-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =============================================================================== >> CERT-NL, 01-Mar-2000 << >> All CERT-NL information has been moved to http://cert.surfnet.nl. Links << >> to CERT-NL information contained in this advisory are therefore outdated. << >> << >> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the << >> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the << >> complete CERT-CC advisory texts: http://www.cert.org << =============================================================================== =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Teun Nijssen/CERT-NL Index : S-92-18 Distribution : SURFnet constituency Page : 1 Classification: External Version: final Subject : VMS MONITOR V5.3 through V5.4-2 Date : 22-oct-92 =============================================================================== CERT-NL (SURFnet Computer Emergency Response Team) has received additional information concerning the previously known security problem in VMS Monitor. The following text is a verbatim copy of Digital's advisory: ------------------------------------------------------------------------- 21-OCT-1992 SSRT-0200-1 (ADDENDUM) 21-AUG-1992 SSRT-0200 SOURCE: Digital Equipment Corporation AUTHOR: Software Security Response Team - U.S. Colorado Springs USA PRODUCT: VMS MONITOR V5.3 through V5.4-2 PROBLEM: Potential Security Vulnerability in VMS Monitor Utility SOLUTION: A VMS V5.3 through V5.4-2 remedial kit is now available by contacting your normal Digital Services Support organization. NOTE: This problem has been corrected in VAX VMS V5.4-3 (released in October 1991). __________________________________________________________________ The kit may be identified as MONTOR$S01_053 / MONTOR$S01_054, (or CSCPAT_1047 via DSIN, and DSNlink) ------------------------------------------------------------------ Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved. Published Rights Reserved Under The Copyright Laws Of The United States. ------------------------------------------------------------------------- ADVISORY ADDENDUM INFORMATION: ------------------------------------------------------------------------- In August 1992, an advisory and article was distributed describing poten- tial security vulnerability discovered in the VMS Monitor utility and provided suggested workarounds to remove the vulnerability. The advisory was labeled SSRT-200 "Potential Security Vulnerability in VMS Monitor Utility". This addendum follows that advisory with information of the availability of a kit containing a new sys$share:spishr.exe for VMS V5.3-* through VMS V5.4-2 and may be identified as MONTOR$S01_053 and MONTOR$S01_054 respectively from your Digital Services organization. In the U.S.the kit is also identified as CSCPAT_1047 via DSIN and DSNlink. Note:This potential vulnerability does not exist in VMS V5.4-3 and later versions of VMS. Digital strongly recommends that you upgrade to a minimum of VMS V5.4-3, and further, to the latest release of VMS V5.5-1. (released in July, 1992) If you cannot upgrade to a minimum of VMS V5.4-3 at this time, Digital strongly recommends that you install the available V5.3-* through V5.4-2 kit on your system(s), available from your support organization, to avoid any potential vulnerability. You may obtain a kit for VMS V5.3 thru V5.4-2 by contacting your normal Digital Services support organization. (Customer Support Center, using DSNlink or DSIN, or your local support office) As always, Digital recommends that you periodically review your system management and security procedures. Digital will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems. End of Advisory ------------------------------------------------------------------------- CERT-NL wishes to thank Digital's Software Security Response Team for this information and advises system manager's running relevant versions of VMS to obtain the mentioned security kit from Digital Netherlands. ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://cert.surfnet.nl/ In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS Phone: +31 302 305 305 BUSINESS HOURS ONLY Fax: +31 302 305 329 BUSINESS HOURS ONLY Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES: THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU. =============================================================================== -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1i iQA/AwUBOL6V+zSYjBqwfc9jEQJegQCgiwUsjRfqPyIfLKQOBxhJuRSS9XsAn2nu PXSv59VhGhoiQeX7bm4JH8i4 =FrAP -----END PGP SIGNATURE-----