______________________________________________________ The Computer Incident Advisory Capability ___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___ ____________________________________________________ I N F O R M A T I O N B U L L E T I N OpenVMS Security Patch #1084 Problems Addendum to CIAC Advisory D-08 MAR 2, 1993 1400 PST Number D-09 ___________________________________________________________________________ PROBLEM: Systems with security patch #1084 installed will not boot after performing certain system upgrades. PLATFORM: VMS, OpenVMS VAX and SEVMS systems. DAMAGE: System security is not affected. SOLUTION: Restore the old files before upgrading or apply a patch to the new IMAGE_MANAGEMENT.EXE file. ___________________________________________________________________________ Critical Information about OpenVMS VAX Patch Problems CIAC has learned that applying specific system upgrades to VMS, OpenVMS VAX and Security Enhanced VMS (SEVMS) which have been patched as described in CIAC Advisory D-08 "Potential Vulnerability in VMS V5 and Derivative Operating Systems, February 23, 1993" leaves systems which will not boot. The patch is #1084 and the specific upgrades are: V5.3 to V5.3-1; V5.3-1 to V5.3-2; V5.5 to V5.5-2; V5.5-1 to V5.5-2. All other upgrades are not affected. This patch's installation procedure leaves the old IMAGE_MANAGEMENT.EXE and PAGE_MANAGEMENT.EXE files in the SYS$COMMON:[SYS$LDR] directory. The system can be restored for upgrade as long as these files have not been removed. Prior to system upgrade, use rename to change the old files to a higher version than the new files. Otherwise, take the corrective action described in addendum SSRT 02.25-01 (see below). DEC requests that 02.25-01 be redistributed intact. ========================== Begin DEC Addendum 02.25-01 ======================== SSRT 02.25 - 01 01.MAR.1993 Addendum Advisory RE: SSRT 02.25 dated 23.FEB.1993 SOURCE: Digital Equipment Corporation AUTHOR: Software Security Response Team Colorado Springs, CO. DESCRIPTION ------------ Digital has received information concerning a problem while upgrading the OpenVMS VAX Version paths listed below. OpenVMS VAX versions affected: ------------------------------ upgrade paths V5.3 to V5.3-1 V5.3-1 to V5.3-2 V5.5 to V5.5-2 V5.5-1 to V5.5-2 A problem will occur during an upgrade to a system that previously installed the Security Kit identified as: CSCPAT_1084010.A (combined kit for all OpenVMS VAX Versions affected. DSNlink kit.) VAXSYS01_U2053.A OpenVMS V5.3, V5.3-1, V5.3-2 VAXSYS02_U2055.A OpenVMS V5.5, V5.5-1, V5.5-2 NOTE: ***** All other applicable versions of OpenVMS VAX and their supported upgrade paths do not exhibit this symptom if the Security Kit (identified in an advisory SSRT 02.25 dated 23.FEB.1993) was installed before upgrading to the next higher version. The Security Kit must be re-applied after all OpenVMS VAX upgrades for V5.0 through V5.5-2. Digital recommends that until OpenVMS VAX V6.0 or OpenVMS AXP V1.5 is installed later this year, contact your Digital Services Support organization to obtain the most current version of the applicable Security Kit. IMPACT --------- Anyone who upgrades from OpenVMS VAX V5.3 to V5.3-1, V5.3-1 to V5.3-2, V5.5 to V5.5-2, or V5.5-1 to V5.5-2 will experience an error directly related to having the Security Kit installed prior to the OpenVMS VAX upgrades listed above. The system will to fail to boot properly after the completion of the upgrade. SOLUTION --------- If you renamed the images replaced following the installation of the Security Kit, restore the saved images prior to upgrading OpenVMS VAX to the next higher release then re-apply the Security Kit. The images replaced by the Security Kit identified above are: PAGE_MANAGEMENT.EXE & IMAGE_MANAGEMENT.EXE and placed in the directory SYS$COMMON:[SYS$LDR] WARNING: To prevent a similar problem ensure that no copies of the above images exist in the SYS$SPECIFIC:[SYS$LDR] directory. If the images replaced during the Security Kit installation cannot be restored prior to your upgrade, enter the commands (as indicated below) after your OpenVMS VAX upgrade completes. **** IN EACH CASE, THE SOLUTION BELOW IS A POST OpenVMS VAX UPGRADE EVENT **** !For OpenVMS VAX V5.3 upgrade paths ! V5.3 to V5.3-1 ! V5.3-1 to V5.3-2 ! ! At the point where the OpenVMS upgrade process has completed: ! From the systems console invoke a conversational boot then enter the ! remaining commands as shown and follow the instructions for re-booting. >>> >>> B/1 !YOUR PARTICULAR BOOT FOR CONVERSATIONAL MODE MAY BE DIFFERENT SYSBOOT> SET/START=OPA0: SYSBOOT> C $ $ set noon $ set default [vms$common.sys$ldr] $ patch/update=(1) image_management.exe SET ECO 1 REPL/INST 0A0F='BISB2 #01,B^1F(SP)' 'NOP' EXIT UPDATE EXIT Press the HALT button, reboot the system, and re-install the Security Kit and reboot again for the installation to become effective. ---------------------------------------------------------------------------- !For OpenVMS VAX V5.5 upgrade paths ! V5.5 to V5.5-2 ! V5.5-1 to V5.5-2 ! ! At the point where the OpenVMS upgrade process has completed: ! From the systems console invoke a conversational boot then enter the ! remaining commands as shown and follow the instructions for re-booting. >>> >>> B/1 !YOUR PARTICULAR BOOT FOR CONVERSATIONAL MODE MAY BE DIFFERENT SYSBOOT> SET/START=OPA0: SYSBOOT> C $ set noon $ set default [vms$common.sys$ldr] $ patch/update=(1) image_management.exe SET ECO 1 REPL/INST 0A2F='BISB2 #01,B^1F(SP)' 'NOP' EXIT UPDATE EXIT $ Press the HALT button, reboot the system, and re-install the Security Kit and reboot again for the installation to become effective. ----------------------------------------------------------------------------- Copyright (c) Digital Equipment Corporation, 1993 All Rights Reserved. Published Rights Reserved Under The Copyright Laws Of The United States. =========================== End DEC Addendum 02.25-01 ========================= CIAC recommends that you follow the DEC advisory addendum if performing an upgrade for the specific versions indicated. If you need additional information, contact Mr. Richard Boren of DEC's Software Security Response Team (SSRT) at 719-592-4689. CIAC wishes to thank Rich for supplying the advisory used in this bulletin. If you require additional assistance or wish to report a vulnerability, call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002. For emergencies and off-hour assistance call 1-800-SKYPAGE and enter PIN number 855-0070 (primary) or 855-0074 (secondary). The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400 baud at (510) 423-4753 and 9600 baud at (510) 423-3331. Previous CIAC bulletins and other information is available via anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60). PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.