[misc.security] Serious VMS security bug

KAPLAN@CCIT.ARIZONA.EDU (10/23/90)

(cross posted to INFO-VAX)

This first came to my attention on the "for pay" DECUServe BBS of the U.S. 
Chapter of DECUS.  Seems to me that the most responsible thing to do is widely 
distribute it ASAP.  As usual, and with considerable justification, DEC is not 
volunteering this information.  If you want confirmation of its authenticity, 
call your DEC software support number and ask for it specifically since they 
will not volunteer it.

If this is a duplicate of previously distributed information, please accept my 
apologies.  As I said, I think that this deserves immediate action and wide 
dissemination to the community.  Please tell everyone you know.
 
(since I can not contact the author of this particularly articulate summary 
for permission to post it, I have edited it to conceal his identity)

Summary:  Critical VMS Security Problem Facts
----------------------------------------------------------------------------
PROBLEM:  	VMS security problem with the ANALYZE/PROCESS_DUMP command
PLATFORM: 	DEC VMS systems (all versions 4.0 to 5.3 including MicroVMS)
DAMAGE: 	Allows system privileges to non-privileged users
		(including the user decnet on older VMS systems)
WORKAROUND: 	Disable ANALYZE/PROCESS_DUMP for non-privileged users
PATCH: 		Not currently available, but DEC is aware of the problem
SYSTEM IMPACT: 	The workaround will disallow the use of analyze/process_dump
		for non-privileged users.  Other program debuggers are
		unaffected
----------------------------------------------------------------------------
 
A serious security problem on Digital Equipment Corp. (DEC) VMS systems has
been detected.  The potential damage of this problem is that users may gain
unauthorized system privileges through the use of the ANALYZE/PROCESS_DUMP DCL
command.  In addition, systems that have set up the FAL and default DECNET
account to use the same directory have a potential to allow system access to
other VMS machines connected to the network. 
 
DEC is currently working on a permanent solution to this problem.  As
an interim measure, DEC recommends that this command be disabled for
all non-privileged users.  This may be accomplished using the
following procedure:
 
1.	Log into the system account.
 
2.	$ SET PROC/PRIV=ALL
 
3.	a) For VMS systems prior to V5.0,
 
	Modify SYS$MANAGER:SYSTARTUP.COM to include the following
	lines as the first two lines in the file:
 
		$ SET NOON
		$ MCR INSTALL ANALIMDMP.EXE/DELETE
 
	b) For VMS systems V5.0 and later,
 
	Modify SYS$MANAGER:SYSTARTUP_V5.COM to include the following
	as the first two lines of the file:
 
		$ SET NOON
		$ MCR INSTALL ANALIMDMP.EXE/DELETE
 
	c) For MicroVMS systems,
 
	The image ANALIMDMP.EXE is not installed by default, but
	SYSTARTUP.COM contains a suggestion of installing the image if
	you have multiple users on your system.  You must ensure that
	this image is not installed in SYSTARTUP.COM.  You can use the
	following command to verify that the image is not installed:
 
	$MCR INSTALL ANALIMDMP/LIST
 
	If you receive the message similar to the following:
 
	%INSTALL-W-FAIL, failed to LIST entry for ANALIMDMP.EXE
 
	then you do not have the image installed.  Otherwise, proceed
	as step 3.a above.
 
4.	$ MCR INSTALL ANALIMDMP/DELETE
 
	This command removes the installed image from the active system.
 
5.	(Optional) Restart your systems and verify that the image is
	not installed using the following command:
 
	$MCR INSTALL ANALIMDMP/LIST
 
	If you receive the message similar to the following:
 
	%INSTALL-W-FAIL, failed to LIST entry for ANALIMDMP.EXE
	-INSTALL-E-NOKFEFND, Known File Entry not found
 
	then you do not have the image installed and your system does
	not have the security problem.
 

Please feel free to contact me with questions - but it would be better if you 
posted them here so everyone can learn from them.

	Ray 8-|)}

Ray Kaplan - I know what I don't know
W) Computer Center - University of Arizona - Tucson, AZ, 85751 - (602) 621-2857
H) P.O. Box 32647 - Tucson, Arizona  85751 - (602) 323-4606
BITNET:    KAPLAN@ARIZRVAX 
INTERNET:  KAPLAN@RVAX.CCIT.ARIZONA.EDU
------------------------------------------------------------------------------
>> THESE ARE MY VIEWS.  They do not necessarily reflect those of others ... >>
------------------------------------------------------------------------------
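Steps 2 through 5 of the workaround above, collected into one DCL command procedure so that the removal and the verification can be run unattended on each system. This is an added example, not part of the original post and not a DEC-supplied procedure. It assumes that INSTALL returns a non-success status (the %INSTALL-W-FAIL warning quoted in the post) when no known-file entry exists, and that it is run from the privileged context described in steps 1 and 2.

```dcl
$ ! Added example, not from the original post: apply the interim workaround
$ ! (remove the ANALIMDMP known-image entry) and confirm that it is gone.
$ ! Assumption: INSTALL /LIST sets a non-success $STATUS (the %INSTALL-W-FAIL
$ ! warning shown in the post) when there is no known-file entry.
$ SET NOON                      ! do not abort on the expected warning
$ !
$ ! Does the image currently have a known-file entry?
$ DEFINE/USER_MODE SYS$OUTPUT NL:
$ DEFINE/USER_MODE SYS$ERROR  NL:
$ MCR INSTALL ANALIMDMP/LIST
$ WAS_INSTALLED = $STATUS
$ IF .NOT. WAS_INSTALLED
$ THEN
$     WRITE SYS$OUTPUT "ANALIMDMP is not installed; no action needed."
$     EXIT
$ ENDIF
$ !
$ ! Remove the entry from the running system (step 4 of the post).
$ MCR INSTALL ANALIMDMP/DELETE
$ IF .NOT. $STATUS
$ THEN
$     WRITE SYS$OUTPUT "INSTALL/DELETE failed; run step 2 (SET PROC/PRIV=ALL) first."
$     EXIT 2
$ ENDIF
$ !
$ ! Confirm the removal (step 5 of the post).
$ DEFINE/USER_MODE SYS$OUTPUT NL:
$ DEFINE/USER_MODE SYS$ERROR  NL:
$ MCR INSTALL ANALIMDMP/LIST
$ IF $STATUS
$ THEN
$     WRITE SYS$OUTPUT "WARNING: ANALIMDMP is still installed."
$     EXIT 2
$ ENDIF
$ WRITE SYS$OUTPUT "ANALIMDMP removed.  Add the INSTALL/DELETE line to"
$ WRITE SYS$OUTPUT "SYSTARTUP (step 3) so it is not reinstalled at the next boot."
```

The procedure only covers the running system; the SYSTARTUP edit in step 3 is still needed, otherwise the image comes back at the next boot and the check in step 5 must be repeated.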