PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER (ISSO), SPECIAL SECURITY OFFICER (SSO), INFORMATION RESOURCE MANAGER (IRM) AND AUTOMATED DATA PROCESSOR (ADP) COORDINATORS

U-1,236/DS-SIM (DCPO)

SUBJ: VULNERABILITIES IN SAS*(R) SYSTEM RELEASE 5.18 FOR VAX/VMS (AUTOMATED SYSTEMS SECURITY INCIDENT SUPPORT TEAM (ASSIST) 92-43)

1. ASSIST HAS LEARNED OF A VULNERABILITY IN SAS SYSTEM RELEASE 5.18 DISTRIBUTED IN 1988 FOR THE VAX/VMS OPERATING SYSTEM. INSTALLATION OF SAS SYSTEM 5.18 WILL INCORRECTLY SET PROTECTIONS ON DIRECTORIES [000000]SAS518.DIR AND [SAS518]TOOLS.DIR, AS WELL AS ITS STARTUP FILE [SAS518.TOOLS]SAS518.COM. THESE INCORRECT SETTINGS COULD RESULT IN AN UNPRIVILEGED USER GAINING ALL PRIVILEGES. LATER RELEASES (6 AND ABOVE) DO NOT HAVE THIS PROBLEM. RELEASE 5.18 IS STILL IN USE AND SUPPORTED BY THE SAS INSTITUTE.

2. ISSUE THE FOLLOWING COMMANDS FROM THE SYSTEM ACCOUNT:

    $ SET PROTECTION=(S:RWE,O:RWE,G:RE,W:RE) DISK_NAME:[000000]SAS518.DIR
    $ SET PROTECTION=(S:RWED,O:RWED,G:RE,W:RE) SAS$ROOT:[000000...]*.*;*

SAS HAS SENT AN ADVISORY NOTICE CONCERNING THIS VULNERABILITY TO SUPPORTED SAS INSTALLATIONS. THE PROBLEM IS ALSO DOCUMENTED BY SAS NOTE SYS.INST-V5722I. YOU CAN ALSO DISCUSS THIS PROBLEM WITH SAS BY CALLING THE TECHNICAL SUPPORT LINE, 919-677-8008, AND ASKING FOR A VMS CONSULTANT (9 TO 5 EASTERN TIME).

3. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM (202) 373-8852/55 OR DSN 243-8852/55. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER (800) SKY-PAGE, PIN NUMBER 2133937 (FROM A TOUCH TONE PHONE ENTER THE CALL BACK NUMBER AFTER THE PROMPT) OR AUTOVON DIAL 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT@DDN-CONUS.DDN.MIL."
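
A check to run after the commands in paragraph 2, added here as an example and not part of the ASSIST message or the SAS notice: it compares a file's protection mask with the masks the advisory sets and reports any access granted beyond them. The observed masks in SAMPLE are constructed (the advisory does not state what the installer sets), and the function names and the accepted long-form class names are assumptions of this example.

```python
# Added example: audit VMS protection masks against paragraph 2 of the advisory.
CLASSES = {"S": "S", "SYSTEM": "S", "O": "O", "OWNER": "O",
           "G": "G", "GROUP": "G", "W": "W", "WORLD": "W"}

# Masks taken from the two SET PROTECTION commands in paragraph 2.
BASELINE_DIR = "S:RWE,O:RWE,G:RE,W:RE"
BASELINE_TREE = "S:RWED,O:RWED,G:RE,W:RE"


def parse_mask(text):
    """Parse 'S:RWE,O:RWE,G:RE,W:RE' (or SYSTEM=RWE, ..., WORLD) into sets."""
    mask = {c: set() for c in "SOGW"}
    for field in text.strip().strip("()").split(","):
        field = field.strip().upper().replace("=", ":")
        if not field:
            continue
        name, _, rights = field.partition(":")
        cls = CLASSES.get(name.strip())
        if cls is None:
            raise ValueError(f"unknown user class: {name!r}")
        rights = rights.strip()
        if set(rights) - set("RWED"):
            raise ValueError(f"unknown access type in {field!r}")
        mask[cls] = set(rights)  # a class with no rights listed gets none
    return mask


def excess_access(observed, baseline):
    """Return {class: rights} that observed grants and baseline does not."""
    obs, base = parse_mask(observed), parse_mask(baseline)
    return {c: "".join(r for r in "RWED" if r in obs[c] - base[c])
            for c in "SOGW" if obs[c] - base[c]}


def audit(entries):
    """entries: (path, observed mask, baseline). Returns offending paths."""
    return {path: extra for path, observed, baseline in entries
            if (extra := excess_access(observed, baseline))}


# Constructed observations for the three objects named in paragraph 1.
SAMPLE = [
    ("DISK_NAME:[000000]SAS518.DIR", "S:RWE,O:RWE,G:RE,W:RWE", BASELINE_DIR),
    ("SAS$ROOT:[SAS518]TOOLS.DIR", "S:RWED,O:RWED,G:RE,W:RE", BASELINE_TREE),
    ("SAS$ROOT:[SAS518.TOOLS]SAS518.COM", "(S:RWED,O:RWED,G:RWED,W:RE)",
     BASELINE_TREE),
]

if __name__ == "__main__":
    for path, extra in audit(SAMPLE).items():
        print(f"{path}: access beyond advisory mask {extra}")
```

Write or delete access for GROUP or WORLD on the startup file or its directories is the condition to look for, since the advisory's masks leave those classes with read and execute only.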