Ghost in the DCL shell: OpenVMS, touted as ultra reliable, had a local root hole for 30 years

Patches available, bug affects Alpha and Itanic mainframes


Forget Meltdown and Spectre. Someone's found a local privilege escalation in the operating system world's elderly statesman OpenVMS when running it on VAX and Alpha processors.

On Itanium CPUs, the same bug can be exploited to crash a process.

More details on the flaw, which has been given the designation CVE-2017-17482, are due to be made public in March. The weeks between now and then are intended to give sysadmins time to test and deploy patches.

Software running on seemingly bulletproof OpenVMS systems tends to be rather business critical – the sort of code you deploy and keep running forever – so updates that may disrupt operations are treated with utmost care by administrators. Introduced to the world as VMS in 1977, OpenVMS today still powers a good chunk of billing systems, stock exchanges, semiconductor factories, and similar setups. It is touted as a reliable and secure OS for mission-critical applications.

By the way, the "open" part refers to its support of open standards, such as POSIX; its source code is closed, although copies of the listings can, apparently, be purchased.

The privilege-escalation vulnerability stems from a cockup in the command processing code within the VMS shell, called DCL. The hole can be exploited by normal users to run code in the privileged supervisor mode. That much is now public, though quite how it can be exploited has been held over until next month. Since OpenVMS installations tend to only grant access to trusted staff, the main threat here is dodgy or bribed employees seeking to commandeer systems, rather than outside hackers.

Crucially, the vulnerability dates back decades – as far back as version 4.0 when the OS used to be known simply as VMS – giving miscreants or spies plenty of time to stumble upon the same bug, and abuse it for corporate espionage or similar.

Simon Clubley, the security researcher who discovered the programming blunder, told El Reg this month that the flaw “allows anyone with shell access to totally compromise any version of OpenVMS released for the VAX or Alpha architectures in the last 30 years.”

"This situation is not helped by the very mistaken belief in some parts of the VMS user community that somehow VMS systems are not vulnerable to the same kinds of security issues that other operating systems have,” Clubley said. “These people are very wrong.”

Ask nicely for fixes

People running VSI's OpenVMS V8.4-2L1 or V8.4-2L2 on Alpha hardware should contact VSI for patches to kill the exploitable bug. VSI is a company that was formed in Massachusetts, USA, to port OpenVMS to modern x86-64 processors in a joint agreement with HPE, and it includes ex-DEC engineers and other folks from the OpenVMS world. Sysadmins managing VSI's OpenVMS V8.4-1H1, V8.4-2, or V8.4-2L1 on IA64, or any form of HPE OpenVMS, should contact HPE.

Everyone else, well, try hitting up VSI for help. VMS on VAX and early Alpha releases are unsupported, it appears, so on that hardware, you may be out of luck. Patches started appearing at the end of last year, and were announced on the comp.os.vms newsgroup at the end of January.

"There is a very distinct possibility that there are a significant number of unsupported and vulnerable VMS systems still in production use," Clubley warned.

For what it's worth, today's operating systems usually run applications on processors in what's called user mode, and the core OS and drivers in a privileged kernel mode. VMS uses four modes: user mode; supervisor mode where the DCL shell runs; executive mode for privileged services; and kernel mode, which has power over the system.

VMS runs its shell in supervisor mode. A program can pass malformed command line data to DCL to process, which overflows a buffer and clobbers a return pointer in memory. There are some portions of memory with fixed addresses that all programs which run in a process share, and for some reason can hold executable code. Thus, it's possible to stash some malicious code in those shared areas, pass a booby-trapped command line to the shell to parse, and have the shell jump to the evil attacker-controlled code while still in supervisor mode.

It gets worse

Furthermore, Clubley said he discovered in November that the boundary between supervisor and executive modes is not as watertight as folks are led to believe. Thus, it is possible to leverage the escalation from user mode to supervisor mode to jump into the executive and drill deeper into the system. More on this hidden supervisor-to-executive capability will be revealed next month by Clubley, we're told.

"In addition to those who wrongly believe that their old VMS systems are somehow immune to the security issues of other operating systems, there are also some in the VMS user community who would prefer not to make these issues public, and would prefer to keep them hidden," he added. "They believe that if you don't talk about these issues then everything will be OK.

"Well, over a very interesting few weeks in November 2017, I went from not knowing where to look for this hidden capability, to then finding this hidden capability and then on to developing an exploit that compromised every version of VAX and Alpha VMS released over the last 30 years.

"If I can do that, then so can the people who would want to harm you. By making these issues public, more people receive warning that these issues exist so they can protect themselves. Your desire for the illusion of security by obscurity is just that - an illusion."

VMS. Bulletproof. Depending on the bullet. ®


Other stories you might like

  • Google sours on legacy G Suite freeloaders, demands fee or flee

    Free incarnation of online app package, which became Workplace, is going away

    Google has served eviction notices to its legacy G Suite squatters: the free service will no longer be available in four months and existing users can either pay for a Google Workspace subscription or export their data and take their not particularly valuable businesses elsewhere.

    "If you have the G Suite legacy free edition, you need to upgrade to a paid Google Workspace subscription to keep your services," the company said in a recently revised support document. "The G Suite legacy free edition will no longer be available starting May 1, 2022."

    Continue reading
  • SpaceX Starlink sat streaks now present in nearly a fifth of all astronomical images snapped by Caltech telescope

    Annoying, maybe – but totally ruining this science, maybe not

    SpaceX’s Starlink satellites appear in about a fifth of all images snapped by the Zwicky Transient Facility (ZTF), a camera attached to the Samuel Oschin Telescope in California, which is used by astronomers to study supernovae, gamma ray bursts, asteroids, and suchlike.

    A study led by Przemek Mróz, a former postdoctoral scholar at the California Institute of Technology (Caltech) and now a researcher at the University of Warsaw in Poland, analysed the current and future effects of Starlink satellites on the ZTF. The telescope and camera are housed at the Palomar Observatory, which is operated by Caltech.

    The team of astronomers found 5,301 streaks leftover from the moving satellites in images taken by the instrument between November 2019 and September 2021, according to their paper on the subject, published in the Astrophysical Journal Letters this week.

    Continue reading
  • AI tool finds hundreds of genes related to human motor neuron disease

    Breakthrough could lead to development of drugs to target illness

    A machine-learning algorithm has helped scientists find 690 human genes associated with a higher risk of developing motor neuron disease, according to research published in Cell this week.

    Neuronal cells in the central nervous system and brain break down and die in people with motor neuron disease, like amyotrophic lateral sclerosis (ALS) more commonly known as Lou Gehrig's disease, named after the baseball player who developed it. They lose control over their bodies, and as the disease progresses patients become completely paralyzed. There is currently no verified cure for ALS.

    Motor neuron disease typically affects people in old age and its causes are unknown. Johnathan Cooper-Knock, a clinical lecturer at the University of Sheffield in England and leader of Project MinE, an ambitious effort to perform whole genome sequencing of ALS, believes that understanding how genes affect cellular function could help scientists develop new drugs to treat the disease.

    Continue reading

Biting the hand that feeds IT © 1998–2022