
KB-4825: adsetgroups vulnerability

Centrify DirectControl

12 April,16 at 11:07 AM

 

Vulnerability Summary:

/usr/share/centrifydc/libexec/adsetgroups is a setuid root utility used on older UNIX systems (such as Solaris, AIX, HPUX, etc.) where the system is only able to support smaller sets (16) of groups per user. Working in conjunction with a large customer, Centrify has discovered a bug in the adsetgroups utility that may result in data leakage in certain circumstances.

Acknowledgements:

  • Centrify would like to thank Travis Emmert for working with us in reporting the issue and protecting our customers.

Affected Products:

  • Centrify Server Suite 2008 through Centrify Server Suite 2014.1 
  • Centrify DirectControl 3.x.x through 4.2.0 (which were shipped prior to Centrify Server Suite 2008)

Customer Mitigation:

This tool is not commonly used anymore, and newer systems such as Linux do not have the small group set limitation. For users who do not use this tool (e.g. those not running an older UNIX system), Centrify recommends removing the adsetgroups utility or, as an alternative, removing the setuid bit on the executable using “chmod -s”. This command can be pushed via group policy or through Deployment Manager. Please refer to KB-4825 for additional details.
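
The mitigation above as an audit-then-fix script (an added example, not Centrify's own tooling). The path comes from this advisory; the function names, the `ADSETGROUPS` override and the `--audit`/`--fix` switches are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check adsetgroups for the setuid bit and strip it on request.
# Default path is the one given in the advisory; ADSETGROUPS is a hypothetical
# override for hosts where the package lives elsewhere.
ADSETGROUPS="${ADSETGROUPS:-/usr/share/centrifydc/libexec/adsetgroups}"

# audit_adsetgroups FILE
# Returns 0 when FILE is absent or not setuid, 1 when the setuid bit is set.
audit_adsetgroups() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "OK: $f not present"
        return 0
    fi
    if [ -u "$f" ]; then
        echo "FINDING: setuid bit set on $f"
        ls -ln "$f"
        return 1
    fi
    echo "OK: $f present, setuid bit not set"
    return 0
}

# remediate_adsetgroups FILE
# Runs "chmod -s" only when the audit reports a finding, then re-audits so the
# exit status reflects the final state (0 = clean, 1 = still setuid, 2 = error).
remediate_adsetgroups() {
    f="$1"
    if audit_adsetgroups "$f" >/dev/null; then
        echo "OK: nothing to change for $f"
        return 0
    fi
    if ! chmod -s "$f"; then
        echo "ERROR: chmod -s failed on $f (run as root?)" >&2
        return 2
    fi
    audit_adsetgroups "$f"
}

# Command-line entry point: report only, or report and fix.
case "${1:-}" in
    --audit) audit_adsetgroups "$ADSETGROUPS" ;;
    --fix)   remediate_adsetgroups "$ADSETGROUPS" ;;
esac
```

Run it with `--audit` first to inventory affected hosts; the non-zero exit status on a finding makes it usable from a compliance or configuration-management job.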

Resolution:

This has been fixed in the refreshed version of Centrify Suite 2014.1.

Centrify recommends that customers follow the steps from the Mitigation plan above and/or upgrade to the current release of 2014.1 as soon as possible. The release is available on the Download Center.

For assistance or questions, open a case with Centrify Support on the Portal.

For further information on Centrify Security Policies:
http://www.centrify.com/support/product-security-policies.asp
