Re: The Register: OpenVMS among most-secure of operating systems

From: Mark Berryman (Mark.Berryman_at_Mvb.Saic.Com)
Date: 01/15/04


Date: Wed, 14 Jan 2004 15:02:27 -0800

Andrew Harrison SUNUK Consultancy wrote:
> Mark Berryman wrote:
>
>> Andrew Harrison SUNUK Consultancy wrote:
>>
>>> Bob Koehler wrote:
>>>
>>>> In article <bu12iq$qi9$1@new-usenet.uk.sun.com>, Andrew Harrison
>>>> SUNUK Consultancy <Andrew_No.Harrison_No@nospamn.sun.com> writes:
>>>>
>>>>
>>>>> Ohhh yessssss yooou are.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Care to speculate as to which one of us has access to the source
>>>> listings and NDA info?
>>>>
>>>> I have no reason to BS you, Andrew. When I say I'm not guessing
>>>> it's a fact. Not a boast, a fact.
>>>>
>>>
>>> Well let's just examine the external evidence shall we rather than
>>> your rather laughable secret squirrel response.
>>>
>>> Even CERT which is a highly unreliable source puts OpenVMS way
>>> ahead of VMS for vulnerabilities. There was the DECnet Worm
>>> and that's just about it.
>>>
>>> On the other hand the current OS has SSH, Bind, and a number of
>>> other advisories posted for it.
>>>
>>> Security through obscurity cuts both ways because it removes
>>> your ability to prove your point while I at least have
>>> collateral to support mine.
>>>
>>> So Ohhh Yesss You Arrr until that is you can prove you
>>> aren't
>>
>>
>>
>> But I have proven it. Unfortunately, for whatever reason, you have
>> not been able to accept (or perhaps understand) the proof. It
>> probably isn't worth it but I will try again.
>>
>> I have SSH on my VMS system. It is NOT openssh. Are you aware of any
>> advisories against it? I can state that my VMS system has never been
>> in any sort of security or DoS danger because of SSH.
>>
>> I have BIND on my system. None of the vulnerabilities posted for BIND
>> have ever been able to impact my VMS version of BIND and I test every
>> one. So, how does the fact that I run BIND impact the level of
>> security of my VMS system?
>>
>
> There are only 2 reasons why your claim could be true.
>
> 1. You aren't running a commercial version of bind on OpenVMS
> all the commercial versions either have CERT advisories
> for them or patches for cert advisories (if you understand
> the sorry state of OpenVMS CERT reporting you will know
> what this means).

No. I run a commercial version.
>
> 2. You have installed a version more recent than the advisories
> anything else and you are at odds with reality.

No, again not true. I apply the vendor-supplied patches after I test
for whether my system is vulnerable or not.

Ah, I think I see the crux of the matter. You seem to think that
anything that has been patched for security reasons must mean that any
VMS system running that piece of software must have had a security
issue. If so, then this is a proven false belief. I will try to state
things a little clearer.

Vendors that distribute opensource products (e.g. BIND) as part of their
product apply the patches released by the maintainers of the
opensource product in order to keep their code in sync. This does NOT
mean that the issue being addressed by the patch necessarily impacted
the vendor's product.

So, name one security flaw in BIND that caused a security issue for a
VMS system running BIND.

>> You have tried to claim that certain patches to VMS layered products
>> should have been reported to CERT (if CERT was to be used as a valid
>> metric) because they addressed security issues. However, when I
>> followed up on the ones you claimed, that claim turned out to be
>> specious (the patches were not, in fact, fixing any kind of security
>> issue).
>>
>
> Rubbish, Teardrop, Bind, SSH all require patches and the information
> for this is either in the CERT advisory or in the case of Teardrop
> available from HP.

They required patches, yes. But in all three of the cases you cite, the
problem that was patched was not exploitable on any of the hundreds of
VMS systems I've been responsible for. I've tried to tell you before
that I have explicitly tested each of these cases. You have no first
hand knowledge but are simply drawing assumptions from reading something.

>
>> So, let's get specific. You say the CERT advisories aren't valid as a
>> metric because too many security issues in VMS don't get reported to
>> CERT. Let's start there. Name some. I'll follow up and verify your
>> accuracy. Remember, it has to be something that impacts the security
>> or stability of VMS.
>
>
>
>
> VMS722_DW_MOT_MUP-V0100 DECWindows MUP, No CERT Advisory.

Bulletin number ESB-2001.460

> ACMS_U2_043, ACMS security hole No CERT Advisory.

Quoting from the patch release notes:

                       **** NOTE ****

      This problem does not compromise the security of the OpenVMS
      operating system.

> ALPSMUP01_070 No CERT Advisory (Know what a SMUP is)

From the Release Notes:

      Digital has received reports of possible unintended disclosure of user
      access information on Alpha systems running OpenVMS Alpha or SEVMS
      Alpha.

I did not find this one at CERT.

> DCE_030_SSRT3608-V0100 COM/DCE Denial of Service no CERT

This was a "potential" error that impacted only DCE. It had no impact
on VMS or the data maintained on it. According to the info I have this
was a case of "we don't know if anyone could exploit this, we haven't
heard that anyone has, but let's fix it anyway" which is typical of the
proactive stance people buy VMS for. This does not qualify for
submission to CERT.

>
> I can provide more if you are interested but to be
> honest you just lost the argument so let's not
> rub salt in your wounds.

Considering your low batting average, you might want to consider trying
again.

> And just to illustrate that 3rd party layered products
> are just as bad or put another way more OpenVMS CERT
> BS gets trashed.
>
> http://www.multinet.process.com/scripts/eco/eco_tlb.com?FTP-053_A044
>
> Look for mandatory security update.
> Now wouldn't it be nice to know what that was, again no CERT.
>
> http://www.multinet.process.com/scripts/eco/eco_tlb.com?NAMED-011_A044
> No reference to which CERT advisories they are fixing and of
> course no response in the Vendor section of the CERT advisories.
>
> http://www.multinet.process.com/scripts/eco/eco_tlb.com?SMTP-030_A044
> Mandatory Security Update
> Again no CERT advisory.

I've never looked for Multinet issues in CERT so I'll have to table this
until I have a little time for research.

>>
>> Step two. Name any opensource product that is now available on VMS
>> for which an exploit was discovered that could be used to compromise a
>> VMS system (or even provide a means to make a DoS attack against it).
>> I am aware of one, but that was in a product that no one concerned
>> about security would ever run. Remember, the fact that an exploit was
>> discovered does NOT necessarily mean that the exploit could actually be
>> used against a VMS system.
>>
>
> Why should I bother with OpenSource closed source is good
> enough.

Um, *you* are the one who brought up opensource (you know, BIND, SSH, etc.).

>> I'm calling you on your bluff. You claim the security concerns with
>> VMS tend to get obfuscated. Trot 'em out and show 'em to us.
>>
> I guess that you now regret even posting but thanks
> for being a very useful fall guy.

Nope, no regrets at all.

Mark Berryman


