[Secure-testing-team] Bug#481389: Debian package allows passwordless SYSDBA remote connections
Damyan Ivanov
dmn at debian.org
Thu May 15 18:20:20 UTC 2008
Package: firebird2.0-super
Version: 2.0.3.12981.ds1-13
Severity: grave
Tags: security
The only reason for this to not be of critical severity is that database
services are typically firewalled.
This is CVE-2008-1880[1]
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1880
The init.d script used by Debian packages exports ISC_PASSWORD into the
environment before starting fbguard. fbguard itself spawns the fbserver
process without cleaning the environment.
fbserver uses ISC_PASSWORD from the environment when a remote connection
does not supply a password. This makes it possible to connect remotely
as the SYSDBA user without giving a password.
That last part is already fixed in upstream CVS HEAD, but backporting
the change is reported to be non-trivial.
So the way to close the hole is to stop exporting ISC_PASSWORD in the
init.d script. That variable is used only for stopping the server and
there is another way to achieve this -- via start-stop-daemon and a PID
file.
I am working on the implementation.
--
dam
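The mechanism the report describes, as an added example that is not the Debian init.d script or Firebird code: an exported ISC_PASSWORD is inherited by every child of the init script, a spawner can strip it before exec, an audit check flags init scripts that still export it, and the stop path can work from a PID file with no credential at all. fbguard/fbserver are replaced by plain shell stand-ins and PIDFILE is a placeholder path.

```shell
#!/bin/sh
# Added example, not the Debian init.d script or Firebird code. Shows how an
# exported ISC_PASSWORD reaches every child of the init script, and the
# PID-file stop pattern the report proposes instead. fbguard/fbserver are
# replaced by plain shell stand-ins; PIDFILE is a placeholder path.

PIDFILE="${TMPDIR:-/tmp}/fbguard-example.pid"

# Weak pattern: the init script exports the password, so the daemon it
# starts (and every process that daemon spawns) inherits it.
start_weak() {
    ISC_PASSWORD="constructed-sample-secret"
    export ISC_PASSWORD
    # stand-in for fbguard -> fbserver: reports what the child inherited
    sh -c 'printf "%s" "${ISC_PASSWORD:-unset}"'
}

# Mitigation on the spawning side: the child is started with the variable
# explicitly removed from its environment (env -u, GNU/BSD env).
start_clean_env() {
    ISC_PASSWORD="constructed-sample-secret"
    export ISC_PASSWORD
    env -u ISC_PASSWORD sh -c 'printf "%s" "${ISC_PASSWORD:-unset}"'
}

# Audit: succeeds (exit 0) when an init script still exports ISC_PASSWORD.
init_script_exports_password() {
    grep -Eq '^[[:space:]]*export[[:space:]]+ISC_PASSWORD' "$1"
}

# Stop path without any password: record the PID at start (what
# start-stop-daemon --make-pidfile does for a real daemon) ...
start_with_pidfile() {
    sleep 60 &
    echo $! > "$PIDFILE"
}

# ... and signal that PID at stop, so no SYSDBA credential is needed.
stop_with_pidfile() {
    [ -f "$PIDFILE" ] || return 1
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}
```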