- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: ESB-2005.0197
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-02-2005 03:28 PM
03-02-2005 03:28 PM
ESB-2005.0197
I realize that vagueness is a hallmark of a good security alert but is anyone able to indicate whether
* access means read/write or only read?
* it is remotely exploitable?
If it is remotely exploitable...
* there is anything I can do to protect my system in the meantime? (Patch cannot be installed before the weekend.)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-02-2005 04:55 PM
03-02-2005 04:55 PM
Re: ESB-2005.0197
Obviously no detail of the hole, (and I'm sure I don't need to explain that to you!).
The alert I have,
"SSRT4866 rev.0 MUP HP OpenVMS V6.x and V7.x privileged file access"
says:
"Alpha Version 7.x or 6.x that may allow a local authorized user to gain unauthorized privileged access to data and system resources."
Note "LOCAL AUTHORIZED USER", so I don't believe you need concern yourself with remote exploits from random sources (provided you trust the security of your users' passwords).
Also note that it's 7.x or 6.x, so this is something that's been around for a LONG time - at least a decade, so I don't expect it's a huge risk.
(fwiw, my node is still V7.2-2, so I don't have a MUP to install. I won't lose any sleep over it ;-)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-02-2005 05:40 PM
03-02-2005 05:40 PM
Re: ESB-2005.0197
The wording is not crystal clear.
If I knew that the exploit required the user to be able to run code of their choosing, I would feel safer since almost all of my users are captive.
The mention of DECnet got me edgy about remote exploit.
>(provided you trust the security of your users' passwords).
I don't trust the security of my users' passwords! I know for sure that they will choose the easiest password that meets the minimum enforced standards. Wot? Me cynical?
I also know that I have had 1000 attempted breakins *per day* over the last 7 days, so I need defence in depth.
We're starting to contemplate username evasion (have already renamed one). Most attempts are not even valid usernames but for the few that are ...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2005 02:21 AM
03-03-2005 02:21 AM
Re: ESB-2005.0197
Purely Personal Opinion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2005 11:32 AM
03-03-2005 11:32 AM
Re: ESB-2005.0197
But can your node be connected to from the internet? Obviously we too have a firewall but some services are forwarded from the firewall to the VMS machine.
>the problem fixed by the VMSMUP has been around over 10 years.
I am trouble seeing the logic (that both of you seem to be implying). It is likely that the above statement implies that it is difficult to find. That says nothing about what will happen if someone did find it (and choose to exploit it on my system) and hence once can't assess the mathematical expectation of damage. At this stage we don't even know whether "access" means "read only" or "read/write" (although I would lean toward the latter both on the grounds of wording and on the grounds of safety in pessimism).
Furthermore, releasing a MUP increases (somewhat) the probability that someone can find the problem. That is not to say that HP did and does the wrong thing by issuing the alert.
Incidentally this alert is still not showing in AusCERT.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2005 12:45 PM
03-03-2005 12:45 PM
Re: ESB-2005.0197
One other point, the MUP itself replaces only DECW$SESSIONSHRP.EXE so I suspect the exploit must be via a local DECwindows session. Even if remote sessions are vulnerable, the intruder still has to log in to start the session, and I'm guessing your firewall blocks port 6000?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2005 01:20 PM
03-03-2005 01:20 PM
Re: ESB-2005.0197
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-04-2005 12:46 AM
03-04-2005 12:46 AM
Re: ESB-2005.0197
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-04-2005 01:26 AM
03-04-2005 01:26 AM
Re: ESB-2005.0197
The security notice I saw from hp says its not remotely expolitable - you have to login and write a program.
Purely Personal Opinion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-04-2005 01:46 AM
03-04-2005 01:46 AM
Re: ESB-2005.0197
"local authorized user" - so it is not remotely expolitable.
Purely Personal Opinion