Just looking at this week's list of kernel updates and noticed this very
interesting item tucked in there:

Davide Ornaghi discovered that the DECnet network protocol implementation
in the Linux kernel contained a null pointer dereference vulnerability. A
remote attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. Please note that kernel support for the
DECnet has been removed to resolve this CVE. (CVE-2023-3338)

I can't tell if this is a good or a bad thing.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."

On Oct 6, 2023, Scott Dorsey wrote
(in article <ufpc1h$cql$1@panix2.panix.com>):

> Just looking at this week's list of kernel updates and noticed this very
> interesting item tucked in there:
>
> Davide Ornaghi discovered that the DECnet network protocol implementation
> in the Linux kernel contained a null pointer dereference vulnerability. A
> remote attacker could use this to cause a denial of service (system crash)
> or possibly execute arbitrary code. Please note that kernel support for the
> DECnet has been removed to resolve this CVE. (CVE-2023-3338)
>
> I can't tell if this is a good or a bad thing.
> --scott

The DECnet protocol was removed from all forward development starting with
with Kernel 6.1.x. This appears to be the removal from long term support
kernels.

John.

On 10/6/2023 12:18 PM, Scott Dorsey wrote:
> Just looking at this week's list of kernel updates and noticed this very
> interesting item tucked in there:
>
> Davide Ornaghi discovered that the DECnet network protocol implementation
> in the Linux kernel contained a null pointer dereference vulnerability. A
> remote attacker could use this to cause a denial of service (system crash)
> or possibly execute arbitrary code. Please note that kernel support for the
> DECnet has been removed to resolve this CVE. (CVE-2023-3338)
>
> I can't tell if this is a good or a bad thing.

Probably an insignificant thing.

There may still be a big part of VMS users that use DECnet
for VMS - VMS comm, but I cannot imagine many using DECnet
for VMS - Linux comm.

Arne

On 2023-10-06, Scott Dorsey <kludge@panix.com> wrote:
> Just looking at this week's list of kernel updates and noticed this very
> interesting item tucked in there:
>
> Davide Ornaghi discovered that the DECnet network protocol implementation
> in the Linux kernel contained a null pointer dereference vulnerability. A
> remote attacker could use this to cause a denial of service (system crash)
> or possibly execute arbitrary code. Please note that kernel support for the
> DECnet has been removed to resolve this CVE. (CVE-2023-3338)
>
> I can't tell if this is a good or a bad thing.

Removing it is a very good thing. The sooner all trace of that protocol
is removed from everything, especially in today's security environment,
the better.

BTW, as a reminder, these are the, erm, "strange" features I found in the
VMS DECnet stack when I gave it a quick inspection a couple of years ago:

https://groups.google.com/g/comp.os.vms/c/Bjp0hRkSnh4

I never heard anything final back from VSI, so I don't know if they have
fixed any of them.

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

On Friday, October 6, 2023 at 9:59:48 AM UTC-7, Arne Vajhøj wrote:

(snip)

> There may still be a big part of VMS users that use DECnet
> for VMS - VMS comm, but I cannot imagine many using DECnet
> for VMS - Linux comm.

There might be some compuarchaologists (that is, people running
ancient computers) out there. They will be happy to run the older
versions of Linux.

Likely on their 80486 host and 10 megabit Ethernet.

On 10/6/23 12:18, Scott Dorsey wrote:
> Just looking at this week's list of kernel updates and noticed this very
> interesting item tucked in there:
>
> Davide Ornaghi discovered that the DECnet network protocol implementation
> in the Linux kernel contained a null pointer dereference vulnerability. A
> remote attacker could use this to cause a denial of service (system crash)
> or possibly execute arbitrary code. Please note that kernel support for the
> DECnet has been removed to resolve this CVE. (CVE-2023-3338)
>
> I can't tell if this is a good or a bad thing.

It was, of course, a bad thing.

But the problem has been addressed. John Forecast has released his
DECnet for Linux stack, based on the original, with a great many fixes,
and many changes to reduce its dependency on moving-target kernel APIs.

https://github.com/JohnForecast/LinuxDECnet

We're testing it here, and so far it works well, and not on ancient
Linux. We're testing it with Ubuntu 22.04 in a VM under SmartOS.

-Dave

--
Dave McGuire, President/Curator
Large Scale Systems Museum
New Kensington, PA

On Wed, 08 Nov 2023 11:29:33 -0500, Dave McGuire wrote:

> On 10/6/23 12:18, Scott Dorsey wrote:
>> Just looking at this week's list of kernel updates and noticed this
>> very interesting item tucked in there:
>>
>> Davide Ornaghi discovered that the DECnet network protocol
>> implementation in the Linux kernel contained a null pointer dereference
>> vulnerability. A remote attacker could use this to cause a denial of
>> service (system crash) or possibly execute arbitrary code. Please note
>> that kernel support for the DECnet has been removed to resolve this
>> CVE. (CVE-2023-3338)
>>
>> I can't tell if this is a good or a bad thing.
>
> It was, of course, a bad thing.
>
> But the problem has been addressed. John Forecast has released his
> DECnet for Linux stack, based on the original, with a great many fixes,
> and many changes to reduce its dependency on moving-target kernel APIs.
>
> https://github.com/JohnForecast/LinuxDECnet
>
> We're testing it here, and so far it works well, and not on ancient
> Linux. We're testing it with Ubuntu 22.04 in a VM under SmartOS.

John Forecast! A name from the past! I met him at Essex University in
1974, and was later able to help him by giving him a copy of his own
source code from his Ph.D.

On Wednesday, November 8, 2023 at 8:29:37 AM UTC-8, Dave McGuire wrote:
> On 10/6/23 12:18, Scott Dorsey wrote:
> > Just looking at this week's list of kernel updates and noticed this very
> > interesting item tucked in there:
> >
> > Davide Ornaghi discovered that the DECnet network protocol implementation
> > in the Linux kernel contained a null pointer dereference vulnerability. A
> > remote attacker could use this to cause a denial of service (system crash)
> > or possibly execute arbitrary code. Please note that kernel support for the
> > DECnet has been removed to resolve this CVE. (CVE-2023-3338)
> >
> > I can't tell if this is a good or a bad thing.
> It was, of course, a bad thing.
>
> But the problem has been addressed. John Forecast has released his
> DECnet for Linux stack, based on the original, with a great many fixes,
> and many changes to reduce its dependency on moving-target kernel APIs.
>
> https://github.com/JohnForecast/LinuxDECnet
>
> We're testing it here, and so far it works well, and not on ancient
> Linux. We're testing it with Ubuntu 22.04 in a VM under SmartOS.
>
> -Dave
>
> --
> Dave McGuire, President/Curator
> Large Scale Systems Museum
> New Kensington, PA

So you're saying that DECnet belongs in a (computer) museum? That sounds about right. :)

Coincidentally, I was thinking this morning about how I have no interest in setting up either version of DECnet on my x86-64 VMS VM, and wondering how many VMS shops are still using it, and how increasingly difficult it must be for them to route those non-TCP/IP packets. I was also thinking about the exploitable bugs that Simon had posted about discovering, at least in Phase IV, and concerned about how many of those must be still lurking in the code.

I went through a DECnet and VMScluster phase about 10 years ago, when I had two VAXstations and two Alphas, but hadn't bought the Itanium rx2620 blades yet. If I were interested in old versions of VAX/VMS or any of the pre-VAX Digital OS's, it'd still be useful for that. I do know, thanks to YouTuber moshix, that there's a hobbyist global DECnet network called HECnet, along with a hobbyist version of BITNET called HNET.

BITNET/HNET uses IBM's Network Job Entry (NJE) protocol, and HNET has some emulated VAX/VMS systems on it as well as the MVS 3.8j OS that everyone emulates in Hercules because it's the last version that isn't copyright restricted. There's an old commercial app called JNET that allows VAX/VMS to talk to mainframes via TCPNJE. I found a blog post on setting it all up, "VAX/VMS 4.7 with DECnet link to HECnet and IBM Mainframe TCPNJE link to HNET using JNET":

https://supratim-sanyal.blogspot.com/2020/04/vaxvms-47-with-decnet-link-to-hecnet.html

"30-Oct-2023 Update: There is a VMS 4.7 Turnkey Distribution now available for a while from our Discord group. It includes everything and is available here."

"As a working example, JNET version 3.5 works on old VAX/VMS 4.7 operating system."