Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Antique Systems :: ciacb18.txt

CIAC # B18 IBM MVS Security Problem with TSO Reconnect Facility




        _____________________________________________________

             The Computer Incident Advisory Capability

                         ___  __ __    _     ___

                        /       |     / \   /

                        \___  __|__  /___\  \___

        _____________________________________________________

                         Information Bulletin



March 11, 1991, 1330 PST                                     Number B-18



               MVS Security Problem with TSO Reconnect Facility 

________________________________________________________________________

PROBLEM:  MVS security problem with TSO Reconnect Facility 

PLATFORM: IBM MVS systems running TSO

DAMAGE:  Allows unintended reconnect to TSO address space from a

different term inal without appropriate terminal check or address space

modification 

SOLUTIONS: IBM is working on a permanent solution, but an interim

workaround is to set reconnect time (RECONLIM) to 0 in SYS1.PARMLIB

(TSOKEYxx) 

IMPACT OF WORKAROUND:  Disallows the use of the TSO Reconnect Facility

for all users

_______________________________________________________________________

                 Critical TSO Reconnect Facility Information



CIAC has learned of a potential problem that exists in some IBM MVS

systems.  This potential problem exists in MVS systems that support

TSO (Time Sharing Option) and a security package (e.g., RACF), and

also use special groups to grant access to information only at

designated locations (terminals).  If uncorrected, this problem may

allow a user to reconnect to a previous session without resetting the

special group information.  This may allow someone to bypass a

security feature that is designed to limit the access to sensitive

files to a particular set of terminals.  Note that user IDs and

passwords are still required to reconnect a session using the TSO

Reconnect Facility.  The problem, therefore, cannot result in

unauthorized access to systems.



IBM is aware of this problem, and is working toward a permanent

solution.  An interim workaround has been devised.  When the RECONLIM

parameter in the SYS1.PARMLIB(TSOKEYxx)* file is set to zero, any

given TSO session will immediately time-out and not allow the

reconnect facility to be activated.  This will prevent a user from

disconnecting and using the Reconnect Facility to resume the session

at a later time.  Only the Reconnect Facility address space will be

modified.  No other address spaces will be affected by this change.



For additional information or assistance, please contact CIAC:   

 

        Tom Longstaff

        (415) 423-4416 or (FTS) 543-4416, or



        Call CIAC at (415) 422-8193 or (FTS) 532-8193 or 

        send e-mail to ciac@cheetah.llnl.gov.  

    

        Send FAX messages to:  (415) 423-0913 or (FTS) 543-0913

_____

* - The TSOKEY is delivered from IBM with the version TSOKEY00, but

many sites have modified this to be some other number, for example

TSOKEY01.  The RECONLIM parameter should be modified in the appropriate

SYS1.PARMLIB file used during the system IPL (Initial Program Load).



Tim Harrington provided information contained in this bulletin.  This

document was prepared as an account of work sponsored by an agency of

the United States Government. Neither the United States Government nor

the University of California nor any of their employees, makes any

warranty, express or implied, or assumes any legal liability or

responsibility for the accuracy, completeness, or usefulness of any

information, apparatus, product, or process disclosed, or represents

that its use would not infringe privately owned rights. Reference

herein to any specific commercial products, process, or service by

trade name, trademark, manufacturer, or otherwise, does not necessarily

constitute or imply its endorsement, recommendation or favoring by the

United States Government or the University of California. The views and

opinions of authors expressed herein do not necessarily state or

reflect those of the United States Government or the University of

California, and shall not be used for advertising or product

endorsement purposes.





TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH