-----BEGIN PGP SIGNED MESSAGE-----

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    
          Automated Systems Security Incident Support Team
                                                _____
             ___   ___  _____   ___  _____     |     /
      /\    /   \ /   \   |    /   \   |       |    / Integritas
     /  \   \___  \___    |    \___    |       |   <      et
    /____\      \     \   |        \   |       |    \ Celeritas
   /      \ \___/ \___/ __|__  \___/   |       |_____\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  
    
                       Bulletin  95-31
 
       Release date: 31 July, 1995, 4:10 PM EDT (GMT -4)

SUBJECT: OSF/DCE Security Hole. 

SUMMARY: The Open Software Foundation (OSF) has distributed
information regarding a flawed aliasing mechanism in its registry 
that can potentially yield a less secure DCE cell.

BACKGROUND: Multiple administrators in a DCE cell (i.e., principals 
with the privileges required to create principals and accounts 
within the DCE registry), some of which are intended to be less 
trusted than the cell administrator (e.g., principals intended to 
be restricted to create principals and accounts only within a 
subset of DCE registry name space), cannot be prevented from 
acquiring full privileges of the cell administrator.  Due to a flaw 
in the DCE security registry such less privileged administrators 
are able to gain full privileges by creating an alias to the cell 
administrator.  The security server grants an alias principal full 
rights of the principal it is aliased to.

DCE security registry principals are generally not allowed to 
create accounts.  Only an account designated as some type of 
administrator, by explicitly creating ACL entries for that 
principal, allows it to do things to the registry that normal users 
are not allowed to do, that is, create principals and accounts in a 
certain part of the security name space.  In OSF/DCE as it ships, 
only cell_admin is given such privileges.  To that effect, the DCE 
cell administrator can prevent any loss of security by following 
the guidelines described below.

IMPACT: Less privileged administrators are able to gain full 
privileges to OSF/DCE systems.

RECOMMENDED SOLUTIONS: This security hole has existed in all
releases of OSF/DCE to date.  To avoid the problem in releases prior 
to OSF/DCE 1.1, the DCE cell administrators should not explicitly 
give registry administration rights to principals that would not 
otherwise have access to the cell administrator account itself.  As 
distributed by OSF, only cell_admin is given such rights.  OSF is 
in the process of providing a fix for this defect to DCE 1.1 support 
licensees for them to apply to their DCE 1.1 based products.  The 
end-users may ask their DCE vendors for such a fix. All future 
releases of OSF/DCE will have this fix incorporated.  OSF can be
reached at:

     OSF Systems Engineering

     Open Software Foundation
     11 Cambridge Center,
     Cambridge, MA 02142

     Telephone: +1 617 621 8990
     E-mail:    dce-support-admin@osf.org

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ASSIST is an element of the Defense Information Systems Agency 
(DISA), Center for Information Systems Security (CISS), that 
provides service to the entire DoD community. Constituents 
of the DoD with questions about ASSIST or computer security 
security issues, can contact ASSIST using one of the methods
listed below.  Non-DoD organizations/institutions, contact
the Forum of Incident Response and Security Teams (FIRST)
(FIRST) representative.  To obtain a list of FIRST member
organizations and their constituencies send an email to
docserver@first.org with an empty "subject" line and a message body
containing the line "send first-contacts".

ASSIST Information Resources: To be included in the distribution
list for the ASSIST bulletins, send your Milnet (Internet) e-mail
address to assist-request@assist.mil.  Back issues of ASSIST 
bulletins, and other security related information, are available
from the ASSIST BBS at 703-607-4710, 327-4710, and through anonymous 
FTP from assist.mil (IP address 199.211.123.11).  Note: assist.mil 
will only accept anonymous FTP connections from Milnet addresses 
that are registered with the NIC or DNS.  If your system is not 
registered, you must provide your MILNET IP address to ASSIST before 
access can be provided.
 
ASSIST Contact Information: 
PHONE: 800-357-4231 (or 703-607-4700 DSN 327), duty hours are 06:00
to 22:30 EDT (GMT -4) Monday through Friday.  During off duty hours, 
weekends and holidays, ASSIST can be reached via pager at 800-791-
4857.  The page will be answered within 30 minutes, however if a 
quicker response is required, prefix the phone number with "999".
ELECTRONIC MAIL: Send to assist@assist.mil. 
ASSIST BBS: Leave a message for the "sysop". 

ASSIST uses Pretty Good Privacy (PGP) 2.6.2 as the digital 
signature mechanism for bulletins.   PGP 2.6.2 incorporates the 
RSAREF(tm) Cryptographic Toolkit under license from RSA Data 
Security, Inc.  A copy of that license is available via anonymous 
FTP from net-dist.mit.edu (IP 18.72.0.3) in the file 
/pub/PGP/rsalicen.txt, and through the world wide web from
http://net-dist.mit.edu/pgp.html.  In accordance with the terms 
of that license,  PGP 2.6.2 may be used for non-commercial 
purposes only.  Instructions for downloading the PGP 2.6.2 
software can also be obtained from net-dist.mit.edu in the 
pub/PGP/README file.  PGP 2.6.2 and RSAREF may be subject to the 
export control laws of the United States of America as 
implemented by the United States Department of State Office of 
Defense Trade Controls.  The PGP signature information will be 
attached to the end of ASSIST bulletins.
  
Reference herein to any specific commercial product, process, or
service by trade name, trademark manufacturer, or otherwise, does
not constitute or imply its endorsement, recommendation, or
favoring by ASSIST.  The views and opinions of authors expressed
herein shall not be used for advertising or product endorsement
purposes. 

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6

mQCNAi4uZ40AAAEEAM1uraimCNeh5PtzX7KoGxC2u8uMTdl8V5sujk3MHbWvCuOM
W0FqDy5s9iwfQLZWzJ7cbM6L0mNOj8eJGoz7TqGKZDDRFlKAwg0x8joleZLC2gXw
FVdF/g6Mdv7ok7heoa+Y//YMeADnsSrmzqLCnhFbKYffww3EbdH6sbnW3Io9AAUR
tB9BU1NJU1QgVGVhbSA8YXNzaXN0QGFzc2lzdC5taWw+iQCVAwUQL1xx7tH6sbnW
3Io9AQEBYwP9FvIJbnKjtMLUj8ghd6hophSx8WZnfQsOmZX/BbX8vKz1a5BkBn4q
ANvW+uKGdUlE8LLMEm1PD59Cihcb3OoWDOU8zIOIErvry4eqa+LzEXV8nnBdes+A
a1MCMGSz+K3OaP78lQ7JCGoY9TXTWIelfAdBVBG4VQcSQRn8tjRdG2e0KEFTU0lT
VCBUZWFtIDxhc3Npc3RAYXNzaXN0Lmltcy5kaXNhLm1pbD6JAJUCBRAuLnHoh0Y9
0jC+b6kBAU0TA/4yXSL7K6tcfVm9ACnP4crCoutFM2w10e7YKxD850ajhWrh6rI9
O+sjU5WObqiPJ7sZHdEw/KARzPSijH/5h8HlyYa6ClksWxYuymzCsUYYJctdjcGr
uakfXgYQ1TkkyUfNrN5G90NuRK/vTRe7bkmyGNYjN9Njac1Q18WVF59Chg==
=d5rP
- -----END PGP PUBLIC KEY BLOCK-----


-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBMB018dH6sbnW3Io9AQH+ygP/bVtK9KPflm0BjXkvqAnhXG8LTl95Q7Fq
ByaM+pYzDtM3Bpr2lpXhUjqkYC/A2VR7Tjgc/zvKLt8BsrwFMkc9j36nNT7A+fBG
ugyphQ8TXXQCRRw7E/26w7Ini8nBizXpPUVUx3CXZPDT4roXUFz/dzlEUCAqV0J9
6YJ9wn04r2k=
=lGDJ
-----END PGP SIGNATURE-----