Bugtraq mailing list archives

CERT Vendor-Initiated Bulletin VB-96.16 - Transarc Corp.

From: cert-advisory () cert org (CERT Bulletin)
Date: Tue, 17 Sep 1996 16:36:11 -0500


-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT(sm) Vendor-Initiated Bulletin VB-96.16
September 17, 1996

Topic: Solaris AFS/DFS Integrated login bug if user is in too many groups
Source: Transarc Corp.

To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Transarc
Corp. Transarc urges you to act on this information as soon as
possible. Transarc contact information is included in the forwarded text
below; please contact them if you have any questions or need further
information.


=======================FORWARDED TEXT STARTS HERE============================

- ----------------------------------------------------------------------

Topic:  Solaris AFS/DFS Integrated login bug if user is in too many
groups
Source: Transarc Corp.
- --------------------------------


Problem: Vulnerability in Transarc DCE Integrated login for sites
running DFS


I. Description

On systems running the DCE Distributed File System (DFS), users placed
in more than NGROUPS_MAX-1 (usually 15) groups in the DCE registry and
in /etc/group will have an incorrect grouplist upon login.

For systems running both AFS and DFS, this limit is reduced to
NGROUPS_MAX-3 (13).

The vulnerability is caused by a change in the setgroups(2) system
call under DFS, which can cause it to fail when passed a large set of
supplementary groups.  Thus, it can cause problems in
non-Transarc-supplied programs which use setgroups(2) if they do not
handle error conditions correctly.

Vulnerable products include Transarc DCE and DFS 1.1 for Solaris 2.4
and Solaris 2.5.  This vulnerability is not present on sites not
running DFS (even if they are running AFS).


II. Impact

Users with accounts on the system may gain unauthorized access to
resources.  Access to resources controlled by DCE/DFS is unaffected,
as the DCE PAC is correct.

Users without accounts on the system cannot take advantage of this
vulnerability.


III. Solution

The following patches are available from Transarc:
        DCE/DFS 1.1 for Solaris 2.4:    patch 22
        DCE/DFS 1.1 for Solaris 2.5:    patch 2


A workaround is possible as well: simply ensure that no user is listed
in more than NGROUPS_MAX-3 groups in /etc/group (including the user's
primary group, which may not appear in /etc/group).  With this
workaround, only the primary group and groups which appear in
/etc/group will appear in the grouplist upon login.

Contact Transarc customer support by telephone at 412-281-5852 or
via email (dfs-help () transarc com) for additional information or
questions.

IV.  Other Platform Impact

HP has advised that this problem does not affect the HP product.
IBM has advised that this problem does not affect the IBM product.



========================FORWARDED TEXT ENDS HERE=============================

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key


CERT Contact Information
- ------------------------
Email    cert () cert org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request () cert org


CERT is a service mark of Carnegie Mellon University.

This file: ftp://info.cert.org/pub/cert_bulletins/VB-96.16.transarc



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMj7JiHVP+x0t4w7BAQEljgP/RHRL2ifIJQjMnaAfMis62pysC8PPzJ/n
SZzGlbKiKf765nS2yLi8IZFuVyRMibGCXj07TAxtQwtJuJbPA33+J2Qcvsucvx1b
R88z6P9HhBZqfrPKMnCmvxPa1FNUFMRkmQy37xg9wfZbeZkhjjU+c05uP2pgP/Or
pDS2H+AJXLY=
=chOF
-----END PGP SIGNATURE-----

Current thread:

Re: BUG in /bin/bash Roger Espel Llima (Sep 13)
- Re: BUG in /bin/bash Yiorgos Adamopoulos (Sep 13)
  - Re: BUG in /bin/bash Julian Assange (Sep 13)
  - Re: BUG in /bin/bash Alan Cox (Sep 14)
  - Re: BUG in /bin/bash Aggelos P. Varvitsiotis (Sep 16)
- <Possible follow-ups>
- Re: BUG in /bin/bash Eugene Bradley (Sep 13)
- Re: BUG in /bin/bash Dan Stromberg (Sep 14)
  - Re: BUG in /bin/bash Alan Cox (Sep 17)
  - CERT Vendor-Initiated Bulletin VB-96.16 - Transarc Corp. CERT Bulletin (Sep 17)
- Re: BUG in /bin/bash Dan Thorson (Sep 16)
  - Re: sh and ^ bitblt () cybercom net (Sep 17)