From BITFTP1@pucc.PRINCETON.EDU Thu Dec 20 22:02:45 1990 Received: from pucc.Princeton.EDU by po.CWRU.Edu with SMTP (5.61+ida+/CWRU-1.7.1) id AA01560; Thu, 20 Dec 90 22:02:45 -0500 (from BITFTP1@pucc.PRINCETON.EDU for /usr/local/bin/m2mbox /u/38/al636/mbox) Message-Id: <9012210302.AA01560@po.CWRU.Edu> Received: from PUCC.PRINCETON.EDU by pucc.PRINCETON.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 2739; Thu, 20 Dec 90 21:32:52 EST Received: by PUCC (Mailer R2.08B) id 9142; Thu, 20 Dec 90 21:32:50 EST Date: 20 Dec 1990 21:32:51 From: BITFTP1@pucc.PRINCETON.EDU To: al636@cleveland.Freenet.Edu Subject: BITFTP output, CA-90:07.VMS.ANALYZE.vulnerability, Part 1 of 1 (uuenco CA-90:07 CERT Advisory October 25, 1990 VMS ANALYZE/PROCESS_DUMP ------------------------------------------------------------------------- The CERT/CC has received a report of a security vulnerability which exists under specific conditions in Digital VMS Software (Versions 4.0 to 5.4). The DESCRIPTION, IMPACT, SOLUTION, and CONTACT INFORMATION sections below have been provided to the CERT/CC by the Digital Equipment Corporation. ------------------------------------------------------------------------- DESCRIPTION: Non-privileged users can acquire system privileges through the ANALYZE/PROCESS_DUMP routine. IMPACT: Non-privileged users who gain increased privileges might deliberately or inadvertently affect the integrity of system information and/or affect the integrity of the computing resource. SOLUTION: Digital is currently working on a permanent solution to this problem. While a permanent fix is being completed, Digital recommends that the following actions be taken on every VMS system (this includes all nodes in a VAXcluster system). After taking the following actions, non-privileged users will not be able to use the ANALYZE/PROCESS_DUMP command. 1. Log into the system account. 2. $ SET PROC/PRIV=ALL 3. a) For VMS versions prior to V5.0, Modify SYS$MANAGER:SYSTARTUP.COM to include the following lines: $ SET NOON $ MCR INSTALL ANALIMDMP.EXE/DELETE as the first two commands in this file. b) For VMS versions V5.0 and later, Modify SYS$MANAGER:SYSTARTUP_V5.COM to include the following lines: $ SET NOON $ MCR INSTALL ANALIMDMP.EXE/DELETE as the first two commands in this file. c) For MicroVMS systems, The image ANALIMDMP.EXE is not installed by default, but SYSTARTUP.COM contains a suggestion for installing the image if you have multiple users on your system. You must ensure that this image is not installed by SYSTARTUP.COM. You can use the following command to verify that the image is not installed: $ MCR INSTALL ANALIMDMP/LIST 4. $ MCR INSTALL ANALIMDMP/DELETE This command removes the installed image from the active system. 5. (Optional) Restart your systems and verify that the image is not installed using the following command: $ MCR INSTALL ANALIMDMP/LIST You should receive a message similar to the following: %INSTALL-W-FAIL, failed to LIST entry for ANALIMDMP.EXE -INSTALL-E-NOKFEFND, Known File Entry not found CONTACT INFORMATION: For further questions, please contact your Digital Customer Support Center. ------------------------------------------------------------------------- The CERT/CC thanks Digital for the information above, and thanks Clive Walmsley, Royal Signal and Radar Establishment, Malvern England, for reporting this problem to CERT/CC. ------------------------------------------------------------------------- Dan Farmer Computer Emergency Response Team/Coordination Center (CERT/CC) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Internet E-mail: cert@cert.sei.cmu.edu Telephone: 412-268-7090 24-hour hotline: CERT personnel answer 7:30a.m.-6:00p.m. EST, on call for emergencies other hours. Past advisories and other information are available for anonymous ftp from cert.sei.cmu.edu (128.237.253.5).