PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER (ISSO), SPECIAL SECURITY OFFICER (SSO), INFORMATION RESOURCE MANAGER (IRM) AND AUTOMATED DATA PROCESSOR (ADP) COORDINATORS

SUBJECT: SECURITY VULNERABILITY IN OPENVMS AND OPENVMS AXP (AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM (ASSIST) BULLETIN 93-08).

1. DIGITAL EQUIPMENT CORPORATION HAS PROVIDED INFORMATION CONCERNING A VULNERABILITY IN OPENVMS V5.0 THROUGH V5.5-2 AND OPENVMS AXP V1.0. A PATCH KIT IS NOW AVAILABLE FOR OPENVMS AXP V1.0, OPENVMS V5.0 THROUGH V5.5-2 (INCLUDING ALL SEVMS VERSIONS V5.1 THROUGH V5.5-2 AS APPLICABLE) BY CONTACTING YOUR NORMAL DIGITAL SERVICES SUPPORT ORGANIZATION. THIS VULNERABILITY HAS BEEN CORRECTED IN THE NEXT RELEASE OF OPENVMS, V6.0 AND OPENVMS AXP, V1.5. THE UPDATE KIT MUST BE APPLIED FOR ALL OPENVMS VERSIONS PRIOR TO V6.0 AND AXP V1.5. FOR DOD SITES USING OPENVMS VERSIONS PRIOR TO V5.0, ASSIST STRONGLY RECOMMENDS THAT YOU UPGRADE TO A MINIMUM OF OPENVMS V5.0, OR FURTHER TO THE LATEST RELEASE OF OPENVMS V5.5-2 AS SOON AS POSSIBLE. THE PATCH KITS MAY BE IDENTIFIED AS:

    VAXSYS01_U2050 - FOR VMS V5.0, V5.0-1, V5.0-2
    VAXSYS01_U1051 - FOR VMS V5.1
    VAXSYS01_U1052 - FOR VMS V5.2
    VAXSYS01_U2053 - FOR VMS V5.3 THRU V5.3-2
    VAXSYS01_U3054 - FOR VMS V5.4 THRU V5.4-3
    VAXSYS02_U2055 - FOR OPENVMS V5.5 THRU V5.5-2
    AXPSYS01_010   - FOR OPENVMS AXP V1.0

2. THE PATCH KIT CORRECTS A POTENTIAL SECURITY VULNERABILITY IN THE OPENVMS VAX AND OPENVMS AXP OPERATING SYSTEMS. THIS POTENTIAL VULNERABILITY MAY BE FURTHER EXPLOITED IN THE FORM OF A MALICIOUS PROGRAM THAT MAY ALLOW AUTHORIZED, BUT UNPRIVILEGED USERS TO OBTAIN ALL SYSTEM PRIVILEGES, POTENTIALLY GIVING THE UNPRIVILEGED USER CONTROL OF YOUR SYSTEM AND DATA. ASSIST STRONGLY RECOMMENDS THAT YOU INSTALL THE AVAILABLE KIT ON YOUR SYSTEM(S) AS SOON AS POSSIBLE, TO AVOID ANY POTENTIAL VULNERABILITY AS A RESULT OF THIS PROBLEM.

3. DOD USERS WITH A DIGITAL SERVICES CONTRACT MAY OBTAIN A KIT FOR THE AFFECTED VERSIONS OF OPENVMS BY CONTACTING THEIR REGULAR SUPPORT ORGANIZATIONS. IN THE U.S. CUSTOMERS MAY CONTACT THE CUSTOMER SUPPORT CENTER AT 1(800)354-9000 AND REQUEST THE APPROPRIATE PATCH KIT, OR THROUGH DSNLINK TEXT SEARCH DATABASE USING THE KEYWORD TEXT "POTENTIAL SECURITY VULNERABILITY", OR DSNLINK VTX USING THE PATCH NUMBER 1084. DOD SITES OUTSIDE THE U.S. SHOULD CONTACT THEIR REGULAR DIGITAL SERVICES SUPPORT ORGANIZATIONS.

4. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS PETE HAMMES, COMM (703) 696-1924/5/6 OR DSN 226-1924/5/6. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER (800) SKY-PAGE (800-759-7243), PIN NUMBER 2133937. WHEN CALLING THE PAGER SERVICE, FOLLOW THE AUTOMATED VOICE INSTRUCTIONS AND ENTER THE CALL BACK NUMBER AFTER THE PROMPT. THE ASSIST DUTY OFFICER WILL CALL YOU BACK WITHIN 30 MINUTES. IF FASTER SERVICE IS REQUIRED, PREFIX YOUR TELEPHONE NUMBER WITH "999", AND THE ASSIST DUTY OFFICER WILL CALL BACK WITHIN 5 MINUTES. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT(AT-SIGN)DDN-CONUS.DDN.MIL".

BT