[ SOURCE: http://www.secureroot.com/security/advisories/9641752134.html ]



                   Advisory on OSF/DCE Security Hole

                             July 19, 1995

     

    

       It has been discovered that OSF/DCE security has a flawed aliasing

       mechanism in its registry that can potentially yield a less secure

       DCE cell.



     PROBLEM:

       Multiple administrators in a DCE cell (i.e., principals with the

       privileges required to create principals and accounts within the DCE

       registry), some of which are intended to be less trusted than the

       cell administrator (e.g., principals intended to be restricted to

       create principals and accounts only within a subset of DCE registry

       name space), cannot be prevented from acquiring full privileges of

       the cell administrator. Due to a flaw in the DCE security registry

       such less privileged administrators are able to gain full privileges

       by creating an alias to the cell administrator. The security server

       grants an alias principal full rights of the principal it is aliased

       to.



       DCE security registry principals are generally not allowed to create

       accounts. Only an account designated as some type of administrator,

       by explicitly creating ACL entries for that principal, allows it to

       do things to the registry that normal users are not allowed to do,

       that is, create principals and accounts in a certain part of the

       security name space. In OSF/DCE as it ships, only cell_admin is

       given such privileges. To that effect, the DCE cell administrator can

       prevent any loss of security by following the guidelines described

       below.



     HOW TO AVOID:

       This security hole has existed in all releases of OSF/DCE todate.

       To avoid the problem in releases prior to OSF/DCE 1.1, the DCE cell

       administrators should not explicitly give registry administration

       rights to principals that would not otherwise have access to the

       cell administrator account itself. As distributed by OSF, only

       cell_admin is given such rights.



       OSF is in the process of providing a fix for this defect to DCE 1.1

       support licensees for them to apply to their DCE 1.1 based products.

       The end-users may ask their DCE vendors for such a fix. All future

       releases of OSF/DCE will have this fix incorporated.



     **********************************************************************



     OSF Systems Engineering



     Open Software Foundation

     11 Cambridge Center,

     Cambridge, MA 02142



     Telephone: +1 617 621 8990

     E-mail:    dce-support-admin@osf.org