     provided suggested workarounds to remove the vulnerability. The advisory     was labeled SSRT-200 "Potential Security Vulnerability in VMS Monitor     Utility".     This advisory follows that advisory with information of the     availability of a kit containing a new sys$share:spishr.exe for VMS     V5.0-* through VMS V5.4-2 and may be identified as MONTOR$S01_050     through MONTOR$S01_054 respectively from your Digital Services     organization.     In the U.S.the kit is also identified as CSCPAT_1047 via DSIN and DSNlink. Note:This potential vulnerability does not exist in VMS V5.4-3 and later     versions of VMS.  Digital strongly recommends that you upgrade to a     minimum of VMS V5.4-3, and further, to the latest release of VMS V5.5-1.     (released in July, 1992)     If you cannot upgrade to a minimum of VMS V5.4-3 at this time,     Digital strongly recommends that you install the available V5.0-*     through V5.4-2 kit on your  system(s), available from your support     organization, to avoid any potential vulnerability.     You may obtain a kit for VMS V5.0 through V5.4-2 by contacting your normal     Digital Services support organization. (Customer Support Center, using     DSNlink or DSIN, or your local support office)      As always, Digital recommends that you periodically review your system     management and security procedures.  Digital will continue to review and     enhance the security features of its products and work with customers to     maintain and improve the security and integrity of their systems.

End of Text provided by Digital Equipment Corporation
CERT wishes to thank Teun Nijssen of CERT-NL (the SURFnet CERT, in the Netherlands) for bringing this security vulnerability to our attention. We would also like to thank Digital Equipment Corporation's Software Security Response Team for providing information on this vulnerability.
This document is available from: http://www.preview.cert.org/advisories/CA-1992-18.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.  Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 1992 Carnegie Mellon University.


Revision History
September 19,1997  Attached copyright statement