[ SOURCE: http://www.secureroot.com/security/advisories/9641766257.html ] - ---------------------------------------------------------------------- Topic: Solaris AFS/DFS Integrated login bug if user is in too many groups Source: Transarc Corp. - -------------------------------- Problem: Vulnerability in Transarc DCE Integrated login for sites running DFS I. Description On systems running the DCE Distributed File System (DFS), users placed in more than NGROUPS_MAX-1 (usually 15) groups in the DCE registry and in /etc/group will have an incorrect grouplist upon login. For systems running both AFS and DFS, this limit is reduced to NGROUPS_MAX-3 (13). The vulnerability is caused by a change in the setgroups(2) system call under DFS, which can cause it to fail when passed a large set of supplementary groups. Thus, it can cause problems in non-Transarc-supplied programs which use setgroups(2) if they do not handle error conditions correctly. Vulnerable products include Transarc DCE and DFS 1.1 for Solaris 2.4 and Solaris 2.5. This vulnerability is not present on sites not running DFS (even if they are running AFS). II. Impact Users with accounts on the system may gain unauthorized access to resources. Access to resources controlled by DCE/DFS is unaffected, as the DCE PAC is correct. Users without accounts on the system cannot take advantage of this vulnerability. III. Solution The following patches are available from Transarc: DCE/DFS 1.1 for Solaris 2.4: patch 22 DCE/DFS 1.1 for Solaris 2.5: patch 2 A workaround is possible as well: simply ensure that no user is listed in more than NGROUPS_MAX-3 groups in /etc/group (including the user's primary group, which may not appear in /etc/group). With this workaround, only the primary group and groups which appear in /etc/group will appear in the grouplist upon login. Contact Transarc customer support by telephone at 412-281-5852 or via email (dfs-help@transarc.com) for additional information or questions. IV. Other Platform Impact HP has advised that this problem does not affect the HP product. IBM has advised that this problem does not affect the IBM product.