[Info-vax] Have the NSA planted backdoors in VMS ?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Mon Jan 8 18:10:09 EST 2018
On 2018-01-08 22:09:40 +0000, Simon Clubley said:
> Many non-privileged interactive users would be using these systems as
> well. In that environment, a known interactive privilege escalation
> method would be a very valuable thing to have.
I'd rather have a path through LOGINOUT or via DECnet, that far back.
There was a hilariously stupid GRPNAM security hole back in the early 1980s.
And many OpenVMS systems and many networks were wide open, as well.
> I wonder if SEVMS had the same vulnerability as well ?
SEVMS was identical to OpenVMS in this and in most other areas. SEVMS
activated some latent capabilities, and added a fairly small number of
executable images, and documented added commands and features.
> BTW, let's assume that this was an accident and not a deliberate
> backdoor. That means the next question is: did the NSA find out about
> this during their normal evaluation of systems and then decide not to
> tell DEC about it ?
If any national intelligence agency is relevant to you and to your
systems, then you're probably already toast. Anybody that's really
interested can "black bag" your servers directly. Or can compromise
your systems through your supply chain, or by directly accessing your
data center, by co-opting your networking, or by co-opting existing
staff with the necessary access. Etc. As for your question? Any
discussions and debates of VEP aside, that's not something that anybody
that knows will likely answer. Whether it's NSA, GCHQ, FSB or
otherwise. Various end-users can and did send in bug reports, and
still do. Exploits are valuable to a number of folks and
organizations well beyond NSA, and with interests in vulnerabilities
and exploits for both legal and illegal purposes. VSI hasn't decided
to set a floor on exploit prices yet, but that's fodder for a different
discussion. Folks that are interested in exploits will review the
source listings and will fuzz the APIs. Same as usual. Some agencies
have other options and alternatives within their jurisdictions.
GRPNAM: http://www.netfunny.com/rhf/jokes/89q4/evild.693.html
VEP: https://www.eff.org/document/vulnerabilities-equities-process-january-2016
--
Pure Personal Opinion | HoffmanLabs LLC