[Info-vax] VSI strategy for OpenVMS

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Sep 17 21:50:01 EDT 2021


On 2021-09-17, Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 9/17/2021 2:09 PM, Simon Clubley wrote:
>> On 2021-09-17, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>> If they can insert and try to execute x86-64 instructions then I would
>>> expect that the same would be possible with Alpha instructions and
>>> that it could work.
>> 
>> Once they have learnt the Alpha architecture and compiled a cross
>> assembler for Alpha. They will already know the x86-64 architecture
>> and have an assembler to hand.
>
> Sure.
>
> But I would not let security depend on attackers being too lazy to
> learn Alpha assembler.
>
>>> The vulnerability needs to get identified and fixed.
>>>
>>> Actually executing some code looks super cool as a screenshot. But
>>> it does not matter from a security perspective.
>>>
>> 
>> It most certainly does matter !!!!
>> 
>> If it's a simple crasher, any data on the system cannot be accessed
>> using it.
>> 
>> If the researchers have turned it into a RCE vulnerability, then an
>> attacker could have done the same against live sites and their data
>> could now be compromised.
>
> You do not seem to get it.
>

Knock it off Arne - you are talking to someone who has done this
kind of thing for real.

Your original statement, quoted above, said it didn't matter whether
they got code running or not. That statement is nonsense.

> If they are able to insert and get executed x86-64 instructions
> then they have proven that there is an RCE vulnerability that needs
> to be fixed.
>
> That is what matters.
>
> If they had inserted valid Alpha instructions then
> they could have shown something actually being executed.
>
> But the vulnerability does not go away by not being
> demonstrated fully.
>
> So it does not matter security wise.
>

Yes, it does !!!

It directly affects the appropriate severity of the vendor and customer
response to the vulnerability and whether the customer has to worry
about whether their data could have been compromised by an attacker.

This includes, for example, whether they have to do a full formal
notification to customers and the government of possibly compromised
data and whether they have to do a full security audit of their networks
and systems.

> The full demonstration looks cool in screenshots and
> may be more efficient to convince the PHB that there
> is a vulnerability. But technically it is not required.
>

Once again, not all crashes can be turned into attacker-controlled
code execution vulnerabilities.

Everyone here knows about the DCL CVE and the fact it was directly
exploitable on VAX and Alpha (and causes a crash on Itanium, so it
was an open question about whether someone with sufficient skills
and knowledge could do mischief on Itanium).

What you may have forgotten is that a few months before that, I had
found another way to crash DCL by stuffing the recall buffer full
of binary data. That earlier attempt also caused a crash, but it was
not exploitable so nobody had to worry about it from a system compromise
point of view.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.