Operating System - OpenVMS
1839205 Members
2949 Online
110137 Solutions
New Discussion

Re: TCP/IP security patch

 
SOLVED
Go to solution
Hoff
Honored Contributor

Re: TCP/IP security patch

HP does not indicate if this error exists in other releases, so if you need an official answer, call HP.

The safest assumption (and based on reading CVEs and reading the developer discussions of the fix over at the ntp site) is that the error does exist in earlier releases.
John28
New Member

Re: TCP/IP security patch


Hoff,

Many Thanks for the quick answer. Does V5.6 ECO 3 need to be patched or only V5.6 ECO 4 ?

John
Volker Halle
Honored Contributor

Re: TCP/IP security patch

John,

HP did NOT make a patch available for TCPIP V5.6 ECO 3. Whether this mean ECO 3 is not affected, only HP can answer !

Volker.
Hoff
Honored Contributor

Re: TCP/IP security patch

If you're looking for a simple answer?

Sure. That's easy. Be (appropriately!) paranoid.

Until you hear otherwise from an authoritative source (and which is _not_ ITRC) that a version or configuration is explicitly _not_ vulnerable, the assumption is that the software _is_ vulnerable. And if you're even operating with an average level of paranoia, not even then.

This (appropriate!) paranoia irrespective of the platform and software; whether we are discussing OpenVMS or anything else.

The web-facing servers I manage get attacked multiple times a day.

Unfortunately for this whole discussion, the OpenVMS web tools and web-facing software stacks are down-revision, and there are various security issues within the various web-facing and net-facing tools. Which is why do not recommend exposing OpenVMS to the Internet.

In defense of the vendors here, security also often turns into a circus; there's no certainty here, and even current-patch systems can be vulnerable to zero-day attacks, and to targeted attacks and spearfishing. And some of the security uproars are inconsequential for many sites; you have to know how big a target your site is, and how much you're willing to (directly and indirectly) pay to (try to) reduce your exposure to attacks. This security stuff gets FUD'd pretty heavily in the market, and it's easy to end up with an inappropriate degree of paranoia.

And one of the oft-overlooked parts of security is having current archives. And a review for the "low-hanging" security bugs that can exist in most any configuration.
John28
New Member

Re: TCP/IP security patch

Hoff,

Many Thanks for the info esp. on the appropriate "paranoia" level - understand the risk assessment aspect that you mentioned and I'll continue to follow up with on whether versions not mentioned in the bulletin do have the vulnerability. Way too easy to just assume that all is well when a specific version is not directly referenced in a bulletin.

Regards,

John
Volker Halle
Honored Contributor

Re: TCP/IP security patch

BE CAREFUL WHEN RESTORING THOSE .EXE FILES !

They have ACLs on them (at least the Alpha V5.6 ECO 5 *.EXE_ECO_A ones )!

(IDENTIFIER=%X80010100,OPTIONS=PROTECTED,ACCESS=READ+WRITE+EXECUTE+DELETE)(DEFAULT_PROTECTION,SYSTEM:RWE,OWNER:RWE,GROUP:RWE,WORLD:,OPTIONS=PROTECTED)

A BACKUP/INTERCHANGE would have been nice when creating those .BCK files !

Volker.
Volker Halle
Honored Contributor
Solution

Re: TCP/IP security patch

After installing the patches on TCPIP V5.6 ECO 5 (Alpha) and manually correcting the PROTECTION and removing the ACLs, I did a DIFFERENCES on those 7 images:

5 of them only differ in the IMAGE header (VBN 1), i.e. the LINK DATE and the IDENT string.

Only TCPIP$NTP.EXE and TCPIP$NTP_RES_CHILD.EXE differ in the code section of the image !

NOTE: this is just for the images in QXCR1000910870_V56_ECO5_ALPHA.BCK - the same analysis would need to be done for the other patches as well, but I think I can mostly guess what that analysis would turn out...

I hope that e.g. TCPIP$NTPQ.EXE would be different for all the other patches except against V5.6 ECO 5, which already reportedly fixed that problem in NTPQ (re: SSRT#090073)

Volker.
Volker Halle
Honored Contributor

Re: TCP/IP security patch

HP is listening ...

- TCPIP$NTPTRACE.EXE has been removed from all the patches

- the .BCK savesets have been re-created with BACKUP/INTERCHANGE (on 5-APR-2010).
[I have verified this for QXCR1000910870_V56_ECO5_ALPHA.BCK]

- all NTP images have been re-linked, because they all use the same .OLB and some modules in the .OLB have been changed due to the SSRT fix

- ONLY the following iamges are affected by the security fixes:

For TCPIP V56-ECO4 and TCPIP V55-ECO3
1. TCPIP$NTP.EXE
2. TCPIP$NTP_RES_CHILD.EXE
3. TCPIP$NTPQ.EXE

And for TCPIP V56-ECO5
1. TCPIP$NTP.EXE
2. TCPIP$NTP_RES_CHILD.EXE.

NOTE: the protection of those images is (RWE,RWE,RWE,RE), so this might cause problems during deletion !

Volker.
Volker Halle
Honored Contributor

Re: TCP/IP security patch

another update:

Now there are also NTP patches for TCPIP V5.4 ECO 7

See Document ID: c01961959 Version: 3

Volker.

IS Ops account
Advisor

Re: TCP/IP security patch

Good afternoon gents,

I don't know if my question is relevant to this topic, but I do have problems with installing TCPIP v5.6 ECO5 patch on my DS25.
Currently I'm running OpenVMS 8.2 with TCPIP v5.6 ECO3.

But when I want to decompress the ZIPEXE file, I get an error:

>run DEC-AXPVMS-TCPIP-V0506-9ECO5-1.ZIPEXE
%DCL-W-ACTIMAGE, error activating image DEC-AXPVMS-TCPIP-V0506-9ECO5-1.ZIPEXE
-CLI-E-IMGNAME, image file CARD$DKB1:[PATCHES]DEC-AXPVMS-TCPIP-V0506-9ECO5-1.ZIP
EXE;1
-IMGACT-F-NOTNATIVE, image is not an OpenVMS Alpha image

Can anyone please advise?
Thanks,
IO

Shriniketan Bhagwat
Trusted Contributor

Re: TCP/IP security patch

Hi,

The run command is failing because of IMGACT-F-NOTNATIVE error. If the file was FPTed over network then there are chances that it might have lost some of the file attributes like RFM, LRL, MRS etc. In this case you have to restore the lost attributes before using the file. Check the file attributes before and after file transfer by $ dir/full command. You can use the below command to restore the attributes back. The typical command used is:

SET FILE/ATTR=(RFM:FIX,LRL:32256,MRS:32556) DEC-AXPVMS-TCPIP-V0506-9ECO5-1.ZIPEXE

Hope this helps.

Regards,
Ketan
Volker Halle
Honored Contributor

Re: TCP/IP security patch

Ketan,

OpenVMS .EXE files have 512 byte length FIXED records ! Your command can be used to modify the record attribute for BACKUP savesets !

Here is a real working example:

AXPVMS $ dir/full DEC-AXPVMS-TCPIP-V0506-9ECO5-1.ZIPEXE;1

Directory DSA64:

DEC-AXPVMS-TCPIP-V0506-9ECO5-1.ZIPEXE;1 File ID: (46058,7,0)
Size: 84846/84848 Owner: [1,1]
Created: 26-MAR-2010 09:06:53.07
Revised: 29-MAR-2010 14:17:26.15 (3)
Expires:
Backup:
Effective:
Recording:
Accessed:
Attributes:
Modified:
Linkcount: 1
File organization: Sequential
Shelved state: Online
Caching attribute: Writethrough
File attributes: Allocation: 84848, Extend: 0, Global buffer count: 0
No version limit, Backups disabled
Record format: Fixed length 512 byte records
Record attributes: None
RMS attributes: None
Journaling enabled: None
File protection: System:RWED, Owner:RWED, Group:RE, World:
Access Cntrl List: None
Client attributes: None

Total of 1 file, 84846/84848 blocks.
AXPVMS $ run DEC-AXPVMS-TCPIP-V0506-9ECO5-1.ZIPEXE;1
UnZipSFX 5.42 of 14 January 2001, by Info-ZIP (Zip-Bugs@lists.wku.edu).
...

You need to use the appropriate SET FILE/ATTR=... commands to change the file attributes of your .ZIPEXE file to those shown above.

Volker.
Shriniketan Bhagwat
Trusted Contributor

Re: TCP/IP security patch

Thanks for correcting me Volker. :-)


Regards,
Ketan
IS Ops account
Advisor

Re: TCP/IP security patch

Good evening everyone.

I have modified it as it should be now.

Before:
--------
DEC-AXPVMS-TCPIP-V0506-9ECO5-1.ZIPEXE;1 File ID: (45190,42,0)
Size: 85340/85351 Owner: [SYSTEM]
Created: 3-JUN-2010 18:52:36.69
Revised: 3-JUN-2010 18:52:40.37 (1)
Expires:
Backup:
Effective:
Recording:
Accessed:
Attributes:
Modified:
Linkcount: 1
File organization: Sequential
Shelved state: Online
Caching attribute: Writethrough
File attributes: Allocation: 85351, Extend: 0, Global buffer count: 0
No version limit
Record format: Variable length, maximum 0 bytes, longest 5299 bytes
Record attributes: Carriage return carriage control
RMS attributes: None
Journaling enabled: None
File protection: System:RWED, Owner:RWED, Group:RE, World:
Access Cntrl List: None
Client attributes: None

Command:
--------
SET FILE/ATTR=(RFM:FIX,MRS:512,LRL=512,ORG=SEQ,RAT=NONE)DEC-AXPVMS-TCPIP-V0506-9ECO5-1.ZIPEXE

After:
------
DEC-AXPVMS-TCPIP-V0506-9ECO5-1.ZIPEXE;1 File ID: (45190,42,0)
Size: 85340/85351 Owner: [SYSTEM]
Created: 3-JUN-2010 18:52:36.69
Revised: 3-JUN-2010 19:08:30.96 (4)
Expires:
Backup:
Effective:
Recording:
Accessed:
Attributes:
Modified:
Linkcount: 1
File organization: Sequential
Shelved state: Online
Caching attribute: Writethrough
File attributes: Allocation: 85351, Extend: 0, Global buffer count: 0
No version limit
Record format: Fixed length 512 byte records
Record attributes: None
RMS attributes: None
Journaling enabled: None
File protection: System:RWED, Owner:RWED, Group:RE, World:
Access Cntrl List: None
Client attributes: None

Total of 1 file, 85340/85351 blocks.


What I can see already is that the block size of this file is different from your example, however it is the same file.

Any ideas?

Thanks a lot,
IO
Volker Halle
Honored Contributor

Re: TCP/IP security patch

IO,

it's possibly too late now, but please do not 'hijack' existing threads for a new problem. Consider to create a new topic for this question.

Does this .ZIPEXE expand correctly when run ?

The release notes specify checksums, do they match ?

I now remember: this kit might been re-released. My notes show a 1-MAR-2010 and a 5-MAR-2010 date for this patch. Copy it again...

Volker.
IS Ops account
Advisor

Re: TCP/IP security patch

Volker,

You're right. I should have started a new thread.
Thanks for your help here. I just moved then.

Cheers,
IO
H_Bachner
Regular Advisor

Re: TCP/IP security patch

Sorry for leaving this thread open for such a long period.

Many thanks to all who offered valuable suggestions and info regarding the security patch, and special thanks to Volker for his detailed analysis of the contents of the various generations of patch kits and additions to the original bulletin. I owe you a beer or two when we meet next time :-)

Also thanks to the TCP/IP maintenance engineers who listened to this thread and updated the patch kits to deliver better quality ECOs. I'm confident that future ECOs will reach the standards again which the OpenVMS community is used to (and expects).

Closing this topic.
Hans.
Ian Miller.
Honored Contributor

Re: TCP/IP security patch

Updated version of this patch now available as TCPIP_NTP_PAT
____________________
Purely Personal Opinion
H_Bachner
Regular Advisor

Re: TCP/IP security patch

Ian, thanks for updating this thread with the latest information! Actually, there are several versions of the TCPIP_NTP_PAT patch available - at least for versions from V5.5 through V5.7, for Alpha and Itanium.

If someone from engineering is reading this thread as well: could you please update the "patch description" field of the various TCPIP_NTP_PAT patches? It still contains this template text:

"This will appear in the ITRC interface next to the patch ID. For example: DECnet-Plus for OpenVMS Alpha V7.3 ECO04"

Also, the new patches are missing the Release Notes :-(

Thanks for listening.

Closing this thread again,
Hans.
Volker Halle
Honored Contributor

Re: TCP/IP security patch

And there is a typo in

HP-I64VMS-TCPIP_NTP_PAT-V0506-9ECO5D-4

...
3.2 Version of TCPIP to which this kit may be applied
OVMS I64 TCPIP V5.5

...
should be:

OpenVMS I64 TCPIP V5.6

Volker.
Ian Miller.
Honored Contributor

Re: TCP/IP security patch

comments passed on :-)
____________________
Purely Personal Opinion
Ian Miller.
Honored Contributor

Re: TCP/IP security patch

patch descriptions should be updated soon :-)
____________________
Purely Personal Opinion