[Info-vax] CVE-2017-17482
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Jan 26 21:18:31 EST 2018
On 2018-01-26, Derrell Piper <derrell.piper at vmssoftware.com> wrote:
> From: Eddie Orcutt <eddie.orcutt at vmssoftware.com>
> Date: Friday, January 26, 2018 at 4:27 PM
> To: Eddie Orcutt <eddie.orcutt at vmssoftware.com>
> Subject: OpenVMS Security Notice
>
> Dear VSI OpenVMS Customer;
>
> A potential security vulnerability has been found in which a malformed
> DCL command table may result in a buffer overflow allowing a local
> privilege escalation in non-privileged accounts. This bug is exploitable
> on VAX and Alpha and may cause a process crash on IA64. All versions of
> VMS and OpenVMS after and including VAX/VMS 4.0 are affected.
>
First off, thanks to Derrell for working behind the scenes to get
certain things done at VSI. Thank you Derrell.
Hopefully, the process for the next CVE will now flow more smoothly.
I'm still planning on releasing the details at the beginning of March
but I also still plan to _not_ release any code which shows the actual
exploit itself.
However, based on the discussion we need to have, experienced people
around here will almost certainly be able to fill in the missing pieces
and create their own exploit. We are having this discussion because
there's something about your existing VMS systems I think you need
to know about.
>
> If you are reporting a security vulnerability, please use the secure VSI
> web page, when available.
>
Yes, there's a web page _finally_ coming; it's currently being tested
so thanks again Derrell.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
More information about the Info-vax
mailing list