SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   DECwindows Motif Server Vendors:   Compaq
Compaq's DECwindows Motif Server for OpenVMS Allows Local Users to Gain Unauthorized Access to Data and System Resources
SecurityTracker Alert ID:  1002665
SecurityTracker URL:  http://securitytracker.com/id/1002665
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 30 2001
Impact:   User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Compaq warned of a security vulnerability for DECwindows Motif Server for the OpenVMS operating system that could allow local users to obtain additional privileges on the host.

It si reported that systems running OpenVMS Alpha, OpenVMS VAX, SEVMS VAX or SEVMS Alpha with the DECwindows Motif Server installed are vulnerable.

A local user could gain unauthorized access to data and system resources.

The following operating system versions are affected if running DECwindows Motif Server:

o OpenVMS Alpha Version 6.2 and all associated hardware releases (for example, Version 6.2-1H1)
o OpenVMS Alpha Version 7.1-2
o OpenVMS Alpha Version 7.2-1H1
o OpenVMS Alpha Version 7.2-2
o OpenVMS Alpha Version 7.3
o OpenVMS VAX Version 6.2
o OpenVMS VAX Version 7.1
o OpenVMS VAX Version 7.2
o OpenVMS VAX Version 7.3
o SEVMS Alpha Version 6.2
o SEVMS VAX Version 6.2

It is reported that OpenVMS VAX Version 5.5-2 is not vulnerable.

The nature of the vulnerability was not reported.

Impact:   A local user could gain unauthorized access to data and system resources.
Solution:   The vendor has released a fix. Patches are available at the Vendor URL.

o ALPHA

DEC-AXPVMS-VMS73_DW_MOT_MUP-V0100-4.PCSI
DEC-AXPVMS-VMS722_DW_MOT_MUP-V0100-4.PCSI
DEC-AXPVMS-VMS721H1_DW_MOT_MUP-V0100-4.PCSI
DEC-AXPVMS-VMS721_DW_MOT_MUP-V0100-4.PCSI
DEC-AXPVMS-VMS712_DW_MOT_MUP-V0100-4.PCSI
ALPDWMOTMUP01_062

o VAX

VAXDWMOTMUP01_073
VAXDWMOTMUP01_072
VAXDWMOTMUP01_071
VAXDWMOTMUP01_062

o SEVMS

SE_VAXDWMOTMUP01_062
SE_ALPDWMOTMUP01_062

For WEB Site kits: Use the FTP access option, select VMS then either the VAX or AXP directory, then choose the appropriate version directory and download the patch as identified in the applicable .HTML file accordingly.

Additional important instructions are provided in the Source Message.

Vendor URL:  www.support.compaq.com/patches (Links to External Site)
Cause:   Not specified
Underlying OS Comments:  OpenVMS Alpha, OpenVMS VAX, SEVMS VAX or SEVMS Alpha

Message History:   None.


 Source Message Contents

Subject:  [Advisory] SSRT0738 OpenVMS Security Mandatory Update, OVMSMUP03


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

    NO RESTRICTION FOR DISTRIBUTION
 PROVIDED THE ADVISORY REMAINS INTACT

 TITLE: (SSRT0738) OpenVMS Security Mandatory Update, OVMSMUP03

 SOURCE: Compaq Computer Corporation
         Software Security Response Team

COMPONENT IMPACT: DECwindows Motif Server

 X-REF: None

 October 30, 2001

 "Compaq is broadly distributing this Security Advisory to
 notify all users of Compaq products of the important security
 information contained in this Advisory. Compaq recommends that
 all users determine the applicability of this information to
 their individual situations and take appropriate action. Compaq
 does not warrant that this information is necessarily accurate or
 complete for all user situations and, consequently, Compaq
 will not be responsible for any damages resulting from user's use
 or disregard of the information provided in this Advisory."

 IMPACT:

 This fix was implemented in response to a recent report of a
 problem where systems running OpenVMS Alpha, OpenVMS VAX,
 SEVMS VAX or SEVMS Alpha with the DECwindows Motif Server
 installed have a potential security vulnerability.
 This vulnerability could be exploited to allow existing users
 unauthorized access to data and system resources.

 o OpenVMS Alpha Version 6.2 and all associated hardware
   releases (for example, Version 6.2-1H1)

 o OpenVMS Alpha Version 7.1-2

 o OpenVMS Alpha Version 7.2-1H1

 o OpenVMS Alpha Version 7.2-2

 o OpenVMS Alpha Version 7.3

 o OpenVMS VAX Version 6.2

 o OpenVMS VAX Version 7.1

 o OpenVMS VAX Version 7.2

 o OpenVMS VAX Version 7.3

 o SEVMS Alpha Version 6.2

 o SEVMS VAX Version 6.2

 NOTE

OpenVMS VAX Version 5.5-2 is not subject to this potential
security vulnerability.


 RESOLUTION:

 This potential security problem has been resolved and
 patches for this problem have been made available for the 
 affected versions listed above.

 NOTE: This is a mandatory update for the affected OpenVMS
 VAX and Alpha environments with the DECwindows Motif Server
 installed.

 Installation of the DECwindows Motif Server is optional
 during the installation of the OpenVMS Operating System. You can
 verify whether or not the DECwindows Motif Server has been
 installed on your system using the following command:

$ DIRECTORY SYS$LIBRARY:DECW$*.EXE

 If no DECW$*.EXE files are present on your system, the
 DECwindows Motif Server is not installed on your system and
 you do not need to apply this mandatory update.

********** IMPORTANT **********

If the DECwindows Motif Server is not installed on your
system you do NOT need to apply this mandatory update.

 A CD-ROM containing the patches has been automatically
 shipped to VAX and Alpha customers with update services.

 In addition, the patches are available from the World Wide
 Web at the following address:

<http://www.support.compaq.com/patches


 PATCH FILE NAMES:


 o ALPHA

 DEC-AXPVMS-VMS73_DW_MOT_MUP-V0100-4.PCSI
 DEC-AXPVMS-VMS722_DW_MOT_MUP-V0100-4.PCSI
 DEC-AXPVMS-VMS721H1_DW_MOT_MUP-V0100-4.PCSI
 DEC-AXPVMS-VMS721_DW_MOT_MUP-V0100-4.PCSI
 DEC-AXPVMS-VMS712_DW_MOT_MUP-V0100-4.PCSI
 ALPDWMOTMUP01_062

 o VAX

 VAXDWMOTMUP01_073
 VAXDWMOTMUP01_072
 VAXDWMOTMUP01_071
 VAXDWMOTMUP01_062

 o SEVMS

 SE_VAXDWMOTMUP01_062
 SE_ALPDWMOTMUP01_062

 For WEB Site kits: Use the FTP access option, select VMS
 then either the VAX or AXP directory, then choose the appropriate
 version directory and download the patch as identified in
 the applicable .HTML file accordingly.

 Note: Please review the README file(s) for each patch prior
 to installation.

 Non-service customers who can not access the WEB Site kits,
 should contact their local Compaq Sales Office to order a
 CD-ROM containing the patches. The part number for the CD-ROM
 is QA-MT3AA-T8. There will be a charge for shipping and
 handling.

 After completing the update, Compaq strongly recommends that
 you perform an immediate backup of your system disk so that
 any subsequent restore operations begin with updated
 software. Otherwise, you must reapply the update after a future
 restore operation. Also, if at some future time you upgrade your
 system to one of the versions of OpenVMS or SEVMS listed, you must
 reapply the update.


 Additional Considerations:

 If you need further information, please contact your normal
 Compaq Service support channel.

 Compaq appreciates your cooperation and patience. We regret
 any inconvenience applying this information may cause. As
 always, Compaq urges you to periodically review your system
 management and security procedures. Compaq will continue to
 review and enhance the security features of its products and
 work with customers to maintain and improve the security 
 and integrity of their systems.

 Copyright 2001 Compaq Computer Corporation. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBO98aCznTu2ckvbFuEQJHCwCeMqyf/8TLcahaQCTLeA5jUm84eqIAoNdE
Q8QC3RrVcEwKJvES5DTir7sv
=xzXa
-----END PGP SIGNATURE-----


---
You are currently subscribed to security as: ***********************
To unsubscribe send a blank email to *********************@list.support.compaq.com


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC