-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Don Stikvoort                               Index  :    S-95-14
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          1
Subject       : OSF/DCE Security Hole                       Date   :  25-Jul-95
===============================================================================

By courtesy of the Open Software Foundation and CERT/CC we received the 
following information about a security hole in OSF/DCE. 

We advise you to take proper notice if this applies to your situation,
and take relevant steps.

==============================================================================

                   Advisory on OSF/DCE Security Hole
                             July 19, 1995     
    
       It has been discovered that OSF/DCE security has a flawed aliasing
       mechanism in its registry that can potentially yield a less secure
       DCE cell.

     PROBLEM:
       Multiple administrators in a DCE cell (i.e., principals with the
       privileges required to create principals and accounts within the DCE
       registry), some of which are intended to be less trusted than the
       cell administrator (e.g., principals intended to be restricted to
       create principals and accounts only within a subset of DCE registry
       name space), cannot be prevented from acquiring full privileges of
       the cell administrator. Due to a flaw in the DCE security registry
       such less privileged administrators are able to gain full privileges
       by creating an alias to the cell administrator. The security server
       grants an alias principal full rights of the principal it is aliased
       to.

       DCE security registry principals are generally not allowed to create
       accounts. Only an account designated as some type of administrator,
       by explicitly creating ACL entries for that principal, allows it to
       do things to the registry that normal users are not allowed to do,
       that is, create principals and accounts in a certain part of the
       security name space. In OSF/DCE as it ships, only cell_admin is
       given such privileges. To that effect, the DCE cell administrator can
       prevent any loss of security by following the guidelines described
       below.

     HOW TO AVOID:
       This security hole has existed in all releases of OSF/DCE todate.
       To avoid the problem in releases prior to OSF/DCE 1.1, the DCE cell
       administrators should not explicitly give registry administration
       rights to principals that would not otherwise have access to the
       cell administrator account itself. As distributed by OSF, only
       cell_admin is given such rights.

       OSF is in the process of providing a fix for this defect to DCE 1.1
       support licensees for them to apply to their DCE 1.1 based products.
       The end-users may ask their DCE vendors for such a fix. All future
       releases of OSF/DCE will have this fix incorporated.

     **********************************************************************

     OSF Systems Engineering

     Open Software Foundation
     11 Cambridge Center,
     Cambridge, MA 02142

     Telephone: +1 617 621 8990
     E-mail:    dce-support-admin@osf.org
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IFjSYjBqwfc9jEQIpDgCfQkaFrgIQHwyYAaVBWQfe+Ap6BbMAoL2A
sn4iAhzHLKkQxrfD5Ms4kyce
=RHi7
-----END PGP SIGNATURE-----