User Tools

Site Tools


is_openvms_vulnerable_to_cve-2017-17482_the_dcl_cdu_issue

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

is_openvms_vulnerable_to_cve-2017-17482_the_dcl_cdu_issue [2019/02/12 23:02] (current)
mmacgregor created
Line 1: Line 1:
 +
 +==== Introduction ====
 +
 +If you've searched for OpenVMS vulnerabilities at either the https://​cve.mitre.org/​ or https://​nvd.nist.gov/​ you may have run across CVE-2017-17482
 +
 +==== Details ====
 +
 +Per the Nist site, this Vulnerability and Exposure states the following ((1 NIST description of the vulnerability:​ https://​nvd.nist.gov/​vuln/​detail/​CVE-2017-17482))
 +
 +An issue was discovered in OpenVMS through V8.4-2L2 on Alpha and through V8.4-2L1 on IA64, and VAX/VMS 4.0 and later. A malformed DCL command table may result in a buffer overflow allowing a local privilege escalation when a non-privileged account enters a crafted command line. This bug is exploitable on VAX and Alpha and may cause a process crash on IA64. Software was affected regardless of whether it was directly shipped by VMS Software, Inc. (VSI), HPE, HP, Compaq, or Digital Equipment Corporation. ​
 +
 +==== Solution ====
 +
 +  * Alpha OpenVMS V8.4 systems should have this patch installed: VMS84A_DCL-V0200 ​ Contact HPE for the patch
 +  * Itanium OpenVMS V8.4 systems should have this patch installed: VMS84I_DCL-V0200 Contact HPE for the patch
 +
 +Alpha customers running VSI OpenVMS V8.4-2L1 or VSI OpenVMS V8.4-2L2 for Alpha, contact VSI support to obtain the appropriate patch version. ​
 +
 +IA64 customers running VSI OpenVMS V8.4-1H1, VSI OpenVMS V8.4-2, or VSI OpenVMS V8.4-2L1, if you have a support contract with HPE for your version, contact HPE customer support to obtain the patch; otherwise, contact VSI support.((2 VSI acknowledges the issue: https://​groups.google.com/​forum/#​!topic/​comp.os.vms/​BYIUQ0lJ-s0))
 +
 +==== Workaround ====
 +
 +For VAX, Alpha, and Integrity users unable to patch OpenVMS, here are best practices to better protect your systems from the vulnerability.
 +
 +  * Practice good user account control. The attacker must be able to log into the OpenVMS system to exploit the vulnerability.
 +
 +  * Disable user access to the DCL "SET COMMAND"​. Most unprivileged users should never need access to this function. As HPE explains:
 +
 +The vulnerability is in the CDU.EXE image, which is installed with CMEXEC privilege, and a workaround is to remove privileges from the image. This can be done by editing the files SYS$MANAGER:​VMSIMAGES.DAT plus the master VMS$IMAGES_MASTER.DAT and then rebooting.
 +
 +The relevant lines look like this (this may vary between versions of OpenVMS):
 +
 +<​code>​
 +$ search sys$manager:​vms$images_master.dat,​vmsimages.dat cdu
 +******************************
 +SYS$COMMON:​[SYSMGR]VMS$IMAGES_MASTER.DAT;​1
 +sys$system:​cdu /open /header /​priv=(cmexec) !
 +******************************
 +SYS$SYSROOT:​[SYSMGR]VMSIMAGES.DAT;​1
 +SYS$SYSTEM:​CDU /OPEN /HEADER /​PRIV=(CMEXEC) ! 1/​0/</​code>​
 +
 +The workaround would be to simply remove the “/​PRIV=(CMEXEC)” qualifier from these lines. This prevents a non-privileged user from using the DCL "SET COMMAND"​.
 +
 +Along the same vein, the system DCL table could be patched to remove the COMMAND
 +option from the SET command.
  
is_openvms_vulnerable_to_cve-2017-17482_the_dcl_cdu_issue.txt · Last modified: 2019/02/12 23:02 by mmacgregor