Discussion:
Potential multiple architecture vulnerability question
Simon Clubley
2017-01-03 20:27:15 UTC
Given that normal HPE VMS Alpha support has now ended, I have
a question:

Assume a potential multiple architecture security issue was found
by a security researcher but they only had access to Alpha and VAX
based systems and not IA64 (due to, say, emulator availability).

Further assume the researcher submits the proven Alpha security
issue to HPE but without any direct evidence that IA64 was affected.
They do however warn HPE that IA64 _may_ also be affected.

Question: would HPE evaluate the security issue against an IA64
system or would the issue be rejected out of hand by HPE simply
because it was only demonstrated on Alpha ?

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
David Froble
2017-01-04 01:50:21 UTC
Post by Simon Clubley
Given that normal HPE VMS Alpha support has now ended, I have
Assume a potential multiple architecture security issue was found
by a security researcher but they only had access to Alpha and VAX
based systems and not IA64 (due to, say, emulator availability).
Further assume the researcher submits the proven Alpha security
issue to HPE but without any direct evidence that IA64 was affected.
They do however warn HPE that IA64 _may_ also be affected.
Question: would HPE evaluate the security issue against an IA64
system or would the issue be rejected out of hand by HPE simply
because it was only demonstrated on Alpha ?
Simon.
Jezzz Simon, that's an easy one. HPE doesn't care. Any excuse will be used.

They would probably also insist the "security researcher" (script kiddy /
hacker) first prove it on the itanic.

With VSI now developing VMS, why would your "hacker" even submit anything to HPE?
Simon Clubley
2017-01-04 14:08:14 UTC
Post by David Froble
Jezzz Simon, that's an easy one. HPE doesn't care. Any excuse will be used.
They would probably also insist the "security researcher" (script kiddy /
hacker) first prove it on the itanic.
Yes, I suspect as much. All you can do then is to make it clear to
HPE at the time of submission that you are providing the information
under the responsible disclosure protocols and that the security
issue will become public knowledge regardless of whether HPE do
something or not.

If, after the security issue becomes public, it turns out to affect
IA64 then HPE can deal with the fallout from the IA64 customers
whose systems now have a public vulnerability for which HPE have not
produced a patch.

After a couple of rounds of that, I suspect HPE will be forced to
change their tune.
Post by David Froble
With VSI now developing VMS, why would your "hacker" even submit anything to HPE?
Because there are probably a lot more HPE VMS customers than VSI VMS
customers and both sets of customers may well be equally impacted by
the security issue.

It's not the new upcoming customers you need to think about with
security issues; it's the existing customer base you need to think
about.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
Bob Gezelter
2017-01-04 02:23:48 UTC
Post by Simon Clubley
Given that normal HPE VMS Alpha support has now ended, I have
Assume a potential multiple architecture security issue was found
by a security researcher but they only had access to Alpha and VAX
based systems and not IA64 (due to, say, emulator availability).
Further assume the researcher submits the proven Alpha security
issue to HPE but without any direct evidence that IA64 was affected.
They do however warn HPE that IA64 _may_ also be affected.
Question: would HPE evaluate the security issue against an IA64
system or would the issue be rejected out of hand by HPE simply
because it was only demonstrated on Alpha ?
Simon.
--
Microsoft: Bringing you 1980s technology to a 21st century world
Simon,

I essentially agree with David.

If I were to identify a vulnerability in OpenVMS Alpha, I would certainly be inclined to check it on IA-64.

If for some reason, I was not able to check it myself on IA-64, I would notify the OpenVMS Engineering Team at VSI. I would take care to identify what I knew and what I suspected.

Of course, if one wants to be more discreet than email, there is always Registered Mail or one of the Overnight services (e.g., UPS, FedEx). For addressee on such a package, I would specify Sue Skonetski, Clair Grant, or Jim Janetos (all of whom are well known on comp.os.vms).

- Bob Gezelter, http://www.rlgsc.com
Simon Clubley
2017-01-04 14:15:50 UTC
Post by David Froble
Simon,
I essentially agree with David.
If I were to identify a vulnerability in OpenVMS Alpha, I would certainly be
inclined to check it on IA-64.
If for some reason, I was not able to check it myself on IA-64, I would
notify the OpenVMS Engineering Team at VSI. I would take care to identify
what I knew and what I suspected.
I have access to VAX and Alpha systems mainly via emulators and the
odd physical box but I don't have an IA64 system because there are
no full system IA64 emulators available.
Post by David Froble
Of course, if one wants to be more discreet than email, there is always
Registered Mail or one of the Overnight services (e.g., UPS, FedEx). For
addressee on such a package, I would specify Sue Skonetski, Clair Grant,
or Jim Janetos (all of whom are well known on comp.os.vms).
No one will do _that_ these days, myself included. :-) That's why
companies are expected to have a public facing and secure security
reporting mechanism in place.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
IanD
2017-01-04 04:53:30 UTC
I guess it depends on the professionalism of what is left within HPE ?

MS for example I believe produced Windows XP security releases well after XP was out of support. Security is one of those things that, if you are shown to not give a damn, comes back to bite you hard.

HPE may do the same in regards to at least notifying VSI that a major security hole was found, or they may still have special contracts in place to keep producing security releases? I don't know, but I assume there might be customers out there willing to stump up the cash for such special support?

Who knows for sure? HPE of late has certainly turned its back more on VMS than it has in the past. I guess it depends on what the devil in the detail is in regards to the contract HPE and VSI signed together?
Bob Gezelter
2017-01-04 10:52:34 UTC
Post by IanD
I guess it depends on the professionalism of what is left within HPE ?
MS for example I believe produced Windows XP security releases well after XP was out of support. Security is one of those things that, if you are shown to not give a damn, comes back to bite you hard.
HPE may do the same in regards to at least notifying VSI that a major security hole was found, or they may still have special contracts in place to keep producing security releases? I don't know, but I assume there might be customers out there willing to stump up the cash for such special support?
Who knows for sure? HPE of late has certainly turned its back more on VMS than it has in the past. I guess it depends on what the devil in the detail is in regards to the contract HPE and VSI signed together?
Ian,

"'Tis many a slip between the cup and the lip." In theory, the escalation path for a supported customer should work properly and Engineering should get notified. However, this is not always the case. Additionally, as you have noted, researchers may not be working on a system with a support contract, or may be working on a system with a support contract but have no pathway to place a support call.

For normal, non-security issues, comp.os.vms often presents a good way to clear one's understanding. Some problems are bugs, other problems represent a misunderstanding of the documentation or an example.

Security issues are a different category. If one identifies a vulnerability, a public call for verification is probably not the best idea. Here, there are essentially two choices: 1) notify those actually responsible for the product (VSI); or 2) arrange for someone technically qualified to privately verify the research.

The preceding is the advice I would dispense at the present time. To be clear, it is the same advice I would have given when DIGITAL was in its heyday. The course of action is driven not by HP, but by the particular challenges of security problems.

- Bob Gezelter, http://www.rlgsc.com
Simon Clubley
2017-01-04 14:20:42 UTC
Post by IanD
I guess it depends on the professionalism of what is left within HPE ?
MS for example I believe produced Windows XP security releases well after XP was out of support. Security is one of those things that, if you are shown to not give a damn, comes back to bite you hard.
HPE may do the same in regards to at least notifying VSI that a major
security hole was found, or they may still have special contracts in place to
keep producing security releases? I don't know, but I assume there might be
customers out there willing to stump up the cash for such special support?
HPE-based VMS IA64 contract support doesn't expire for several years yet;
it's only the normal Alpha support which has now expired.

That means HPE are obliged to produce patches for their IA64 customers
if a security issue is proven to exist on IA64. My question was based
around if HPE would regard proof of vulnerability on Alpha as meaning
it was worth them exploring the issue on IA64.

Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world