topic Re: Tcpip vulnerability /SSRT4696 in Operating System - OpenVMS

Tcpip vulnerability /SSRT4696

Kjartan Konradsson — Fri, 09 Dec 2005 09:53:45 GMT

Hi there,,
My company recently made a contract with Qualys Inc. to test our systems. When test where run against our Vms-cluster, we got notified about possible vulnerability on port 21 and 23. I can't find any papers that are about this problem specially for VMS. Is anyone familiar with this and should I worry about this.
Our cluster is behind firewalls and we have front end machines behind the firewalls that communicate with our cluster, witch is only running Oracle database. OpenVMS 7.3-2 and Oracle 9.2.0.5

Thanks in advance...
Kjartan

Re: Tcpip vulnerability /SSRT4696

Peter Zeiszler — Fri, 09 Dec 2005 10:50:29 GMT

You probably got flagged on those because you are not running the SSH on the system. We get dinged on them also. Those are the default ports for FTP (21) and TELNET (23).

We have systems that do not have SSH compatibility or software packages that communicate that don't work with SSH. So on our systems we have to present a "security exception" to run those 2 images.

I would suggest contacting Qualsys and ask for exact information on what they are testing. In some cases they perform additional tests that check underlying vulnerabilities on those ports.

As an example. On port 21 after you do an FTP to a VMS machine and type CHMOD. Nothing should happen because VMS does not recognize the command. However some of the Vulnerability scans determine that this is a security issue because the CHMOD did not return what they expected to see.

Re: Tcpip vulnerability /SSRT4696

Robert Gezelter — Fri, 09 Dec 2005 11:07:33 GMT

Kjartan,

As noted Ports 21 and 23 are telnet and ftp respectively.

There are two sets of issues with these ports:

- the basic protocols expose passwords for compromise by eavesdropping. For this reason, many security checklists flag the use of these protocols. In the case of ftp, the issue reflects non-anonymous ftp (in the case of anonymous ftp, password exposure is generally a non-issue).

- the second issue is whether the servers for these protocols have implementation defects which can compromise the underlying system. This is a concern, but only if the "detection" is valid. It is not unusual for security scans to check for the common Windows and Unix/Linus behaviors, and give false indications when OpenVMS is encountered.

Get the details of the reported problems, and then determine if they are correct reports. Regardless of whether they are correct, or not, be sure to write a memorandum to your management about the results of your post-scan review.

- Bob Gezelter, http://www.rlgsc.com
Contributing Editor, Computer Security Handbook, Internet Security(3rd & 4th Editions), http://www.computersecurityhandbook.com
Contributor, Handbook of Information Security

Re: Tcpip vulnerability /SSRT4696

Robert Gezelter — Fri, 09 Dec 2005 11:07:49 GMT

Kjartan,

As noted Ports 21 and 23 are telnet and ftp respectively.

There are two sets of issues with these ports:

- the basic protocols expose passwords for compromise by eavesdropping. For this reason, many security checklists flag the use of these protocols. In the case of ftp, the issue reflects non-anonymous ftp (in the case of anonymous ftp, password exposure is generally a non-issue).

- the second issue is whether the servers for these protocols have implementation defects which can compromise the underlying system. This is a concern, but only if the "detection" is valid. It is not unusual for security scans to check for the common Windows and Unix/Linux behaviors, and give false indications when OpenVMS is encountered.

Get the details of the reported problems, and then determine if they are correct reports. Regardless of whether they are correct, or not, be sure to write a memorandum to your management about the results of your post-scan review.

- Bob Gezelter, http://www.rlgsc.com
Contributing Editor, Computer Security Handbook, Internet Security(3rd & 4th Editions), http://www.computersecurityhandbook.com
Contributor, Handbook of Information Security

Re: Tcpip vulnerability /SSRT4696

Steven Schweda — Fri, 09 Dec 2005 11:39:44 GMT

Note that I see many more attacks on my
(more exposed) system using SSH than I do
using Telnet. And some of the SSH attacks
run on for thousands of attempts. The rare
Telnet attacks are usually quite brief.

The TCPIP FTP server is so different from
what the usual scripts expect that the FTP
attacks always fail harmlessly, usually
leaving only some clutter in the anonymous
FTP server log and one OPCOM message, like:

%%%%%%%%%%% OPCOM 9-DEC-2005 07:08:27.48 %%%%%%%%%%%
Message from user TCPIP$FTP on ALP
User Name: anonymous
Source: 84.101.116.32
Status: NOPRIV -- File access violation
Object: SYS$SYSDEVICE:[ANONYMOUS.051209140830p]

Re: Tcpip vulnerability /SSRT4696

Willem Grooters — Fri, 09 Dec 2005 14:50:52 GMT

What do they mean by "vulnerability"? If you open ANY system to an outside network, and certainly using TCP/IP, it will allow access to your system, no matter what application protocol (ANY protocol can be mimicked using TELNET, that's the way I test connectivity) and no matter on what port the service is defined.

From my own experience, I can second Steven, at least for anonymous FTP set up to be download only (I don't allow upload on my site) port 23 is pretty safe. "Normal" FTP however can be somewhat troublesome as will telnet. Does intrusion detection and protection work on FTP as well? If so, you're safer with VMS then any other system - on both ports.

Nevertheless, if your VMS boxes run only Oracle database, what need is there (apart from system and database management) for telnet (port 23)? FTP I could understand, but even that could be limited to the frontend- and backend systems.
Perhapes these consultants know just aboutr Windows and p;robably some Unixes.

Re: Tcpip vulnerability /SSRT4696

Kjartan Konradsson — Tue, 13 Dec 2005 05:42:47 GMT

Sorry for not having not responding, we had some internet problems here.
I talked to the Qualys guis, and they could not give me more information. The notice is on HP support web as possible general problem, not specific for VMS. So I will ignore this.
Thanks for your input..

Kjartan

Re: Tcpip vulnerability /SSRT4696

Kjartan Konradsson — Tue, 13 Dec 2005 10:08:01 GMT

Thanks
Kjartan