[Info-vax] OpenVMS Security (was Re: VSI strategy for OpenVMS)

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Thu Sep 16 10:36:17 EDT 2021


On 2021-09-15 23:07:41 +0000, <kemain.nospam at gmail.com> said:

> It will be interesting to see if OpenVMS runs into this same challenge 
> now that it will soon be released on X86-64.

That's less about x86-64 hardware itself, and more about the wider 
availability of hardware for folks wishing to run OpenVMS, and to then 
examine platform security, and sometimes-imprudent security claims.

~None of the open-source code incorporated into OpenVMS is maintained 
at current.

ISC BIND, Apache HTTP, Samba, OpenSSL, etc.

AFAIK, none gets pushed upstream. (ISC was surprised to learn that 
OpenVMS incorporated BIND.)

AFAIK, none have gotten (valid) CVEs logged against OpenVMS, which is 
why CVE counts and related cross-platform comparisons are problematic.

The Common Data Security Architecture (CDSA) implementation was 
effectively deprecated an aeon or two ago, and somewhat more recently 
was actually officially deprecated:

> DISCONTINUATION OF PROJECT. This project will no longer be maintained 
> by Intel. Intel will not provide or guarantee development of or support 
> for this project, including but not limited to, maintenance, bug fixes, 
> new releases or updates. Patches to this project are no longer accepted 
> by Intel. If you have an ongoing need to use this project, are 
> interested in independently developing it, or would like to maintain 
> patches for the community, please create your own fork of the project.
> 
> ====>Due to the age of the code, the cryptography should not be used in 
> any new products.<====
> 
> This repository may be deleted on or after June 30, 2020.
> 
> CDSA is a security middleware specification and reference 
> implementation that is open source, cross-platform, interoperable, 
> extensible, and freely exportable

Among closed-source apps, some holes known in SMH were verified to work 
against SMH on OpenVMS. Though SMH is unlikely to be a focus of any 
substantial new VSI work, it's still home to various SNMP (SNMPv2!) 
MIBs.

And DECnet should have been explicitly deprecated years ago. Not that 
there was ever a great migration path provided.

VSI folks have been making progress here—all discussions of imprudent 
VSI marketing claims aside—though the efforts and the investments 
involved in keeping current will never slow.

And the above does not apply to OpenVMS-unique security issues, which 
can and have existed. More just waiting for somebody to fuzz the APIs, 
as I suspect happened with that SMG bug.

TL;DR: Don't run a flat internal address space, seriously consider 
enabling external authentication, do firewall your OpenVMS servers, and 
look for and be aware of and work to remove any insecure protocol usage 
(telnet, ftp, DECnet, SCS, etc) by apps active on your OpenVMS servers. 
We all get free penetration tests. Whether we also get the findings 
reports?


-- 
Pure Personal Opinion | HoffmanLabs LLC 
