MCI Telecommunications
internetMCI Security Group

Report Name:            iMCI MIIGS Security Alert
Report Number:          iMCISE:IMCICERT:091896:01:P1R1
Report Date:            09/18/96
Report Format:          Formal
Report Classification:  MCI Informational
Report Reference:       http://www.security.mci.net
Report Distribution:    iMCI Security, MCI Internal Internet Gateway Security
                        (MIIGS), MCI Emergency Alert LiSt (MEALS)
                        (names on file)
-------------------------------------------------------------------------------

=============================================================================
CERT(sm) Vendor-Initiated Bulletin VB-96.16
September 17, 1996

Topic:  Solaris AFS/DFS Integrated login bug if user is in too many groups
Source: Transarc Corp.

To aid in the wide distribution of essential security information, the
CERT Coordination Center is forwarding the following information from
Transarc Corp. Transarc urges you to act on this information as soon as
possible. Transarc contact information is included in the forwarded text
below; please contact them if you have any questions or need further
information.

=======================FORWARDED TEXT STARTS HERE============================

----------------------------------------------------------------------
Topic:  Solaris AFS/DFS Integrated login bug if user is in too many groups
Source: Transarc Corp.
--------------------------------

Problem: Vulnerability in Transarc DCE Integrated login for sites running DFS

I.   Description

     On systems running the DCE Distributed File System (DFS), users
     placed in more than NGROUPS_MAX-1 (usually 15) groups in the DCE
     registry and in /etc/group will have an incorrect grouplist upon
     login. For systems running both AFS and DFS, this limit is reduced
     to NGROUPS_MAX-3 (13).

     The vulnerability is caused by a change in the setgroups(2) system
     call under DFS, which can cause it to fail when passed a large set
     of supplementary groups. Thus, it can cause problems in
     non-Transarc-supplied programs which use setgroups(2) if they do not
     handle error conditions correctly.

     Vulnerable products include Transarc DCE and DFS 1.1 for Solaris 2.4
     and Solaris 2.5.

     This vulnerability is not present on sites not running DFS (even if
     they are running AFS).

II.  Impact

     Users with accounts on the system may gain unauthorized access to
     resources. Access to resources controlled by DCE/DFS is unaffected,
     as the DCE PAC is correct.

     Users without accounts on the system cannot take advantage of this
     vulnerability.

III. Solution

     The following patches are available from Transarc:

          DCE/DFS 1.1 for Solaris 2.4: patch 22
          DCE/DFS 1.1 for Solaris 2.5: patch 2

     A workaround is possible as well: simply ensure that no user is
     listed in more than NGROUPS_MAX-3 groups in /etc/group (including
     the user's primary group, which may not appear in /etc/group). With
     this workaround, only the primary group and groups which appear in
     /etc/group will appear in the grouplist upon login.

     Contact Transarc customer support by telephone at 412-281-5852 or
     via email (dfs-help@transarc.com) for additional information or
     questions.

IV.  Other Platform Impact

     HP has advised that this problem does not affect the HP product.
     IBM has advised that this problem does not affect the IBM product.

========================FORWARDED TEXT ENDS HERE=============================

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org

CERT is a service mark of Carnegie Mellon University.

This file: ftp://info.cert.org/pub/cert_bulletins/VB-96.16.transarc

===============================================================
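
The workaround in section III can be checked mechanically. The following Python audit is an added example, not part of the Transarc or CERT text: it counts each user's groups (primary GID from passwd plus memberships in group) and reports anyone above NGROUPS_MAX-3. Assumptions: NGROUPS_MAX defaults to 16 (the bulletin gives NGROUPS_MAX-1 as "usually 15"), only local files are examined and not the DCE registry, and the function names and sample data are constructed for illustration.

```python
"""Audit local group membership against the bulletin's NGROUPS_MAX-3 workaround."""
import os
from collections import defaultdict

NGROUPS_MAX = 16  # assumption: the bulletin gives NGROUPS_MAX-1 as "usually 15"

# Constructed sample data (not from the bulletin): alice holds 14 groups, bob exactly 13.
SAMPLE_PASSWD = ("alice:x:1001:100::/home/alice:/bin/sh\n"
                 "bob:x:1002:100::/home/bob:/bin/sh\n")
SAMPLE_GROUP = "staff::100:alice\n" + "".join(
    f"proj{i}::{200 + i}:alice{',bob' if i <= 12 else ''}\n" for i in range(1, 14))


def group_membership(passwd_text, group_text):
    """Map each user to the set of GIDs held: primary GID plus /etc/group entries."""
    gids = defaultdict(set)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[3].isdigit():
            # The primary group counts even when /etc/group does not list the user.
            gids[fields[0]].add(int(fields[3]))
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue  # skip blank, comment and malformed lines
        for user in filter(None, (u.strip() for u in fields[3].split(","))):
            # A set keeps a primary group that is also listed from counting twice.
            gids[user].add(int(fields[2]))
    return gids


def users_over_limit(passwd_text, group_text, ngroups_max=NGROUPS_MAX):
    """Return {user: group_count} for users in more than ngroups_max - 3 groups."""
    limit = ngroups_max - 3
    members = group_membership(passwd_text, group_text)
    return {user: len(g) for user, g in members.items() if len(g) > limit}


if __name__ == "__main__":
    # On a live host, read the real files and the kernel's actual limit.
    with open("/etc/passwd") as p, open("/etc/group") as g:
        over = users_over_limit(p.read(), g.read(), os.sysconf("SC_NGROUPS_MAX"))
    for user, count in sorted(over.items()):
        print(f"{user}: {count} groups exceeds the workaround limit")
```

Users that exist only in /etc/group (for example, accounts served from a network name service) are counted by their listed memberships alone, so their totals may be one lower than the real figure.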