--- "Hughes, Jim - OIT" <[EMAIL PROTECTED]> wrote:

> One of the management types near me is concerned about TCPIP
> "buffer overrun security exposure" on our ZVM 5.2 Z890 system.
>
> I am not an expert with windows and linux tcpip security
> exposures. The management type is windows and linux fluent.
>
> Should I be concerned with buffer overrun security exposures?

Despite what others say, I personally have seen buffer run security exposures in the VSCS SNA console support in VM, where it was possible for one user to see another's console buffers, so exposing passwords. The problem was, I believe, in VM/SP4 (might have been 5), so it's a very long time ago, and once identified it was quickly fixed, but it was there. I don't remember the exact nature of the problem, but it was similar to an IP buffer run type issue as it involved passing illegal lengths to the SNA *CCS service. We found it whilst developing X.25 support. So buffer runs are possible on the mainframe.

> If I should not be concerned, how would I go about giving
> comfort to the concerned management types?
>

As others have pointed out, the zVM architecture is different to Linux and Windows. I think the following should serve:-

1) zVM is less susceptible to such attacks.

Whilst the possibility exists, for many reasons such attacks on zVM are very unlikely. One big reason is not many hackers have a mainframe and a copy of zVM. Unlike Linux, which can be got for free, or Windows, which is legally available for minimal fee, zVM is harder to obtain... This is borne out by looking at known issues. Checking the C.E.R.T. vulnerability database, there are no warnings posted for zVM (or any other variant of VM) that I could find. Note there are C.E.R.T. warnings for MVS, due to the use of ported UNIX software:-

http://www.kb.cert.org/vuls/id/AAMN-5L4Q2J

So again this shows buffer runs may be possible on zVM. There was also a CERT for Oracle on VM (does this still exist?) which appears also to have similar issues.

2) Given an attack, the window that is opened is smaller.

The consequences of a buffer over run in zVM are generally less serious than in Linux/Windows/MVS.
In effect each virtual machine runs in a very stout "sandbox". Whilst these machines may have additional privileges, it's not like on Linux or Windows where the daemons may run with effectively "root" permissions, and so if a hacker can inject code they can control the machine. On zVM they only gain control of the affected VM. They can't inject code into the "real" OS (CP). So for example if they compromise a web server they can still only see the web server's mini disks (you don't put web servers on SFS, do you?), not the whole file store as with Windows or Linux... I guess at this point you could say you will review what rights the service machines have...

3) Mainframes are generally better isolated from the internet.

From what I have seen, many folks don't put their mainframe near the internet. They open only a few ports. Much more secure.

> Thanks.
>

Hope that does not give you VMers too many sleepless nights.

> _______________________
> Jim Hughes
> 603-271-5586
> "Impossible is just an opinion."
>

Dave.