Serious OpenVMS Security Issue!

VAX OpenVMS
I include this news item for personal nostalgia reasons! I started my computer career working with OpenVMS and the DCL Command language. In fact, my first professionally published article was in DEC Professional magazine on a menu system I wrote in DCL! Amazing that people are still using OpenVMS!

Mission-critical system alert: 40-year-old OpenVMS hit by exploitable bug
ZDNet – By Liam Tung – “A patch is available for a privilege-escalation flaw affecting the 40-year-old OpenVMS operating system on hardware powered by ancient VAX and Alpha processors from Digital Equipment Corporation.

The OS, which has been supported by HP, is known for its reliability and has historically been used for core business systems that require high availability, including nuclear power plants and process-control systems.

The Register reports that a patch for the privilege-escalation flaw, CVE-2017-17842, has been made available ahead of a detailed description of the issue due in March. The delay is to give admins time to patch affected systems.

VMS Software Inc (VSI), the company to which HP licensed OpenVMS in 2014, said a ‘malformed DCL command table may result in a buffer overflow allowing a local privilege escalation in non-privileged accounts’. DCL is the VMS shell.

The vulnerability affects all versions of VMS and OpenVMS dating back to version 4.0, when it was just called VMS.

While this vulnerability is exploitable on VAX and Alpha hardware, it only causes a crash on Intel Itanium-based hardware and isn’t directly exploitable.

However, according to Simon Clubley, the researcher who found the flaw, a different version of the same vulnerability could make Itanium systems exploitable.

‘The only reason Itanium is not compromisable with this specific version of the exploit is because the return address is handled very differently on Itanium,’ he wrote.

‘It is not beyond the bounds of possibility that someone could find a different variant that could be used to compromise an Itanium system. For example, if you can overwrite a pointer to a data structure, then you can force code within DCL to process memory that you control.’

Additionally, Itanium systems can be indirectly compromised using the exploit he has if they’re part of a cluster with affected VAX or Alpha processors.

‘If your Itanium systems are part of a mixed-architecture cluster, then you can use the vulnerability to compromise a vulnerable cluster member and then use that cluster member to compromise your Itanium systems,’ he noted.

Clubley told The Register that anyone with shell access can compromise any version of OpenVMS released for VAX or Alpha architecture in the past 30 years.

There are different courses of action to remedy the issue for different customers, according to VMS Software’s VP of software engineering, Eddie Orcutt.

Alpha customers running VSI OpenVMS V8.4-2L1 or VSI OpenVMS V8.4-2L2 for Alpha need to contact VSI support.

Customers with Itanium running VSI OpenVMS V8.4-1H1, VSI OpenVMS V8.4-2, or VSI OpenVMS V8.4-2L1 can contact HPE if they have a HPE support contract for their version. Otherwise customers need to contact VMS Software VSI support.

Customers running HPE OpenVMS versions prior to and including V8.4 must contact HPE customer support.”

Leave a Reply

Your email address will not be published. Required fields are marked *