OpenVMS - Doesn't mean "Unable to be Insecure"
Security

Got pointed to this recent DEFCON presentation on OpenVMS. We're glad to see that, after all this time, there are still references to OpenVMS at DEFCON. The foray into the Lions Den by a group of Dallas folks is even mentioned in the talk. But it's an excellent example that even one of the most secure operating systems can still be compromised by bad coding, even from within OpenVMS Engineering: in particular, the TCP/IP team, which managed to be bug-compatible with other similar functions. A very interesting talk.


My only critique of the session is "People still run 'finger' on OpenVMS?" Apparently so. A tip o' the hat to Dave Smith from the UK for letting me know about this.
Comments
maveri on March 07 2011 10:27
The video was good and well worth the view.

Sort of shows what happens when OpenVMS starts importing all the non-native tools / stacks etc into it doesn't it?

Still, at the end of the day it shows up security flaws - whether non-native or not and it has the potential to shake existing and future OpenVMS houses.

If HP were smart, they would hire some unix gurus to go over all the various stuff that has been imported into OpenVMS to ensure it doesn't fall to more of these exploits. As these people pointed out - these are basic exploits in unix, which sort of implied what else was out there!

A lot of people are staying with OpenVMS because of its perceived security - if they let that image walk out the door there will be a flood away from it.

With HP wanting to bring more and more cross-porting functionality to OpenVMS, one has to wonder what else is going to come across?

Being an OpenVMS advocate myself this video was hard to take in some ways as it stood in the face of many a year of belief that OpenVMS was inherently secure - let's hope all of us OpenVMS folk realise what's at stake here if we sit back and ignore this shot across the bow.

We can all laugh at Windows and unix for lots of things but one thing they do have is an active presence in the security arena and they are not afraid to see the dark side of their OS's in terms of exploits - I feel a number of OpenVMS users are not like this, relying more upon historical notions of OpenVMS security than realising all the imported code into OpenVMS can sometimes bite us.

Sad to think that in some ways HP must have not rewritten the code from the ground up with OpenVMS design philosophy in mind and instead went the cut and paste route. Still - this is what we have to deal with now.
medhurstt on April 07 2011 19:48
Re : "Sort of shows what happens when OpenVMS starts importing all the non-native tools / stacks etc into it doesn't it?"

Maybe I misunderstood the exploit, but didn't it centre on the CLI 511 character then up-arrow x3 bug rather than the application it was triggered within?

That would squarely make it an OpenVMS problem although there is a fair argument that a crash within TELNET|TCP/IP ought to be handled by the application better too.
JCE on September 16 2011 04:57
Just want to update any who view on comments from the OpenVMS Team...
+++++++++++++++++++++++++++++++++++++++++


The Defcon 16 slides mainly talk about 2 exploits on OpenVMS. Both of these exploits were fixed more than two and a half years ago. The details about the fixes are given below:

1. The Screen Management overflow vulnerability - This issue was fixed in August 2008 and SMGRTL patches were made available for all affected VAX, Alpha and Integrity versions of OpenVMS.

A bulletin was also issued during the time (note: links may have changed or require account login to view):
ITRC URL: http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01539423
BSC URL: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01539423
SAW URL: http://saw.cce.hp.com/km/saw/view.do?docId=emr_na-c01539423


2. Finger Client Format String vulnerability - This issue was fixed in September 2008 and images were provided for TCPIP V5.4 ECO 7, V5.5 ECO 3, and V5.6 ECO 2. This fix was also included in the subsequent TCPIP V5.6 ECO 3.

http://h71000.www7.hp.com/network/new.html

Please note that all update kits since Sep 2008 have the necessary fixes.


In addition to the above fixes, OpenVMS security as well as multiple teams from OpenVMS engineering have investigated and fixed 16 other vulnerabilities since 2009. These include

SSRT100354, SSRT090267, SSRT090249, SSRT090245, SSRT090244, SSRT100023, SSRT090161, SSRT080078, SSRT080058, SSRT071479, SSRT71449, SSRT051029, SSRT4812, SSRT5999, SSRT5956 and SSRT3624.

The details for these can be found at the link given below.

http://intranet.hp.com/tsg/GSE/SSRT/_layouts/listfeed.aspx?List=c093bb37-fae7-4d77-bc12-20d338f3c628&View=b3bfed1a-e80f-4cd7-a2e7-16b05219966a

We have also investigated many vulnerabilities reported in products for other operating systems and found that they are not applicable or do not affect the corresponding products on OpenVMS.

It is our endeavour to make sure that OpenVMS continues to be the most secure operating system and we are continuously working towards this.