Preventing VAX running VMS / Multinet from being used as SMTP relay

Peter Coghlan cctalk at beyondthepale.ie
Thu Dec 7 05:12:01 CST 2017


Paul Koning wrote:
>
> > On Dec 2, 2017, at 5:48 AM, Doug Jackson via cctech <cctech at classiccmp.org> wrote:
> > 
> > Camiel,
> > 
> > Without sounding super negative (my day job as a security consultant let's
> > me do that  enough...)  I would be especially wary of connecting anything
> > with a 10 year old stack to the modern internet.  The range of automatic
> > attacks based on what the state of the OS was when it was last patched is
> > staggering.
>
> That's true to a point.  On the other hand, many attacks require that the
> machine is running on Intel instruction set hardware, and most of them also
> depend on the OS being Windows.
>
> While bugs happen, the level of security competence applied by VMS
> engineering is quite high compared to the usual "hack it till it no longer
> crashes" practice seen all too often nowadays.  That applies especially to
> network protocol implementations.
>
> If the issue is design defects in the protocol specifications, such as may
> be found in various revisions of SSL, then having a good OS is not a
> complete answer.  Even there, it can help; for example, I suspect that the
> "heartbreak" attack on older SSL stacks, if it were operable on VMS,
> wouldn't get you very far because of OS and instruction set differences.
> Certainly script kiddy attacks would not work.
>

Security is very good on VMS, however, the Bind DNS server code for example
is dropped more or less as-is into products like TCP/IP Services for VMS and
Multinet.  This brings in a bunch of vulnerabilities common to all other
platforms running this code.  Attempting to exploit these vulnerabilities is
unlikely to gain any access to the host VMS system they are running on but
there is no defence against vulnerabilities which target systems other than
the host system over the network with denial of service attacks and there are
lots of these vulnerabilities.  They are only fixed, worked around or whatever
in relatively recent versions of Bind and therefore only in relatively recent
versions of TCP/IP Services for VMS and Multinet.  Similar issues may well
exist with other TCP/IP servers running on VMS.

There is no use in thinking that the bad guys will never find my one little old
server which runs only occasionally and is tucked away in my corner of the
internet either.  They can and they will, just like the spammers can sniff out
the most obscure open mail relays and they continue to look for them long
after any sane person would persist.  I see attempts to exploit various kinds
of vulnerability all the time on my VMS systems and many would succeed in
causing grief to others on the internet if I did not keep an eye on recent
vulnerabilities in the TCP/IP software I am running and keep patchlevels up to
date.

Whatever about vulnerabilities of our classic computer systems themselves,
can we please ensure that what is just a hobby for most of us is not
inadvertently causing problems for others on the internet?

Regards,
Peter Coghlan.

>	paul


More information about the cctalk mailing list