[Info-vax] Is HP's TCP/IP Services for OpenVMS vulnerable?

Jose Baars peutbaars at googlemail.com
Mon Aug 15 15:28:39 EDT 2011


On 8/15/2011 6:32 PM, Michael T. Davis wrote:

>
> Our security folks keep reporting this system as vulnerable to the "SSH
> Secure Shell without PTY setsid() Function Privilege Escalation" issue:
>
>                       http://www.kb.cert.org/vuls/id/740619
>
> In particular, they're relying on scans from Nessus...
>
>                       http://www.tenable.com/products/nessus
>
> ...which identifies our system as vulnerable.  It parses the hello string
> from our SSH server, which reports a SSH version less than v3.2.2.  According
> to the CERT site, HP's Tru64 is reported as "not vulnerable," but what about
> their TCP/IP stack for OpenVMS?
>

The vulnerability states this:

On platforms relying on getlogin() (mainly the different BSD variants)
malicious users can at least send misleading messages to syslog and
others applications (getlogin() call will return "root").

Although it is possible that OpenVMS is affected, it definitely is not a
BSD variant, although the TCP IP Services is a port from Ultrix, or Tru64,
which is. Process groups and syslog are nonsense on VMS of course, but it is
possible that something might be wrong there.

It is not a bad idea to upgrade, this is not the only vulnerability, I expect.

As the SSH server runs under user TCPIP$SSH, which has no privileges, it
is not likely that this particular defect would result in a privilege
elevation.

It is impossible to get rid of the identification string, which tells
Nessus (or a telnet to port 22) which version SSH you are running, it's part
of the SSH2 protocol. On the version running on my system it says:
SSH-2.0-3.2.0 SSH OpenVMS V5.5 VMS_sftp_version 3
The most practical way to solve this is to upgrade your system.

A couple of years ago we had similar problems with security people running
Nessus, which told them that our DECservers 700 were running a really old
version of Mandrake Linux, with a zillion security advisories.
We informed them we needed advice on how to upgrade as Mandrake wasn't
installed in the first place. They updated some kind of profile, and that
was it. Maybe an idea for you too?
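
The banner-based check discussed in this message, as an added example that is not part of the original post: it parses the SSH identification string as laid out in RFC 4253 section 4.2 and applies the 3.2.2 threshold from the quoted scan finding. The function names and the `evidence` label are assumptions made for illustration; the sample greeting is constructed from the banner quoted above.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^\s-]+)-(?P<software>[^\s-]+)(?: (?P<comments>.*))?$"
)
FIXED_IN = (3, 2, 2)  # threshold from the quoted scan finding ("less than v3.2.2")


def parse_ident(raw: bytes) -> dict:
    """Return the fields of the first identification line in a server greeting."""
    for line in raw.split(b"\n"):
        text = line.rstrip(b"\r").decode("ascii", errors="replace")
        if not text.startswith("SSH-"):
            continue  # a server may send other lines before the identification string
        if len(line) + 1 > 255:  # the limit counts the CR LF terminator
            raise ValueError("identification string longer than 255 bytes")
        m = IDENT_RE.match(text)
        if m is None:
            raise ValueError(f"malformed identification string: {text!r}")
        return m.groupdict()
    raise ValueError("no SSH identification string found")


def numeric_version(software: str):
    """Leading dotted-numeric part of softwareversion as a tuple, or None."""
    m = re.match(r"\d+(?:\.\d+)*", software)
    return tuple(int(p) for p in m.group().split(".")) if m else None


def triage(raw: bytes) -> dict:
    """Reproduce a banner-only version check and record what it rests on."""
    ident = parse_ident(raw)
    version = numeric_version(ident["software"])
    return {
        **ident,
        "version": version,
        "banner_below_fix": version is not None and version < FIXED_IN,
        # A banner match infers a version; it does not exercise the defect.
        "evidence": "banner-only",
    }


if __name__ == "__main__":
    # Constructed greeting using the banner quoted in the message above.
    sample = b"SSH-2.0-3.2.0 SSH OpenVMS V5.5 VMS_sftp_version 3\r\n"
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

The platform name appears only in the `comments` field, so a check keyed on `softwareversion` alone cannot distinguish this server from other implementations reporting the same number.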



