COMMAND

    Solaris DCE Integrated login bug if AFS klog not installed

SYSTEMS AFFECTED

    Transarc DCE 1.1  for Solaris 2.4  and Solaris 2.5  in conjunction
    with any version of AFS.

PROBLEM

    Transarc  Corp.  published  next  advisory.   On  systems  running
    Transarc's  Solaris  DCE  integrated  login  program (login.dce in
    place of  /bin/login) which  have AFS  installed but  no AFS  klog
    binary in any  of the standard  locations, unauthorized users  may
    gain  access  to  local  system  resources  as  any  valid user by
    supplying a valid  username for login,  with any arbitrary  string
    as a password.

    The vulnerability  stems from  an incorrect  interpretation of the
    situation which  occurs when  an AFS  klog binary  is not found by
    login.dce.

    Users without accounts on the system may gain unauthorized  access
    to local resources.  Access to resources controlled by AFS/DCE/DFS
    is  unaffected,  as  no  network  credentials are granted unless a
    valid password is supplied.

SOLUTION

    If  there  is  a  klog  binary  in  ANY  of the following standard
    locations, the vulnerability will NOT occur:

        /opt/dcelocal/bin/klog
        /usr/afsws/bin/klog
        /usr/vice/etc/klog

    Systems not  running AFS  are not  vulnerable to  this issue.  The
    following patches are available from Transarc:

        DCE 1.1 for Solaris 2.4:        patch 40 and higher
        DCE 1.1 for Solaris 2.5:        patch 25 and higher

    A workaround is possible as well: simply install any program which
    produces output on stdout in  one of the standard klog  locations.
    (A "hello, world" program or  shell script is sufficient; as  long
    as it  puts something  on stdout,  it's good  enough.   Optimally,
    install the actual AFS klog program in one of the above locations)
    Contact Transarc customer support by telephone at 412-281-5852  or
    via email (dce-help@transarc.com) for additional information.