
NETWORK SECURITY SUPPLEMENTAL INFORMATION - PROTECTING THE DECNET ACCOUNT

The most important thing that needs to be done to protect a system 
against the current WORM attacks is to modify accounts where
USERNAME=PASSWORD.  This is the default configuration for the DECNET
account.  This can be changed easily, but there appears to be some
confusion about the effect that this has on a network. Changing the
DECnet default password DOES NOT IMPACT the normal operation of DECnet
in any way. 
                            --------

The following section provides some background material to illustrate
this point: 

On your system, issue the following commands from a privileged
(CMKRNL,BYPASS,SYSPRV) account:

        $MCR NCP (or $RUN SYS$SYSTEM:NCP)
        NCP> show executor characteristics

This will produce a list that resembles the following:
 
 
        Node Volatile Characteristics as of 31-OCT-1989 11:02:23
         
        Executor node = 6.133 (NSSDCA)
 
        Identification           = DECnet-VAX V4.7,  VMS V4.7
        .
        .
        .
        Nonprivileged user id    = DECNET
        Nonprivileged password   = DECNET
        .
        .
        .
 
This is your DECnet executor database.  The information listed is the
default configuration for your node.  The information contained in this
list includes "Nonprivileged user id" and "Nonprivileged password".

This information is what DECnet uses for userid/password when the
connecting process a) does not have a proxy, b) does not specify a
username/password as part of the access string, and c) does not
have a different userid/password defined for the network object
being invoked.

The access information contained in the executor database is used for
reference only. The candidate userid and password (in this case DECNET
and DECNET respectively) are then passed to LOGINOUT to validate them
against the *REAL* information contained in SYSUAF.DAT.  If the
information matches, the access is allowed. If the information does not
match, the connecting user gets the following error messages: 

         Unable to connect to listner
         Login Information Invalid at Remote Node

                          --------

In order to correctly change your default network password so that your
system cannot be easily exploited by the current DECnet WORM, the
following 2 steps must be followed: 

1)  Change the password for user DECNET in SYSUAF.DAT:

        UAF> modify DECNET/Password=NEW_DECNET_PASSWORD

                               *NOTE*
           It is advisable at this time to check that
           certain other attributes of the DECNET user
           are properly set:

           The ONLY access method for this account should 
           be NETWORK. The BATCH, REMOTE, INTERACTIVE, 
           and DIALUP fields should all read "--no access--"

           The value of PRCLM should be set to ZERO. This is
           the number of (SPAWNed) sub-processes allowed.

           The flag LOCKPWD should be set. This prevents
           anyone but a privileged user from changing the
           password. The following command can be used:

      UAF> MOD DECNET/FLAGS=LOCKPWD/PRCLM=0/NOBATCH/NODIAL/NOINTER/NOREM/NETW


2) Change the password for DECNET in your network executor database:

        NCP> set exec nonprivileged password NEW_DECNET_PASSWORD
        NCP> define exec nonprivileged password NEW_DECNET_PASSWORD

The important thing to remember is that the password must be changed in
BOTH places, otherwise your network WILL break.  The worm is breaking
nodes by penetrating the DECNET account and changing only the UAF
password with the $SET PASSWORD command.  Because the NCP password is
left unchanged, the node no longer accepts INBOUND connections.
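
An added example (not part of the original advisory): a Python check over
captured NCP listings that flags an executor entry where the nonprivileged
password still equals the user id, and a volatile database that disagrees
with the permanent one.  It assumes the permanent listing (NCP LIST EXECUTOR
CHARACTERISTICS) uses the same field labels as the SHOW output above; the
sample text and the EXAMPLE_NEW_PW value are constructed.

```python
import re

# Constructed sample captures, in the layout of the SHOW output quoted above.
VOLATILE = """\
Node Volatile Characteristics as of 31-OCT-1989 11:02:23

Executor node = 6.133 (NSSDCA)

Identification           = DECnet-VAX V4.7,  VMS V4.7
Nonprivileged user id    = DECNET
Nonprivileged password   = DECNET
"""
# Constructed: only DEFINE was run, so the permanent copy holds the new value.
PERMANENT = VOLATILE.replace("Volatile", "Permanent").replace(
    "password   = DECNET", "password   = EXAMPLE_NEW_PW")

FIELD = re.compile(r"^\s*(Nonprivileged (?:user id|password))\s*=\s*(\S*)\s*$",
                   re.IGNORECASE | re.MULTILINE)

def parse_executor(text):
    """Return {'user id': ..., 'password': ...} from an NCP listing."""
    found = {}
    for name, value in FIELD.findall(text):
        found[name.lower().split(" ", 1)[1]] = value
    return found

def audit(volatile_text, permanent_text):
    """Return findings about the default nonprivileged access entry."""
    findings = []
    dbs = {"volatile": parse_executor(volatile_text),
           "permanent": parse_executor(permanent_text)}
    for label, db in dbs.items():
        user, pw = db.get("user id"), db.get("password")
        if user is None or pw is None:
            findings.append(f"{label}: nonprivileged user id/password not listed")
        elif user.upper() == pw.upper():
            findings.append(f"{label}: password equals user id ({user})")
    if dbs["volatile"] != dbs["permanent"]:
        findings.append("volatile and permanent databases differ; the running "
                        "value will be replaced at the next network start")
    return findings

if __name__ == "__main__":
    for line in audit(VOLATILE, PERMANENT) or ["no findings"]:
        print(line)
```

These listings show the password in clear text, so treat any capture as
sensitive.  The check cannot confirm that SYSUAF.DAT holds the same password;
as described above, a mismatch there appears as "Login Information Invalid at
Remote Node" on inbound connections.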

For more information, consult the VAX/VMS manuals:

   VMS V4.X - Volume 6 "Networking Manual"
   VMS V5.x - Volume 5A&5B "Guide to DECnet-VAX Networking"
---------------------------------------------------------------------------
Ron Tencati                           |   NCF::TENCATI /6277::TENCATI
SPAN Security Manager                 |   Tencati@Nssdca.gsfc.nasa.gov
NASA/Goddard Space Flight Center      |   (301)286-5223
Greenbelt, MD. USA                    |
---------------------------------------------------------------------------

Downloaded From P-80 International Information Systems 304-744-2253