Damyan Ivanov
2008-May-15 18:20 UTC
[Secure-testing-team] Bug#481389: Debian package allows passwordless SYSDBA remote connections
Package: firebird2.0-super
Version: 2.0.3.12981.ds1-13
Severity: grave
Tags: security

The only reason for this not to be of critical severity is that database services are typically firewalled.

This is CVE-2008-1880[1]

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1880

The init.d script used by the Debian packages exports ISC_PASSWORD into the environment before starting fbguard. fbguard itself spawns the fbserver process without cleaning the environment. fbserver uses ISC_PASSWORD from the environment when a remote connection does not supply a password. This makes it possible to connect remotely as the SYSDBA user without giving a password.

That last part is already fixed in upstream CVS HEAD, but backporting the change is reported to be non-trivial.

So the way to close the hole is to stop exporting ISC_PASSWORD in the init.d script. That variable is used only for stopping the server, and there is another way to achieve this -- via start-stop-daemon and a PID file.

I am working on the implementation.

-- dam
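The two mechanisms the report relies on, an exported variable being inherited by every descendant process and a stop path that needs no password, can be demonstrated with a stand-in daemon chain. The following is an added example and is not code from the bug report, the Debian init.d script or the firebird2.0 package; the nested `sh -c` invocations stand in for fbguard and fbserver, the password value is constructed, and the background `sleep` stands in for the running server.

```sh
#!/bin/sh
# Added example (not from the bug report or the firebird2.0 packaging).
# Part 1: why exporting the SYSDBA password in an init script is a leak.
# Part 2: stopping a daemon via a PID file, so no password is needed at all.
# All values, names and the fake daemon below are constructed for illustration.

# Vulnerable pattern: the init script exports the password, the "guardian"
# (outer sh, standing in for fbguard) starts the "server" (inner sh, standing
# in for fbserver) without scrubbing its environment, and the server sees it.
# Prints the password the innermost process can read.
leaky_start() {
    ISC_PASSWORD='constructed-secret'          # constructed, not a real value
    export ISC_PASSWORD
    sh -c 'sh -c "printf %s \"\${ISC_PASSWORD:-unset}\""'
}

# Hardened pattern: the password is never exported, and the environment handed
# to the daemon chain is explicitly stripped of ISC_PASSWORD (env -u is
# supported by GNU, BSD and busybox env). Prints "unset" for the innermost process.
clean_start() {
    env -u ISC_PASSWORD sh -c 'sh -c "printf %s \"\${ISC_PASSWORD:-unset}\""'
}

# PID-file stop: start a stand-in daemon in the background, record its PID in a
# file, then terminate it by PID rather than through an authenticated shutdown
# command. Prints "stopped" once the process is gone, "running" otherwise.
pidfile_stop_demo() {
    pidfile="${TMPDIR:-/tmp}/fake-fbserver.$$.pid"   # constructed path
    sleep 60 &                                        # stand-in daemon
    echo "$!" > "$pidfile"
    pid=$(cat "$pidfile")
    kill "$pid" 2>/dev/null || true                   # SIGTERM by PID
    wait "$pid" 2>/dev/null || true                   # reap the child
    rm -f "$pidfile"
    if kill -0 "$pid" 2>/dev/null; then
        printf running
    else
        printf stopped
    fi
}

# Stand-alone run: show the leak, the clean start, and the PID-file stop.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ] && [ "${0##*/}" != "dash" ]; then
    printf 'server sees with export:   %s\n' "$(leaky_start)"
    printf 'server sees without export: %s\n' "$(clean_start)"
    printf 'pidfile stop result:        %s\n' "$(pidfile_stop_demo)"
fi
```

The functions are invoked through `$(...)` so the `export` in `leaky_start` stays confined to its subshell and never reaches the caller; in a real init script there is no such boundary, which is exactly why the variable must not be exported there in the first place.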