************************************************************************** Security Bulletin 9531 DISA Defense Communications System July 24, 1995 Published by: DISN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9510). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DISN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= Subject: CERT Vendor-Initiated Bulletin VB-95:05 - OSF Author: cert-advisory-request@cert.org at smtp Date: 7/21/95 8:36 PM CERT Vendor-Initiated Bulletin VB-95:05 July 21, 1995 Topic: OSF/DCE Security Hole Source: Open Software Foundation (OSF) To aid in the wide distribution of essential security information, the CERT Coordination Center is forwarding the following information from the Open Software Foundation. OSF urges you to act on this information as soon as possible. OSF contact information is included in the forwarded text below; please contact them if you have any questions or need further information. ========================FORWARDED TEXT STARTS HERE============================ Advisory on OSF/DCE Security Hole July 19, 1995 It has been discovered that OSF/DCE security has a flawed aliasing mechanism in its registry that can potentially yield a less secure DCE cell. PROBLEM: Multiple administrators in a DCE cell (i.e., principals with the privileges required to create principals and accounts within the DCE registry), some of which are intended to be less trusted than the cell administrator (e.g., principals intended to be restricted to create principals and accounts only within a subset of DCE registry name space), cannot be prevented from acquiring full privileges of the cell administrator. Due to a flaw in the DCE security registry such less privileged administrators are able to gain full privileges by creating an alias to the cell administrator. The security server grants an alias principal full rights of the principal it is aliased to. DCE security registry principals are generally not allowed to create accounts. Only an account designated as some type of administrator, by explicitly creating ACL entries for that principal, allows it to do things to the registry that normal users are not allowed to do, that is, create principals and accounts in a certain part of the security name space. In OSF/DCE as it ships, only cell_admin is given such privileges. To that effect, the DCE cell administrator can prevent any loss of security by following the guidelines described below. HOW TO AVOID: This security hole has existed in all releases of OSF/DCE todate. To avoid the problem in releases prior to OSF/DCE 1.1, the DCE cell administrators should not explicitly give registry administration rights to principals that would not otherwise have access to the cell administrator account itself. As distributed by OSF, only cell_admin is given such rights. OSF is in the process of providing a fix for this defect to DCE 1.1 support licensees for them to apply to their DCE 1.1 based products. The end-users may ask their DCE vendors for such a fix. All future releases of OSF/DCE will have this fix incorporated. ********************************************************************** OSF Systems Engineering Open Software Foundation 11 Cambridge Center, Cambridge, MA 02142 Telephone: +1 617 621 8990 E-mail: dce-support-admin@osf.org =========================FORWARDED TEXT ENDS HERE============================= CERT bulletins, CERT advisories, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from info.cert.org. CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce. If you would like to have future advisories and bulletins mailed to you or to a mail exploder at your site, please send mail to cert-advisory-request@cert.org. If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise that the e-mail be encrypted. The CERT Coordination Center can support a shared DES key, PGP (public key available via anonymous FTP on info.cert.org), or PEM (contact CERT staff for details). Internet email: cert@cert.org Telephone: +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax: +1 412-268-6989 CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 USA CERT is a service mark of Carnegie Mellon University. **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DDN Security bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes. From scc@nic.ddn.mil Fri Aug 4 11:46:33 1995 Received: from nic.ddn.mil (NIC.DDN.MIL [192.112.36.5]) by wss.nic.ddn.mil (8.6.9/DDN-NIC) with ESMTP id LAA05741 for ; Fri, 4 Aug 1995 11:46:32 -0700 Received: (scc@localhost) by nic.ddn.mil (8.6.12/DNIC) id OAA19273 for jorier; Fri, 4 Aug 1995 14:47:42 -0400 From: SCC Message-Id: <199508041847.OAA19273@nic.ddn.mil> Subject: DISN Security Bulletin 9531 To: jorier@nic.ddn.mil (Jorie Robert) Date: Fri, 4 Aug 1995 14:47:41 -0400 (GMT-0400) Organization: Security Coordination Center (SCC), Defense Data Network, Network Information Center (DDN NIC) Phone: 1-(800)-365-3642 Reply-To: scc@nic.ddn.mil X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 9012 Status: O ______________________________ Forward Header __________________________________ ************************************************************************** Security Bulletin 9531 DISA Defense Communications System July 24, 1995 Published by: DISN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9510). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DISN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= Subject: CERT Vendor-Initiated Bulletin VB-95:05 - OSF Author: cert-advisory-request@cert.org at smtp Date: 7/21/95 8:36 PM CERT Vendor-Initiated Bulletin VB-95:05 July 21, 1995 Topic: OSF/DCE Security Hole Source: Open Software Foundation (OSF) To aid in the wide distribution of essential security information, the CERT Coordination Center is forwarding the following information from the Open Software Foundation. OSF urges you to act on this information as soon as possible. OSF contact information is included in the forwarded text below; please contact them if you have any questions or need further information. ========================FORWARDED TEXT STARTS HERE============================ Advisory on OSF/DCE Security Hole July 19, 1995 It has been discovered that OSF/DCE security has a flawed aliasing mechanism in its registry that can potentially yield a less secure DCE cell. PROBLEM: Multiple administrators in a DCE cell (i.e., principals with the privileges required to create principals and accounts within the DCE registry), some of which are intended to be less trusted than the cell administrator (e.g., principals intended to be restricted to create principals and accounts only within a subset of DCE registry name space), cannot be prevented from acquiring full privileges of the cell administrator. Due to a flaw in the DCE security registry such less privileged administrators are able to gain full privileges by creating an alias to the cell administrator. The security server grants an alias principal full rights of the principal it is aliased to. DCE security registry principals are generally not allowed to create accounts. Only an account designated as some type of administrator, by explicitly creating ACL entries for that principal, allows it to do things to the registry that normal users are not allowed to do, that is, create principals and accounts in a certain part of the security name space. In OSF/DCE as it ships, only cell_admin is given such privileges. To that effect, the DCE cell administrator can prevent any loss of security by following the guidelines described below. HOW TO AVOID: This security hole has existed in all releases of OSF/DCE todate. To avoid the problem in releases prior to OSF/DCE 1.1, the DCE cell administrators should not explicitly give registry administration rights to principals that would not otherwise have access to the cell administrator account itself. As distributed by OSF, only cell_admin is given such rights. OSF is in the process of providing a fix for this defect to DCE 1.1 support licensees for them to apply to their DCE 1.1 based products. The end-users may ask their DCE vendors for such a fix. All future releases of OSF/DCE will have this fix incorporated. ********************************************************************** OSF Systems Engineering Open Software Foundation 11 Cambridge Center, Cambridge, MA 02142 Telephone: +1 617 621 8990 E-mail: dce-support-admin@osf.org =========================FORWARDED TEXT ENDS HERE============================= CERT bulletins, CERT advisories, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from info.cert.org. CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce. If you would like to have future advisories and bulletins mailed to you or to a mail exploder at your site, please send mail to cert-advisory-request@cert.org. If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise that the e-mail be encrypted. The CERT Coordination Center can support a shared DES key, PGP (public key available via anonymous FTP on info.cert.org), or PEM (contact CERT staff for details). Internet email: cert@cert.org Telephone: +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax: +1 412-268-6989 CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 USA CERT is a service mark of Carnegie Mellon University. **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DDN Security bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.