7 August,20 at 04:29 PM
This CVE names the Windows DNS server as attack surface. Centrify is a DNS client so we are NOT exposed to this issue.
We do strongly recommend that our customer's follow Microsoft's suggestion to fix this issue.
Additional information:
One note on the following information from the recommended fix from Microsoft:
"After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients if the DNS response from the upstream server is larger than 65,280 bytes."
A DNS response that large is unheard of (even for a SRV query), but not impossible if it was crafted by malicious upstream DNS server.
As far as we are aware, there is no known legitimate response that big.
KB-20210: Common Questions Regarding Centrify DirectControl and CoreOS
KB-11689: Are the Centrify products affected by Speakup backdoor CVEs CVE-2012-0874, CVE-2010-1871, JBoss AS 3/4/5/6, CVE-2017-10271, CVE-2018-2894, Hadoop YARN ResourceManager, CVE-2016-3088?
KB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role?
KB-6041: How to show current license type in use by adclient
KB-30546: When using the Centrify Client for Windows™ why must network level authentication (NLA) be disabled?
KB-6040: How to change the license type in use after adclient successful joined to the AD?
[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I
KB-6038: How to specify the license type to use when joining the server to AD using adjoin?
[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III