We will try and keep these pages up to date
Copyright 1995 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included.
To aid in the wide distribution of essential security information, the CERT Coordination Center is forwarding the following information from the Open Software Foundation. OSF urges you to act on this information as soon as possible. OSF contact information is included in the forwarded text below; please contact them if you have any questions or need further information.
It has been discovered that OSF/DCE security has a flawed aliasing mechanism in its registry that can potentially yield a less secure DCE cell.
Multiple administrators in a DCE cell (i.e., principals with the privileges required to create principals and accounts within the DCE registry), some of which are intended to be less trusted than the cell administrator (e.g., principals intended to be restricted to create principals and accounts only within a subset of DCE registry name space), cannot be prevented from acquiring full privileges of the cell administrator. Due to a flaw in the DCE security registry such less privileged administrators are able to gain full privileges by creating an alias to the cell administrator. The security server grants an alias principal full rights of the principal it is aliased to.
DCE security registry principals are generally not allowed to create accounts. Only an account designated as some type of administrator, by explicitly creating ACL entries for that principal, allows it to do things to the registry that normal users are not allowed to do, that is, create principals and accounts in a certain part of the security name space. In OSF/DCE as it ships, only cell_admin is given such privileges. To that effect, the DCE cell administrator can prevent any loss of security by following the guidelines described below.
This security hole has existed in all releases of OSF/DCE todate. To avoid the problem in releases prior to OSF/DCE 1.1, the DCE cell administrators should not explicitly give registry administration rights to principals that would not otherwise have access to the cell administrator account itself. As distributed by OSF, only cell_admin is given such rights.
OSF is in the process of providing a fix for this defect to DCE 1.1 support licensees for them to apply to their DCE 1.1 based products. The end-users may ask their DCE vendors for such a fix. All future releases of OSF/DCE will have this fix incorporated.
If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise that the e-mail be encrypted. The CERT Coordination Center can support a shared DES key, PGP (public key available via anonymous FTP on info.cert.org), or PEM (contact CERT staff for details). Internet e-mail: cert@cert.org Telephone: +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax: +1 412-268-6989 Postal address: CERT Coordination Center , Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890, USA. CERT advisories and bulletins are posted on the USENET news group comp.security.announce. If you would like to have future advisories and bulletins mailed to you or to a mail exploder at your site, please send mail to cert-advisory-request@cert.org. Past CERT publications, information about FIRST representatives, and other information related to computer security are available by anonymous FTP from info.cert.org.
Thanks for visiting DataSure's CERT Advisory Pages. As the pages are developed further we hope to provide more, so please bear with us during the ongoing development process.
For more information on DataSure Services's products and services, please send e-mail to mackinnn@datasure.com phone us at ( 604) 598-6831, 1-800-598-6831, or FAX your request to (604) 598-6841. If you have problems or comments concerning our WWW service, please send e-mail to the above address.
This page has been accessed times.
Victoria, B.C. local time is Tuesday, 07-Feb-2012 11:47:30 PST
This page last modified Thursday, 15-Nov-2001 17:07:27 PST
This page, and all contents, are Copyright (C) 1996 by DataSure Services , Victoria, Canada.