[Info-vax] VSI strategy for OpenVMS

Bill Gunshannon bill.gunshannon at gmail.com
Sat Sep 18 08:20:49 EDT 2021


On 9/17/21 9:50 PM, Simon Clubley wrote:
> On 2021-09-17, Arne Vajhøj <arne at vajhoej.dk> wrote:
>> On 9/17/2021 2:09 PM, Simon Clubley wrote:
>>> On 2021-09-17, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>>> If they can insert and try to execute x86-64 instructions, then I would
>>>> expect that the same would be possible with Alpha instructions and
>>>> that it could work.
>>>
>>> Once they have learnt the Alpha architecture and compiled a cross
>>> assembler for Alpha. They will already know the x86-64 architecture
>>> and have an assembler to hand.
>>
>> Sure.
>>
>> But I would not let security depend on attackers being too lazy to
>> learn Alpha assembler.
>>
>>>> The vulnerability needs to get identified and fixed.
>>>>
>>>> Actually executing some code looks super cool as a screenshot. But
>>>> it does not matter from a security perspective.
>>>>
>>>
>>> It most certainly does matter !!!!
>>>
>>> If it's a simple crasher, any data on the system cannot be accessed
>>> using it.
>>>
>>> If the researchers have turned it into an RCE vulnerability, then an
>>> attacker could have done the same against live sites and their data
>>> could now be compromised.
>>
>> You do not seem to get it.
>>
> 
> Knock it off Arne - you are talking to someone who has done this
> kind of thing for real.
> 
> Your original statement, quoted above, said it didn't matter whether
> they got code running or not. That statement is nonsense.
> 
>> If they are able to insert x86-64 instructions and get them executed,
>> then they have proven that there is an RCE vulnerability that needs
>> to be fixed.
>>
>> That is what matters.
>>
>> If they had inserted valid Alpha instructions then
>> they could have shown something actually being executed.
>>
>> But the vulnerability does not go away by not being
>> demonstrated fully.
>>
>> So it does not matter security wise.
>>
> 
> Yes, it does !!!
> 
> It directly affects the appropriate severity of the vendor and customer
> response to the vulnerability and whether the customer has to worry
> about if their data could have been compromised by an attacker.
> 
> This includes, for example, whether they have to do a full formal
> notification to customers and the government of possibly compromised
> data and whether they have to do a full security audit of their networks
> and systems.
> 
>> The full demonstration looks cool in screenshots and
>> may be more efficient to convince the PHB that there
>> is a vulnerability. But technically it is not required.
>>
> 
> Once again, not all crashes can be turned into attacker-controlled
> code execution vulnerabilities.

No, but they make a great DoS.  :-)

> 
> Everyone here knows about the DCL CVE and the fact it was directly
> exploitable on VAX and Alpha (and causes a crash on Itanium, so it
> was an open question about whether someone with sufficient skills
> and knowledge could do mischief on Itanium).
> 
> What you may have forgotten is that a few months before that, I had
> found another way to crash DCL by stuffing the recall buffer full
> of binary data. That earlier attempt also caused a crash, but it was
> not exploitable so nobody had to worry about it from a system compromise
> point of view.

See comment above.  :-)

bill




