CERT Vendor-Initiated Bulletin VB-95:05 - OSF
CERT Bulletin
cert-advisory at cert.org
Fri Jul 21 20:51:37 UTC 1995
CERT Vendor-Initiated Bulletin VB-95:05
July 21, 1995
Topic: OSF/DCE Security Hole
Source: Open Software Foundation (OSF)
To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from the Open
Software Foundation. OSF urges you to act on this information as soon as
possible. OSF contact information is included in the forwarded text
below; please contact them if you have any questions or need further
information.
========================FORWARDED TEXT STARTS HERE============================
Advisory on OSF/DCE Security Hole
July 19, 1995
It has been discovered that OSF/DCE security has a flawed aliasing
mechanism in its registry that can potentially yield a less secure
DCE cell.
PROBLEM:
Multiple administrators in a DCE cell (i.e., principals with the
privileges required to create principals and accounts within the DCE
registry), some of which are intended to be less trusted than the
cell administrator (e.g., principals intended to be restricted to
create principals and accounts only within a subset of DCE registry
name space), cannot be prevented from acquiring full privileges of
the cell administrator. Due to a flaw in the DCE security registry
such less privileged administrators are able to gain full privileges
by creating an alias to the cell administrator. The security server
grants an alias principal full rights of the principal it is aliased
to.
DCE security registry principals are generally not allowed to create
accounts. Only an account designated as some type of administrator,
by explicitly creating ACL entries for that principal, allows it to
do things to the registry that normal users are not allowed to do,
that is, create principals and accounts in a certain part of the
security name space. In OSF/DCE as it ships, only cell_admin is
given such privileges. To that effect, the DCE cell administrator can
prevent any loss of security by following the guidelines described
below.
HOW TO AVOID:
This security hole has existed in all releases of OSF/DCE todate.
To avoid the problem in releases prior to OSF/DCE 1.1, the DCE cell
administrators should not explicitly give registry administration
rights to principals that would not otherwise have access to the
cell administrator account itself. As distributed by OSF, only
cell_admin is given such rights.
OSF is in the process of providing a fix for this defect to DCE 1.1
support licensees for them to apply to their DCE 1.1 based products.
The end-users may ask their DCE vendors for such a fix. All future
releases of OSF/DCE will have this fix incorporated.
**********************************************************************
OSF Systems Engineering
Open Software Foundation
11 Cambridge Center,
Cambridge, MA 02142
Telephone: +1 617 621 8990
E-mail: dce-support-admin at osf.org
=========================FORWARDED TEXT ENDS HERE=============================
CERT bulletins, CERT advisories, information about FIRST representatives, and
other information related to computer security are available for anonymous
FTP from info.cert.org.
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request at cert.org.
If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted. The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).
Internet email: cert at cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
and are on call for emergencies during other hours.
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA
CERT is a service mark of Carnegie Mellon University.
More information about the NANOG
mailing list