
Re: ESB-2005.0197

 
Derek Garson
Frequent Advisor

ESB-2005.0197

I just received the above security alert regarding "authorized user may gain access to privileged files".

I realize that vagueness is a hallmark of a good security alert but is anyone able to indicate whether

* access means read/write or only read?

* it is remotely exploitable?

If it is remotely exploitable...

* there is anything I can do to protect my system in the meantime? (Patch cannot be installed before the weekend.)
John Gillings
Honored Contributor

Re: ESB-2005.0197

Hi Derek,

Obviously no detail of the hole (and I'm sure I don't need to explain that to you!).

The alert I have,

"SSRT4866 rev.0 MUP HP OpenVMS V6.x and V7.x privileged file access"

says:

"Alpha Version 7.x or 6.x that may allow a local authorized user to gain unauthorized privileged access to data and system resources."

Note "LOCAL AUTHORIZED USER", so I don't believe you need concern yourself with remote exploits from random sources (provided you trust the security of your users' passwords).

Also note that it's 7.x or 6.x, so this is something that's been around for a LONG time - at least a decade, so I don't expect it's a huge risk.

(fwiw, my node is still V7.2-2, so I don't have a MUP to install. I won't lose any sleep over it ;-)

A crucible of informative mistakes
Derek Garson
Frequent Advisor

Re: ESB-2005.0197

>Note "LOCAL AUTHORIZED USER", so I don't believe you need concern yourself with remote exploits from random sources

The wording is not crystal clear.

If I knew that the exploit required the user to be able to run code of their choosing, I would feel safer since almost all of my users are captive.

The mention of DECnet got me edgy about remote exploit.

>(provided you trust the security of your users' passwords).

I don't trust the security of my users' passwords! I know for sure that they will choose the easiest password that meets the minimum enforced standards. Wot? Me cynical?

I also know that I have had 1000 attempted breakins *per day* over the last 7 days, so I need defence in depth.

We're starting to contemplate username evasion (have already renamed one). Most attempts are not even valid usernames but for the few that are ...
Ian Miller.
Honored Contributor

Re: ESB-2005.0197

The problem fixed by the VMSMUP has been around over 10 years. My understanding of what I've been told leads me to believe code would have to be written to exploit it. I may be wrong.
____________________
Purely Personal Opinion
Derek Garson
Frequent Advisor

Re: ESB-2005.0197

>I don't have a MUP to install. I won't lose any sleep over it

But can your node be connected to from the internet? Obviously we too have a firewall but some services are forwarded from the firewall to the VMS machine.

>the problem fixed by the VMSMUP has been around over 10 years.

I am having trouble seeing the logic (that both of you seem to be implying). It is likely that the above statement implies that it is difficult to find. That says nothing about what will happen if someone did find it (and chose to exploit it on my system), and hence one can't assess the mathematical expectation of damage. At this stage we don't even know whether "access" means "read only" or "read/write" (although I would lean toward the latter, both on the grounds of wording and on the grounds of safety in pessimism).

Furthermore, releasing a MUP increases (somewhat) the probability that someone can find the problem. That is not to say that HP did and does the wrong thing by issuing the alert.

Incidentally this alert is still not showing in AusCERT.

John Gillings
Honored Contributor

Re: ESB-2005.0197

Derek,

One other point, the MUP itself replaces only DECW$SESSIONSHRP.EXE so I suspect the exploit must be via a local DECwindows session. Even if remote sessions are vulnerable, the intruder still has to log in to start the session, and I'm guessing your firewall blocks port 6000?

A crucible of informative mistakes
Derek Garson
Frequent Advisor

Re: ESB-2005.0197

Yes, 6000 is blocked.
Dale A. Marcy
Trusted Contributor

Re: ESB-2005.0197

Does this vulnerability also apply to Phase IV? All MUPs seem to apply to Plus or OSI.
Ian Miller.
Honored Contributor

Re: ESB-2005.0197

There are two kits: the VMS one (with DECW files in it) and, if you are running DECnet-Plus, another one to install. If you are running DECnet Phase IV then you just need the VMS kit.

The security notice I saw from HP says it's not remotely exploitable - you have to log in and write a program.
____________________
Purely Personal Opinion
Ian Miller.
Honored Contributor

Re: ESB-2005.0197

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=PSD_HPSBOV01121

"local authorized user" - so it is not remotely exploitable.
____________________
Purely Personal Opinion