Remote access vulnerability in VMS - VMS


  1. Remote access vulnerability in VMS

    Hoff is reporting at

    http://64.223.189.234/node/1021

    that a remote access exploit against VMS has been discovered and verified.

    Just giving people a heads-up as I haven't seen it reported here yet.

    Simon.

    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Microsoft: Bringing you 1980's technology to a 21st century world

  2. Re: Remote access vulnerability in VMS

    In article ,
    clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) writes:
    > Hoff is reporting at
    >
    > http://64.223.189.234/node/1021
    >
    > that a remote access exploit against VMS has been discovered and verified.
    >
    > Just giving people a heads-up as I haven't seen it reported here yet.
    >


    I see the vulnerability was reported to HP. Was it reported to CERT?
    Or are we going to continue the myth that VMS has no CERT Vulnerabilities
    to keep Bob happy?

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  3. Re: Remote access vulnerability in VMS

    In article <6hqb1sFngtrnU3@mid.individual.net>, billg999@cs.uofs.edu (Bill Gunshannon) writes:
    >
    > I see the vulnerability was reported to HP. Was it reported to CERT?
    > Or are we going to continue the myth that VMS has no CERT Vulnerabilities
    > to keep Bob happy?


    I don't know about the other Bob, but I'll take half a dozen CERT
    notices over the last 3 decades against patch-of-the-day.


  4. Re: Remote access vulnerability in VMS

    On Aug 29, 9:36 am, koeh...@eisner.nospam.encompasserve.org (Bob
    Koehler) wrote:
    > In article <6hqb1sFngtr...@mid.individual.net>, billg...@cs.uofs.edu (Bill Gunshannon) writes:
    >
    > > I see the vulnerability was reported to HP. Was it reported to CERT?
    > > Or are we going to continue the myth that VMS has no CERT Vulnerabilities
    > > to keep Bob happy?

    >
    > I don't know about the other Bob, but I'll take half a dozen CERT
    > notices over the last 3 decades against patch-of-the-day.


    While I agree with this Bob, I've heard others say that CERT is
    equivalent to kissing your sister these days. It's kinda lost its
    luster. Can't say first hand, so I guess I'm spreading a rumor or
    opinions of others.

  5. Re: Remote access vulnerability in VMS

    In article ,
    koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
    > In article <6hqb1sFngtrnU3@mid.individual.net>, billg999@cs.uofs.edu (Bill Gunshannon) writes:
    >>
    >> I see the vulnerability was reported to HP. Was it reported to CERT?
    >> Or are we going to continue the myth that VMS has no CERT Vulnerabilities
    >> to keep Bob happy?

    >
    > I don't know about the other Bob, but I'll take half a dozen CERT
    > notices over the last 3 decades against patch-of-the-day.


    Except that if nothing ever gets reported you really have no idea how
    many there might have been. I notice none of the DEFCON problems were
    reported to CERT either. Or has CERT told people they are not collecting
    VMS Vulnerabilities?

    bill


    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  6. Re: Remote access vulnerability in VMS

    Simon Clubley wrote:
    > Hoff is reporting at
    >
    > http://64.223.189.234/node/1021
    >
    > that a remote access exploit against VMS has been discovered and verified.



    Woopty doo ! Since his announcement is devoid of *ANY* information, it
    is absolutely meaningless. Sorry Hoff but it has to be said.

    So far, I have found many vulnerabilities over the years, including XDM,
    POP and IMAP, but they have yet to be fixed.

  7. Re: Remote access vulnerability in VMS

    Hi JF,

    > Woopty doo ! Since his announcement is devoid of *ANY* information, it


    It could be very informative. Not wanting to have a(nother :-) go at Hoff
    personally, but if the company reporting the problem is also one of his
    customers and he heard about it through his association with them, then
    that's peachy. OTOH, if he was fed this valuable information through his
    continued links with VMS' Cosa Vostre, and is now able to evaluate the
    potential risks to his (and his customer(s)') servers and take remedial
    action, while simple license-paying fodder are left vulnerable floundering
    in the dark, then I think that'd be indictable.

    I hope I'm wrong, but there was another recent post here indicating that
    some were fortunate enough to enjoy the patronage of the Andy Goldsteins of
    this world, and were getting direct updates on the availability of patches
    for other vulnerabilities while, presumably, fee-generating customers like
    NasdaqOMX are told to piss-off and just wait in line like everybody else?

    So how do you get in with this in-crowd? Who do you have to sleep with (or
    threaten to sleep with :-) Is there a Clique-Membership upgrade-option on
    the license/warranty agreement that one can tick? A school-tie? A
    secret-handshake? A political/sexual/religious orientation that always
    helps? Just whose arse(s) do you have to kiss?

    Heaven-forbid that VMS would be run on a professional and transparent basis
    ". . .and justice for *all*".

    Regards Richard Maher


    "JF Mezei" wrote in message
    news:48b85dd9$0$9629$c3e8da3@news.astraweb.com...
    > Simon Clubley wrote:
    > > Hoff is reporting at
    > >
    > > http://64.223.189.234/node/1021
    > >
    > > that a remote access exploit against VMS has been discovered and verified.
    >
    >
    > Woopty doo ! Since his announcement is devoid of *ANY* information, it
    > is absolutely meaningless. Sorry Hoff but it has to be said.
    >
    > So far, I have found many vulnerabilities over the years, including XDM,
    > POP and IMAP, but they have yet to be fixed.




  8. Re: Remote access vulnerability in VMS

    In article , Richard Maher wrote:
    >Hi JF,
    >
    >> Woopty doo ! Since his announcement is devoid of *ANY* information, it

    >
    >It could be very informative. Not wanting to have a(nother :-) go at Hoff

    [...]

    You know, the SMGSHR MUP came out in a pretty timely fashion, all things
    considered - thanks (probably) in large part to the visibility provided by this
    NG, as well as the efforts by the folks from DEFCON 16 who made us aware of the
    issue in the first place. It's nice to know that the mechanism "worked", and
    that complain.on.vms turned out to be a somewhat-valuable resource to the
    community.
    :-)

    Please continue posting - your screeds are highly entertaining, and could
    be more so with a little less acidity. :-)

  9. Re: Remote access vulnerability in VMS

    Malcolm Dunnett wrote:

    > Let's cut Hoff some slack here. It's classic Digital culture to not
    > speak of an exploit (at least not until the fix is widely available).



    What is the point of announcing a vulnerability without giving *ANY*
    details ?

    Might as well have just kept quiet and let HP issue a patch in its own
    due time (or have a fix in the next release of VMS).

    If you're going to keep details away, you would be better off to wait
    for the patch to be issued and then make a public announcement (HP sure
    won't) about availability of that patch that fixes a vulnerability.

    But if you want the patch to come out fast, you then provide enough
    details to the public to force HP to escalate the issue and assign
    resources ASAP to fix them.

  10. Re: Remote access vulnerability in VMS

    On Aug 29, 3:36 pm, JF Mezei wrote:
    > Simon Clubley wrote:
    > > Hoff is reporting at

    >
    > > http://64.223.189.234/node/1021

    >
    > > that a remote access exploit against VMS has been discovered and verified.

    >
    > Woopty doo ! Since his announcement is devoid of *ANY* information, it
    > is absolutely meaningless. Sorry Hoff but it has to be said.
    >


    I disagree. People who are aware of the vulnerability, even without
    details, can exert pressure on HP to expedite release of a fix.

    > So far, I have found many vulnerabilities over the years, including XDM,
    > POP and IMAP, but they have yet to be fixed.


    Did you *report* them? And follow up when there was no resolution?

    Jerry


  11. Re: Remote access vulnerability in VMS

    In article <48b85dd9$0$9629$c3e8da3@news.astraweb.com>,
    JF Mezei writes:
    > Simon Clubley wrote:
    >> Hoff is reporting at
    >>
    >> http://64.223.189.234/node/1021
    >>
    >> that a remote access exploit against VMS has been discovered and verified.

    >
    >
    > Woopty doo ! Since his announcement is devoid of *ANY* information, it
    > is absolutely meaningless. Sorry Hoff but it has to be said.
    >
    > So far, I have found many vulnerabilities over the years, including XDM,
    > POP and IMAP, but they have yet to be fixed.


    Or reported to CERT. :-)

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  12. Re: Remote access vulnerability in VMS

    On Aug 29, 11:46 pm, JF Mezei wrote:
    > Malcolm Dunnett wrote:
    > > Let's cut Hoff some slack here. It's classic Digital culture to not
    > > speak of an exploit (at least not until the fix is widely available).

    >
    > What is the point of announcing a vulnerability without giving *ANY*
    > details ?
    >
    > Might as well have just kept quiet and let HP issue a patch in its own
    > due time (or have a fix in the next release of VMS).
    >
    > If you're going to keep details away, you would be better off to wait
    > for the patch to be issued and then make a public announcement (HP sure
    > won't) about availability of that patch that fixes a vulnerability.
    >
    > But if you want the patch to come out fast, you then provide enough
    > details to the public to force HP to escalate the issue and assign
    > resources ASAP to fix them.


    The public can exert pressure on HP without knowing the details. With
    the sketchy information that has been released, it might help to at
    least have an internal tracking number that can be referenced.

    As a system administrator, I too would like to have more information
    so that I can take proactive measures to reduce my exposure to the
    vulnerability -- or at least to know for certain there is nothing I
    can do. The risk of releasing the information, as Malcolm noted, is
    that you are also making it easier for the bad guys to exploit the
    vulnerability. Anyone in Hoff's position must also be careful not to
    jeopardize their association with the company or their internal
    network within the company by giving the appearance of being
    indiscreet in public forums.

    Hoff is both sensible and technically competent. I suspect he decided
    how much information to release based on a complete evaluation of the
    situation, including the risk of compromise at this time. He has
    given a great deal to the OpenVMS community over the years -- do you
    really think he'd leave us hanging now?

  13. Re: Remote access vulnerability in VMS

    On Aug 29, 9:05 pm, "Richard Maher"
    wrote:
    >
    > I hope I'm wrong, but there was another recent post here indicating that
    > some were fortunate enough to enjoy the patronage of the Andy Goldsteins of
    > this world, and were getting direct updates on the availability of patches
    > for other vulnerabilities while, presumably, fee-generating customers like
    > NasdaqOMX are told to piss-off and just wait in line like everybody else?
    >

    This is common in almost any business context. While it may not seem
    fair to those on the outside, there is some benefit to the rest of
    us. These back-door channels serve as an unofficial level of pre-
    release testing: I wonder how many times over the years they have
    identified problems that were corrected before customers were impacted
    by them?

    > So how do you get in with this in-crowd? Who do you have to sleep with (or
    > threaten to sleep with :-) Is there a Clique-Membership upgrade-option on
    > the license/warranty agreement that one can tick? A school-tie? A
    > secret-handshake? A political/sexual/religious orientation that always
    > helps? Just whose arse(s) do you have to kiss?
    >

    He earned the trust and respect of his colleagues by demonstrating he
    was worthy of such. He got a break the rest of us didn't and he made
    good use of it. Life isn't always fair: get used to it and do the
    best with what you have. Jealousy rarely leads to a good end. Nor
    does biting the hand that feeds you (even if it's not always exactly
    what you want or when you want it).


  14. Good Fellas (Was Re: Remote access vulnerability in VMS)

    Hi Jerry,

    > He earned the trust and respect of his colleagues by demonstrating he
    > was worthy of such.


    Is the quickest way to do that, still to kill someone? I wouldn't want to
    break with tradition.

    > Jealousy rarely leads to a good end.


    "Jealousy"? Get out of the ****ing playground will ya; this is a business!
    Would a Telco, a bank, or NasdaqOMX be jealous for wanting to protect their
    servers? (Especially when such vulnerabilities are being blabbed about not
    only outside of HP but all over the internet!)

    > Nor
    > does biting the hand that feeds you (even if it's not always exactly
    > what you want or when you want it).


    I've personally never been on the "payroll", and have sadly relied on
    the old-fashioned litmus test of "Is it in the interests of VMS?" when
    charting direction. If only I'd realized early on that VMS is the personal
    play-thing of the elite few then we could've all saved some time.

    Full steam ahead; you're all doing very well!

    How's that installed-base going again?

    Regards Richard Maher

    PS. Looks like the "code of silence" isn't what it used to be?

    "Jerry Eckert" wrote in message
    news:da9b5489-96a2-44b4-b283-85c8f9c0a51c@m73g2000hsh.googlegroups.com...
    On Aug 29, 9:05 pm, "Richard Maher"
    wrote:
    >
    > I hope I'm wrong, but there was another recent post here indicating that
    > some were fortunate enough to enjoy the patronage of the Andy Goldsteins of
    > this world, and were getting direct updates on the availability of patches
    > for other vulnerabilities while, presumably, fee-generating customers like
    > NasdaqOMX are told to piss-off and just wait in line like everybody else?
    >

    This is common in almost any business context. While it may not seem
    fair to those on the outside, there is some benefit to the rest of
    us. These back-door channels serve as an unofficial level of pre-
    release testing: I wonder how many times over the years they have
    identified problems that were corrected before customers were impacted
    by them?

    > So how do you get in with this in-crowd? Who do you have to sleep with (or
    > threaten to sleep with :-) Is there a Clique-Membership upgrade-option on
    > the license/warranty agreement that one can tick? A school-tie? A
    > secret-handshake? A political/sexual/religious orientation that always
    > helps? Just whose arse(s) do you have to kiss?
    >

    He earned the trust and respect of his colleagues by demonstrating he
    was worthy of such. He got a break the rest of us didn't and he made
    good use of it. Life isn't always fair: get used to it and do the
    best with what you have. Jealousy rarely leads to a good end. Nor
    does biting the hand that feeds you (even if it's not always exactly
    what you want or when you want it).



  15. Re: Remote access vulnerability in VMS

    In article , BRAD@rabbit.turquoisewitch.com (Brad Hamilton) writes:
    >You know, the SMGSHR MUP came out in a pretty timely fashion,


    That is too easy to say.
    It seems this vulnerability is/was there in VMS since decades.
    How do you know that it only was found recently?

    The presenter at DEFCON16 told, it was found months before...

    It was fixed in a 'timely' fashion after DEFCON16, but this could have been
    decades after the real first exploit...

    So, please, don't take it the easy way (as you obviously did)...

    --
    Peter "EPLAN" LANGSTÖGER
    Network and OpenVMS system specialist
    E-mail Peter@LANGSTOeGER.at
    A-1030 VIENNA AUSTRIA I'm not a pessimist, I'm a realist

  16. Re: Remote access vulnerability in VMS

    In article <48bb1ec2$1@news.langstoeger.at>, Peter 'EPLAN' LANGSTOeGER wrote:
    >In article ,
    >BRAD@rabbit.turquoisewitch.com (Brad Hamilton) writes:
    >>You know, the SMGSHR MUP came out in a pretty timely fashion,

    >
    >That is too easy to say.
    >It seems this vulnerability is/was there in VMS since decades.
    >How do you know that it only was found recently?
    >
    >The presenter at DEFCON16 told, it was found months before...
    >
    >It was fixed in a 'timely' fashion after DEFCON16, but this could have been
    >decades after the real first exploit...
    >
    >So, please, don't take it the easy way (as you obviously did)...


    My only "proof" for the timeliness of the fix is the "fact" that although the
    vuln existed for "decades", it was only demonstrated recently. If in fact
    someone had "exploited" it decades ago, surely we would have heard about it by
    now.

    If a bank could be easily and safely robbed, why would the robbers wait for
    decades?
    :-)

    To my friends at DEFCON16 - please don't take the above example to construe in
    any way that I think you are the "bad guys" - your work with c.o.v. proves
    otherwise.
    [...]

  17. Re: Remote access vulnerability in VMS

    Brad Hamilton wrote:
    > In article <48bb1ec2$1@news.langstoeger.at>, Peter 'EPLAN' LANGSTOeGER wrote:
    >> In article ,
    >> BRAD@rabbit.turquoisewitch.com (Brad Hamilton) writes:
    >>> You know, the SMGSHR MUP came out in a pretty timely fashion,

    >> That is too easy to say.
    >> It seems this vulnerability is/was there in VMS since decades.
    >> How do you know that it only was found recently?
    >>
    >> The presenter at DEFCON16 told, it was found months before...
    >>
    >> It was fixed in a 'timely' fashion after DEFCON16, but this could have been
    >> decades after the real first exploit...
    >>
    >> So, please, don't take it the easy way (as you obviously did)...

    >
    > My only "proof" for the timeliness of the fix is the "fact" that although the
    > vuln existed for "decades", it was only demonstrated recently. If in fact
    > someone had "exploited" it decades ago, surely we would have heard about it by
    > now.
    >
    > If a bank could be easily and safely robbed, why would the robbers wait for
    > decades?


    The fact that no use of an exploit has been publicized does not
    guarantee that it has not been used.

    Maybe the incident was never discovered, maybe the incident was
    discovered but the method was not.

    I don't think it is likely, but we really don't know for sure.

    There is an old saying that a perfect crime is a crime not even
    discovered.

    Arne
