[Info-vax] Questions and observations about OpenVMS

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Sun Mar 7 11:47:13 EST 2021 

On 2021-03-07, abrsvc <dansabrservices at yahoo.com> wrote:
>> > 
>> > Oh, give me a break! How long are you going to polish that particular 
>> > apple? It was a bug in a utility, which has been fixed. 
>> >
>> Actually, I had decided to let it rest as mentioned the last time 
>> I pushed it. I only mentioned it again due to the OP's comments and 
>> his rather naive take on the state of VMS security. 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

As mentioned above, and in the previous discussion, I had already decided
to let it rest. If one of the regulars had said something like that these
days, I would have just told them to stop being a twit and left it at that.

But the OP clearly knows none of this so it's something that needs pointing
out to him so he can understand how things have changed but how VMS has
stood still when it comes to security.

>
> Let me address 2 items here:
>
> 1) DECnet - It has been said in the past that this is NOT a secure
> mechanism and in reality its use has been discouraged.  The cases where it
> is currently used (for my clients anyway) are only where there are networks
> that are NOT connected to the outside world.  In these cases, security is
> not as necessary as there is a gap to the outside world.  Here, the
> connections for applications are through known pathways using the OpenVMS
> systems as backends.  No direct "user" access other than the
> administrators.
>

That works great until the local network gets compromised.

> 2) DCL bug that you seem to target anytime there is a discussion here: 
> Yes there was a bug, yes it was fixed, get over it!  You should also
> differentiate between bugs that allow access to the system vs. bugs that
> allow more access once you have it.  I would argue that OpenVMS is just as
> secure (ifnot more so) than Windows for example.  how many times have you
> seen people access an OpenVMS system externally?  Once you gain access to
> an account, that provides a different scenerio.  Do you see virus attacks
> on OpenVMS?  Do you see "programs" executed by opening an Email on OpenVMS
> systems?

On the last one, actually maybe.

VMS Mail got altered a decade or two back to stop displaying some escape
sequences in an email to stop them causing abuse. I don't know the details
as they were never published in the notice I remember seeing.

The DEFCON 16 researchers found a problem in finger which involved a
user's plan file IIRC. A plan file is most certainly also a
user-controlled document.

Document handling on VMS is very primitive, so I don't remember seeing
the kinds of attacks you are talking about. Even so, those are two issues
that I do remember.

To go back to the remote access to VMS, you should also consider the
possibility that there might be vulnerabilities in the actual network
stacks themselves that are enabled on a VMS system.

Actual login access to a VMS system might not be required if a user
can get to the network protocols enabled on a VMS system and find a
vulnerability.

BTW, Stephen pointed out that I am not the only person to ever find a
vulnerability on VMS. He's right about that, but also think about what
that means when considering if there are any more vulnerabilities
waiting to be found by other people who do this for a living instead
of just doing the one-off piece of research I did.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

More information about the Info-vax mailing list