/usr/share/centrifydc/libexec/adsetgroups is a setuid-root utility used on older UNIX systems (such as Solaris, AIX and HP-UX) that support only a small number of supplementary groups per user (16). Working in conjunction with a large customer, Centrify has discovered a bug in the adsetgroups utility that may result in data leakage in certain circumstances.
- Centrify would like to thank Travis Emmert for reporting the issue and working with us to protect our customers.
- Centrify Server Suite 2008 through Centrify Server Suite 2014.1
- Centrify DirectControl 3.x.x through 4.2.0 (which were shipped prior to Centrify Server Suite 2008)
This tool is rarely used today, and newer systems such as Linux do not have the small group-set limitation. For systems that do not need this tool (e.g. any system that is not one of the older UNIX platforms above), Centrify recommends removing the adsetgroups utility or, as an alternative, removing the setuid bit from the executable with “chmod -s”. Either change can be pushed via group policy or through Deployment Manager. Please refer to KB-4825 for additional details.
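As an added example (this is not Centrify's code and is not part of KB-4825), the following POSIX shell script checks whether adsetgroups is still installed with the setuid bit and, when asked, applies the “chmod -s” mitigation and verifies it took effect. It uses only sh, find and chmod so that it also runs on the older UNIX platforms named above. The ADSETGROUPS environment override and the --fix flag are conveniences introduced here, not something Centrify defines.

```shell
#!/bin/sh
# Added example, not Centrify's own tooling: check whether adsetgroups still
# carries the setuid bit and, if so, apply the advisory's "chmod -s" mitigation.
# Uses only POSIX sh, find and chmod so it also runs on Solaris, AIX and HP-UX.

# Path from the advisory. ADSETGROUPS may be overridden in the environment
# (an assumption made here for testing; Centrify does not define this variable).
ADSETGROUPS=${ADSETGROUPS:-/usr/share/centrifydc/libexec/adsetgroups}

# Exit 0 if the file exists and has the setuid bit (mode 04000) set.
# "find FILE -perm -4000" is POSIX and prints FILE only when the bit is set,
# so no GNU-specific stat(1) output format is needed.
adsetgroups_is_setuid() {
    f=$1
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -perm -4000 2>/dev/null)" ]
}

# Strip setuid (and setgid) with "chmod -s" and re-check the result.
# Exit 0 when the file is absent or no longer setuid, 1 if removal failed.
# Only run this on hosts that do not need adsetgroups (see the advisory);
# a 16-group UNIX that relies on it should be upgraded instead.
strip_setuid() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f: not installed, nothing to do"
        return 0
    fi
    if adsetgroups_is_setuid "$f"; then
        echo "$f: setuid bit set, running chmod -s"
        chmod -s "$f" || return 1
    else
        echo "$f: setuid bit not set, nothing to do"
    fi
    if adsetgroups_is_setuid "$f"; then
        echo "$f: still setuid after chmod -s" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_adsetgroups.sh        (report only)
#        sh check_adsetgroups.sh --fix  (remove the setuid bit, needs root)
if [ "${1:-}" = "--fix" ]; then
    strip_setuid "$ADSETGROUPS"
elif adsetgroups_is_setuid "$ADSETGROUPS"; then
    echo "$ADSETGROUPS: setuid binary present; mitigate with --fix or upgrade"
else
    echo "$ADSETGROUPS: absent or not setuid"
fi
```

Running the script without --fix is safe on any host and makes a reasonable compliance check to schedule fleet-wide; the --fix path must run as root because only the owner (root) can change the binary's mode. Removing the binary outright, as the advisory also permits, leaves nothing for this check to find.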
This has been fixed in the refreshed release of Centrify Server Suite 2014.1.
Centrify recommends that customers follow the steps in the mitigation plan above and/or upgrade to the current release of 2014.1 as soon as possible. The release is available from the Download Center.
For assistance or questions, open a case with Centrify Support on the Portal.
For further information on Centrify Security Policies: