[comp.os.vms] vms security patch

KVC@ENGVAX.SCG.HAC.COM (Kevin Carosso) (05/31/87)

Me and my big mouth...

When I sent a message out to the list indicating that the security patch
went in ok,  I also made the (possible) mistake of mentioning that I had
a test program that demo'd the problem.  Several (tons) of people have since
asked for a copy of the program, mainly to check their own site's vulnerability,
or they want to know the hole so they can see if their users have exploited
it.

I'm certain that the inquiries were based solely on the best of intentions,
but I cannot in good conscience distribute the thing.  I hope people will
understand that I don't wish to bear the responsibility of the program causing
someone a problem because it "fell into the wrong hands".

Most of the reasons and questions I got were:

- "I need to know if it's serious enough to warrant patching a
   production machine"

  The patch is simple and requires no down-time.  Simply reinstall the
  image.  The problem is serious enough to warrant you taking every effort
  to patch it.

- "How do I know if someone exploited it?  How do I tell if someone
   uses it in the future?"

  I will say only that it allows a nonprivileged user to modify SYSUAF.DAT.
  If things are strange in SYSUAF.DAT, maybe you got got.  Placing an alarm
  ACL on SYSUAF.DAT may help catch someone.  A skilled attacker, however,
  may have left no obvious traces so there are no guarantees.  It is very
  esoteric.  Not something you stumble upon.

- "How do I know if I need it?" "Is it big enough?"

  You need it if you are running VMS 4.4 or 4.5.  I do not know about
  4.5A, B, and C.  I suspect, but have no proof, that it is fixed in 4.6.
  You really do need it.

- "How do I get the patch?  Please send it to me!"

  DEC is making every effort to distribute the patch to all sites.
  When I called, the TSC informed me that a mandatory update was being sent
  to everyone who gets VMS updates.  I assume that includes those people who
  don't have TSC access, but still get VMS distributions.  If you really
  have no access to TSC contact your local DEC office.  I'm sure they
  will get it to you even if you don't have support.

  I have only given it to those I know personally.

Anyway, I hope everyone can understand my reasons for disappointing them.

        /Kevin Carosso            kvc@engvax.scg.hac.com
         Hughes Aircraft Co.      kvc%engvax@oberon.usc.edu

LEICHTER-JERRY@YALE.ARPA (05/31/87)

Just a brief expansion on what Kevin said:

    - "How do I know if I need it?" "Is it big enough?"
    
      You need it if you are running VMS 4.4 or 4.5.  I do not know about
      4.5A, B, and C.  I suspect, but have no proof, that it is fixed in 4.6.
      You really do need it.

You DO need it for 4.5A, B and C.  The same patches WILL appear in 4.6.

The following is from memory, so the exact numbers may not be right:  The
patches are all to one file SYS$SHARE:SECURESHR.EXE, and set ECO levels 1
through 6.  ECO levels 1 and 2 were actually part of VMS 4.5; when the patch
is applied on a 4.5 system, VMSINSTAL will tell you about this (but proceed
to apply the other four patches anyway).  When it comes time to install 4.6,
VMSINSTAL will complain when it finds ECOs 3-6 already set, but again that's
no big deal.  In general, nothing terrible will happen if these patches
are applied twice, so play it safe.

There's no reason NOT to apply this patch.  If you've received this patch
and haven't applied it, expect no sympathy from ANYONE if Joe Hacker then
proceeds to rob you blind.
							-- Jerry
-------
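
[Editor's note: the following DCL is an added example and is not from Kevin's
or Jerry's posts.  It puts into commands two things the posts only describe:
Jerry's point that the fix sets ECO levels 1-6 in SYS$SHARE:SECURESHR.EXE,
and Kevin's suggestion of an alarm ACL on SYSUAF.DAT.  Keyword spellings
(the PATCH SHOW ECO command, SET AUDIT/ALARM/ENABLE=ACL, the ALARM_JOURNAL
ACE form) are from memory of the V4 manuals; check SET ACL, SET AUDIT and
PATCH in your own DCL Dictionary before running it from a SYSTEM account.]

```dcl
$! Added example, not from the posts above.  Assumes a VMS 4.x system and
$! a SYSTEM account (SET AUDIT and REPLY/ENABLE=SECURITY need SECURITY
$! privilege; SET ACL on SYSUAF.DAT needs control access to the file).
$!
$! 1. See which ECO levels are already set in SECURESHR.EXE.  Jerry says
$!    the fix sets levels 1 through 6 (1 and 2 were already in 4.5).
$!    SHOW ECO only reads the image header; no UPDATE is issued, so the
$!    image is not rewritten.
$ PATCH/NOJOURNAL SYS$SHARE:SECURESHR.EXE
SHOW ECO
EXIT
$!
$! 2. Alarm on anyone writing SYSUAF.DAT.  Alarm ACEs do nothing until
$!    ACL alarms are enabled, and the messages go only to terminals
$!    enabled for the SECURITY operator class.  Alarm on WRITE, DELETE
$!    and CONTROL, not READ: LOGINOUT reads SYSUAF at every login and a
$!    READ alarm would flood the console.  This catches future writes
$!    only; as Kevin says, a past visit may have left no trace.
$ SET AUDIT/ALARM/ENABLE=ACL
$ SET ACL/OBJECT_TYPE=FILE SYS$SYSTEM:SYSUAF.DAT -
      /ACL=(ALARM_JOURNAL=SECURITY,ACCESS=WRITE+DELETE+CONTROL+SUCCESS+FAILURE)
$ SHOW ACL SYS$SYSTEM:SYSUAF.DAT
$!
$! 3. Make this terminal a security operator so the alarms are seen.
$!    Put the SET AUDIT line in SYSTARTUP.COM too, or it is lost at reboot.
$ REPLY/ENABLE=SECURITY
```

Expected SHOW ECO output on a patched system lists ECO levels 1 through 6
as set; on an unpatched 4.5 system only 1 and 2 appear.  Once the ACE is in
place, any successful or failed attempt to write SYSUAF.DAT is reported on
the security operator terminal with the user name and image involved.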

MANAGER@SMITH.BITNET (Mary Malmros) (06/01/87)

Kevin Carosso wrote that DEC is making every effort to distribute the patch to
all sites.  This was not my experience.  I called my DEC rep, explained the
situation, and asked for the patch.  She talked to someone else who said that
they were only distributing it to people who could prove that they could do the
hack or that the hack had been done to them. I'm ANNOYED.  I'm VERY VERY
ANNOYED.  My two machines are both on VMS 4.5 and I don't have the option to go
back, even if I were that crazy, because one is an 8500 and needs 4.4 for the
necessary drivers or whatever.  Furthermore, they're connected via DECnet to
about 22 machines at other sites in the area, all college/university sites with
God knows how many students who think that terrorizing systems managers is the
greatest new fun activity since someone discovered how to pull the wings off
flies.

Okay, flame off and sorry for the extraneous @^%#^$^!%#$%.  I would appreciate
it if anyone can help in the following ways:

1.  Does anyone else who is on software self-maintenance know of any
recourse other than DEC reps, when dealing with buggy software?

2.  Does anyone know when 4.6 will be out, and does anyone have any more
definite ideas about whether it will contain a fix?

3.  Failing either of those, can anyone show me the hole so I can get the
patch?  I understand that no one wants to post it, but I will call you or
you can call me or I'll meet you somewhere and give you the secret password or
whatever.

PLEASE HELP.

Mary Malmros
Systems Manager
Center for Academic Computing
Stoddard Hall 24
Smith College
Northampton MA 01063
(413) 584-2700 x3073