[Info-vax] Next release of OpenVMS x86

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Jul 20 13:47:55 EDT 2020


On 2020-07-20, abrsvc <dansabrservices at yahoo.com> wrote:
> I'm not going to suggest that OpenVMS is the most secure system around,
> but if all that can be stated is 2 vulnerabilities reported in 40 years and
> that these were easily resolved once known, I would think that OpenVMS is
> much more secure than you would suggest.

2 vulnerabilities that came to public attention in recent years, not the
number of vulnerabilities found and fixed and which may not even have had
CVEs assigned.

BTW, didn't VMS V6 go through a major hardening exercise to fix a number of
security weaknesses?

DECnet has also had successful attacks against it in times gone past.

>  DECnet has always been known to
> be insecure as it pre-dates the general internet and was never designed to
> work securely in that arena.  DECnet sends password in open text which
> obviously is insecure.

Unencrypted network communications are not the major problem here as this
is at least known about.

The kinds of things that an attacker might look for would include
compromising the stack itself to cause a DoS or even to get code they
control running in kernel mode (for example).

>  Few today use DECnet other than in local,
> disconnected network connections where security is within the business.  I
> know of many sites where the system is isolated from the outside world
> completely (no connection at all to the outside world) so that what you
> call "standard" security measures are not needed.
>

Network printers are still used on internal networks to print documents.
That doesn't stop them from also being used to attack the rest of the
internal network if they get compromised.

> I would agree that there is much experience out there around TCPIP and
> how it works such that there are possible vulnerabilities there.  Again I
> would suggest that OpenVMS works differently than other OSes such that what
> is a problem for one may not be a problem for OpenVMS.
>

Are you sure? It might actually be the other way around.

Don't forget that VMS doesn't even have ASLR let alone KASLR.

> The bottom line here is that I may not call OpenVMS the "most secure"
> operating system, I would maintain that it is MUCH more secure than
> Windows. I can't comment about Linux as I don't use or know it.

SELinux has stuff like this built in:

https://en.wikipedia.org/wiki/Security-Enhanced_Linux

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
