Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4825: adsetgroups vulnerability

Centrify DirectControl ,  

12 April,16 at 11:07 AM

 

Vulnerability Summary:

/usr/share/centrifydc/libexec/adsetgroups is a setuid root utility and is used on older UNIX systems (such as Solaris, AIX, HPUX, etc) where the system is only able to support smaller sets ( 16 ) of groups per user. Working in conjuction with a large customer, Centrify has discovered a bug in the adsetgroups utility that may result in data leakage in certain circumstances.

Acknowledgements:

  • Centrify would like to thank Travis Emmert for working with us in reporting the issue and protecting our customers.

Affected Products:

  • Centrify Server Suite 2008 through Centrify Server Suite 2014.1 
  • Centrify DirectControl 3.x.x through 4.2.0 (which were shipped prior to Centrify Server Suite 2008)

Customer Mitigation:

This tool is not commonly used anymore and new systems such as Linux do not have the small group set limitation. For users who do not use this tool (e.g. not using an older UNIX system), Centrify recommends removing the adsetgroups utility or, as an alternative, removing the setuid bit on the executable using “chmod -s”. This command can be pushed via group policy or through Deployment Manager. Please refer to KB-4825 for additional details.

Resolution:

This has been fixed in the refreshed version of Centrify Suite 2014.1

Centrify recommends customers to follow the steps from the Mitigation plan above and/or upgrade to the current release of 2014.1 as soon as possible. The release is available on the Download Center.

For assistance or questions open a case with Centrify Support on the Portal.

For further information on Centrify Security Policies:
http://www.centrify.com/support/product-security-policies.asp

 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-9946: Is Centrify vulnerable to SAML Authentication Bypass vulnerability? articleKB-7865: Centrify Customer Advisory - Security Vulnerability with some Stored Procedures in DirectAudit database articleKB-3271: Centrify Product Support Policies - Vulnerability Disclosure Policy articleKB-1862: Is Centrify-Enabled OpenSSH affected by vulnerability CVE-2010-3864? articleKB-9655: How Does the Meltdown & Spectre Vulnerabilities Affect Centrify articleKB-10035: When does Centrify release upgrade that address CVE-2017-3737 and CVE-2017-3738 vulnerability? articleKB-1619: Does "Kerberos ASN decoder vulnerability CVE-2009-0846 (MITKRB5-SA-2009-002)" apply to DirectControl ? articleKB-6131: Is the Centrify ssh client affected by OpenSSH vulnerabilities CVE-2016-0777 and CVE-2016-0778? articleKB-6864: Do CVE-2016-2109, CVE-2016-2108, CVE-2016-2107,CVE-2016-2106, CVE-2016-2105, CVE-2016-2176 vulnerabilities affect Centrify DirectControl?