[Info-vax] Unexpected DECnet Phase IV functionality with possible captive account implications
Some Dude
dgordonatvsi at gmail.com
Mon May 10 15:27:40 EDT 2021
On Monday, May 10, 2021 at 2:20:19 PM UTC-4, Simon Clubley wrote:
> I have come across some very unexpected DECnet Phase IV functionality
> while I was looking at the FAL specification.
>
> Did you know that you can directly submit batch jobs using FAL from
> across the network without having to go anywhere near a command prompt
> on the target system? The command procedure runs on SYS$BATCH on
> the target system as the user you have logged into with FAL on the
> target system.
What Simon omits is that you are required to provide login credentials (absent a default FAL
account, which would leave your system vulnerable to many more interesting things).
The response from VSI also included:
As such, outside the inherent security problems with the unencrypted DECnet transport
itself...
-----
And I agree with Hoff on this one:
> And there's a reason I keep writing comments about the problems of
> continued use of DECnet...
--Doug