Copy Link
Add to Bookmark
Report
CIAC B-04
========================================================================
|| THE COMPUTER INCIDENT ADVISORY CAPABILITY ||
|| ||
|| C I A C ||
|| ||
|| INFORMATION NOTICE ||
========================================================================
VMS Security Problem with ANALYZE/PROCESS_DUMP
----------------------------------------------
October 22, 1990, 1200 PST Number B-4
Summary:: Critical VMS Security Problem Facts
----------------------------------------------------------------------------
PROBLEM: VMS security problem with the ANALYZE/PROCESS_DUMP command
PLATFORM: DEC VMS systems (all versions 4.0 to 5.3 including MicroVMS)
DAMAGE: Allows system privileges to non-privileged users
(including the user decnet on older VMS systems)
WORKAROUND: Disable ANALYZE/PROCESS_DUMP for non-privileged users
PATCH: Not currently available, but DEC is aware of the problem
SYSTEM IMPACT: The workaround will disallow the use of analyze/process_dump
for non-privileged users. Other program debuggers are
unaffected
----------------------------------------------------------------------------
CIAC has learned of a serious security problem on Digital Equipment
Corp. (DEC) VMS systems. The potential damage of this problem is that
users may gain unauthorized system privileges through the use of the
ANALYZE/PROCESS_DUMP dcl command. In addition, systems that have set
up the FAL and default DECNET account to use the same directory have a
potential to allow system access to other VMS machines connected to
the network.
DEC is currently working on a permanent solution to this problem. As
a interim measure, DEC recommends that this command be disabled for
all non-privileged users. This may be accomplished using the
following procedure:
1. Log into the system account.
2. $ SET PROC/PRIV=ALL
3. a) For VMS systems prior to V5.0,
Modify SYS$MANAGER:SYSTARTUP.COM to include the following
lines as the first two lines in the file:
$ SET NOON
$ MCR INSTALL ANALIMDMP.EXE/DELETE
b) For VMS system V5.0 and later,
Modify SYS$MANAGER:SYSTARTUP_V5.COM to include the following
as the first two lines of the file:
$SET NOON
$ MCR INSTALL ANALIMDMP.EXE/DELETE
c) For MicroVMS systems,
The image ANALIMDMP.EXE is not installed by default, but
SYSTARTUP.COM contains a suggestion of installing the image if
you have multiple users on your system. You mus ensure that
this image is not installed in SYSTARTUP.COM. You can use the
following command to verify that the image is not installed:
$MCR INSTALL ANALIMDMP/LIST
If you receive the message similar to the following:
%INSTALL-W-FAIL, failed to LIST entry for ANALIMDMP.EXE
then you do not have the image installed. Otherwise, proceed
as step 3.a above.
4. $ MCR INSTALL ANALIMDMP/DELETE
This command removes the installed image from the active system.
5. (Optional) Restart your systems and verify that the image is
not installed using the following command:
$MCR INSTALL ANALIMDMP/LIST
If you receive the message similar to the following:
%INSTALL-W-FAIL, failed to LIST entry for ANALIMDMP.EXE
-INSTALL-E-NOKFEFND, Known File Entry not found
then you do not have the image installed and your system does
not have the security problem.
For additional information or assistance, please contact CIAC
Thomas A. Longstaff
(415) 423-4416 or (FTS) 543-4416
FAX: (415) 423-0913 or (FTS) 543-0913
or send e-mail to:
ciac@tiger.llnl.gov
Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.
