-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Don Stikvoort)                     Index  :    S-94-22
Distribution  : World                                       Page   :          1
Classification: External                                    Version:      Final
Subject       : DECnet/OSI vulnerabilities                  Date   :  05-Dec-94
===============================================================================
 
By courtesy of Digital Equipment Corporation, NASIRC and CIAC we received 
information about DECnet/OSI vulnerabilities.

Below problem and solution are described. If this applies to your 
situation we strongly advise to follow the suggested steps!
 
How to get other CERT-NL advisories and how to contact us, you will find 
at the very bottom of this document.

===============================================================================
 

              Security Vulnerabilities in DECnet/OSI for OpenVMS
_____________________________________________________________________________

PROBLEM:       Security Vulnerabilities exist in certain versions of
               DECnet/OSI for OpenVMS.
PLATFORMS:     (1) DEC Alpha AXP OpenVMS systems running DECnet/OSI Version
               2.0, 2.0A, or 5.7;
               (2) DEC VAX/VMS OpenVMS systems running DECnet/OSI Version 
               5.5, 5.6, 5.6A, 5.6B, 5.7, 5.7A, or DECnet-VAX Version 5.4 
               extensions.
DAMAGE:        Unprivileged system users may gain unauthorized, expanded
               privileges or may crash the operating system.   
SOLUTION:      Install DECnet/OSI Version 5.8, or apply a patch available
               from Digital, or apply the workaround given in the Appendix,
               below.
_____________________________________________________________________________

VULNERABILITY  Although to date these vulnerabilities are not widely known
ASSESSMENT:    nor exploited, we recommend prompt attention.
_____________________________________________________________________________


        Critical Information about the Vulnerabilities in DECnet/OSI

We have received information from Digital Equipment Corporation concerning
potential security vulnerabilities for those systems running versions of
DECnet/OSI prior to Version 5.8. These vulnerabilities may be eliminated by
(1) upgrading to DECnet/OSI Version 5.8 or (2) correcting earlier versions
by applying DEC supplied patches or (3) applying the workaround provided in
the DEC advisory reprinted below.

   NOTE: An unofficial DEC advisory on this topic that was previously
   circulated within some communities should be discarded. The information
   presented in this advisory is the most complete and accurate to date. 

Patch files are available via the normal Digital support channels: DSNlink
for warranty and contract customers, the local office for all others.

Patch File Information
Name             CSCPAT_0597011.A
OpenVMS Checksum 4247567393
MD5 Checksum     79DBE63AC8855D6759EA73B5F419F8ED

Name             CSCPAT_0597011.B
OpenVMS Checksum 1811769591
MD5 Checksum     279E735D15915FC66941D5E2595FA932

Name             CSCPAT_0615011.A
OpenVMS Checksum 756388445
MD5 Checksum     19E698B26F0FAEF75314891A6FB85A7C

Name             CSCPAT_0615011.RELEASE_NOTES
OpenVMS Checksum 38157879
MD5 Checksum     9CEF6DF7DF15FEE539D9159D681C6F12

Name             CSCPAT_0618010.A
OpenVMS Checksum 1502668639
MD5 Checksum     35A7F541B209608869ACD8D2086DA4B6

The patches also fix a bug in the Common Trace Facility (CTF) User Interface
which causes systems to crash, as well as correct other problems.   If you
need additional information or assistance, contact your local DEC
representative or Mr. Richard Boren of DEC's Software Security Response 
Team (SSRT) at +1 719 592 4689. 


++++++++++++++++++++ Begin DECnet/OSI Advisory +++++++++++++++++++++++
|SOURCE: Digital Equipment Corporation
|AUTHOR: Software Security Response Team Colorado Springs, CO.
|PRODUCT: The following products are affected:
|
|       o  DECnet-VAX, Version 5.4 Extensions
|
|       o  DECnet/OSI Version 2.0  for OpenVMS AXP
|       o  DECnet/OSI Version 2.0A for OpenVMS AXP
|       o  DECnet/OSI Version 5.7  for OpenVMS AXP
|
|       o  DECnet/OSI Version 5.5  for OpenVMS VAX
|       o  DECnet/OSI Version 5.6  for OpenVMS VAX
|       o  DECnet/OSI Version 5.6A for OpenVMS VAX
|       o  DECnet/OSI Version 5.6B for OpenVMS VAX
|       o  DECnet/OSI Version 5.7  for OpenVMS VAX
|       o  DECnet/OSI Version 5.7A for OpenVMS VAX
|
|SYMPTOM: User privileges may be expanded under certain circumstances.
| 
|FIX: This potential vulnerability can be removed by installing one of the
|following software updates or Engineering Change Orders (ECO)s available
|from Digital:
|
|    Software update:
|    ----------------
|    DECnet/OSI Version 5.8 for OpenVMS AXP
|    DECnet/OSI Version 5.8 for OpenVMS VAX
|
|                                                ECO
|    Software version:                           number    CSCPAT number
|    -----------------                           ------    -------------
|    DECnet/OSI Version 5.6B for OpenVMS VAX       10      CSCPAT_0597 V1.1
|    DECnet/OSI Version 5.7  for OpenVMS AXP       02      CSCPAT_0615 V1.1
|    DECnet/OSI Version 5.7A for OpenVMS VAX       07      CSCPAT_0618 V1.0
|
|Engineering ECO References:
|
|    CSCPAT_0597 V1.1  = DNVOSIB_ECO10056
|    CSCPAT_0615 V1.1  = DNVOSIAXP_ECO02057
|    CSCPAT_0618 V1.0  = DNVOSIA_ECO07057
|
|If you are unable to install one of the above listed updates or ECOs,
|or if there is no ECO available for the version of DECnet that you are
|currently running, see the workaround described later.
|
|Execute the following command to determine which version of DECnet you
|are currently running:
|
|    $ WRITE SYS$OUTPUT F$GETSYI("DECNET_VERSION")
|
|If "00040100" or "00040200" is displayed then DECnet-VAX, Version 5.4
|Extensions is installed. If the "version" begins with "0005", it means that
|DECnet/OSI is installed. Use the following command to find the version
|number:
|
|    $ MCR NCL SHOW IMPLEMENTATION
|
|and look for the line beginning with "Version =". For example:
|
|    $ WRITE SYS$OUTPUT F$GETSYI("DECNET_VERSION")
|    00050300
|
|    $ MCR NCL SHOW IMPLEMENTATION
|
|    Node 0
|    at 1994-08-24-16:29:38.991+02:00I1.690
|    Characteristics
|        Implementation                    =
|           {
|              [
|              Name = VMS ,
|              Version = "V6.1    "
|              ] ,
|              [
|              Name = DECnet-OSI for OpenVMS ,
|              Version = "DECnet-OSI for OpenVMS Version V5.7 14-JAN-1994..."
|              ]
|           }
|
|Therefore, DECnet/OSI Version 5.7 for OpenVMS (VAX) is running on this
|particular machine.
|
|WORKAROUND: If you are unable to install one of the software updates or
|ECOs listed previously, we strongly recommend that you de-install the
|Common Trace Facility User Interface image (SYS$SYSTEM:CTF$UI.EXE) from
|memory. Execute the following command to determine if this image is
|installed on your system:
|
|    $ INSTALL LIST SYS$SYSTEM:CTF$UI.EXE
|
|The following output is displayed if the image is installed:
|
|    DISK$OPENVMS061:<SYS0.SYSCOMMON.SYSEXE>.EXE
|       CTF$UI;5                       Prv
|
|Execute the following command to de-install the image from memory. Note
|that you require the privilege CMKRNL to do this.
|
|    $ INSTALL REMOVE SYS$SYSTEM:CTF$UI.EXE
|
|In addition to de-installing the image from memory, steps should be taken
|to ensure that the image is not (re-)installed during a subsequent machine
|reboot, or when the Common Trace Facility startup command file executed.
|
|To do this, edit the Common Trace Facility startup command file
|(SYS$COMMON:[SYSMGR]CTF$STARTUP.COM) and search for the following text:
|
|    F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe
|
|Comment out the code that installs the image into memory as follows:
|
|  Original code:
|
|    $  IF .NOT. F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe","KNOWN") -
|       THEN install create sys$system:ctf$ui.exe -
|           /privileges=(sysnam,altpri,tmpmbx,syslck,sysgbl,prmgbl,netmbx, -
|                        world,pswapm,prmmbx,bypass,cmkrnl)
|
|  Changed to be comment:
|
|    $!  IF .NOT. F$FILE_ATTRIBUTES("sys$system:ctf$ui.exe","KNOWN") -
|    $!  THEN install create sys$system:ctf$ui.exe -
|    $!     /privileges=(sysnam,altpri,tmpmbx,syslck,sysgbl,prmgbl,netmbx, -
|    $!                  world,pswapm,prmmbx,bypass,cmkrnl)
|
|
|Be aware that de-installing the image from memory means that non-privileged
|users can no longer use the Common Trace Facility User Interface START and
|STOP commands. This is the case even if the NET$TRACE identifiers have been
|granted to the user account. START and STOP commands will only be allowed
|from a privileged account.
|
|AVAILABILITY: If you have a software service or warranty contract, you can
|obtain the required ECO or software update through your regular Digital
|support channels. 
|   NOTE: For non-contract/non-warranty customers contact your local
|   Digital support channels for information regarding these kits.
+++++++++++++++++++++++++++ End DECnet/OSI Advisory +++++++++++++++++++++++++


==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6WGjSYjBqwfc9jEQL9CgCgkGsrCD/NSQPRE3J9O+HxbMcGKxgAn1h7
YbTq0R5Kr811th9O+XMuiooE
=m5fy
-----END PGP SIGNATURE-----