Cobalt is working with InterBase to make a fix for this problem available.
Once it is, I will post information to this discussion forum on how
to download the fix.
Best Regards,
/Gordon Garb
>For those of you using Interbase:
>
>CERT Advisory CA-2001-01 Interbase Server Contains Compiled-in Back Door
>Account
>
> Original release date: January 10, 2001
> Last revised: --
> Source: CERT/CC
>
> A complete revision history is at the end of this file.
>
>Systems Affected
>
> * Borland/Inprise Interbase 4.x and 5.x
> * Open source Interbase 6.0 and 6.01
> * Open source Firebird 0.9-3 and earlier
>
>Overview
>
> Interbase is an open source database package that had previously been
> distributed in a closed source fashion by Borland/Inprise. Both the
> open and closed source versions of the Interbase server contain a
> compiled-in back door account with a known password.
>
>I. Description
>
> Interbase is an open source database package that is distributed by
> Borland/Inprise at http://www.borland.com/interbase/ and on
> SourceForge. The Firebird Project, an alternate Interbase package, is
> also distributed on SourceForge. The Interbase server for both
> distributions contains a compiled-in back door account with a fixed,
> easily located plaintext password. The password and account are
> contained in source code and binaries previously made available at the
> following sites:
>
> http://www.borland.com/interbase/
> http://sourceforge.net/projects/interbase
> http://sourceforge.net/projects/firebird
> http://firebird.sourceforge.net
> http://www.ibphoenix.com
> http://www.interbase2000.com
>
> This back door allows any local user or remote user able to access
> port 3050/tcp [gds_db] to manipulate any database object on the
> system. This includes the ability to install trapdoors or other trojan
> horse software in the form of stored procedures. In addition, if the
> database software is running with root privileges, then any file on
> the server's file system can be overwritten, possibly leading to
> execution of arbitrary commands as root.
>
> This vulnerability was not introduced by unauthorized modifications to
> the original vendor's source. It was introduced by maintainers of the
> code within Borland. The back door account password cannot be changed
> using normal operational commands, nor can the account be deleted from
> existing vulnerable servers [see References].
>
> This vulnerability has been assigned the identifier CAN-2001-0008 by
> the Common Vulnerabilities and Exposures (CVE) group:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0008
>
> The CERT/CC has not received reports of this back door being exploited
> at the current time. We do recommend, however, that all affected sites
> and redistributors of Interbase products or services follow the
> recommendations suggested in Section III, as soon as possible due to
> the seriousness of this issue.
>
>II. Impact
>
> Any local user or remote user able to access port 3050/tcp [gds_db]
> can manipulate any database object on the system. This includes the
> ability to install trapdoors or other trojan horse software in the
> form of stored procedures. In addition, if the database software is
> running with root privileges, then any file on the server's file
> system can be overwritten, possibly leading to execution of arbitrary
> commands as root.
>
>III. Solution
>
>Apply a vendor-supplied patch
>
> Both Borland and The Firebird Project on SourceForge have published
> fixes for this problem. Appendix A contains information provided by
> vendors supplying these fixes. We will update the appendix as we
> receive more information. If you do not see your vendor's name, the
> CERT/CC did not hear from that vendor. Please contact your vendor
> directly.
>
> Users who are more comfortable making their own changes in source code
> may find the new code available on SourceForge useful as well:
>
> http://sourceforge.net/projects/interbase
> http://sourceforge.net/projects/firebird
>
>Block access to port 3050/tcp
>
> This will not, however, prevent local users or users within a
> firewall's administrative boundary from accessing the back door
> account. In addition, the port the Interbase server listens on may be
> changed dynamically at startup.
>
>Appendix A. Vendor Information
>
>Borland
>
> Please see:
>
> http://www.borland.com/interbase/
>
>IBPhoenix
>
> The Firebird project uncovered serious security problems with
> InterBase. The problems are fixed in Firebird build 0.9.4 for all
> platforms. If you are running either InterBase V6 or Firebird 0.9.3,
> you should upgrade to Firebird 0.9.4.
>
> These security holes affect all versions of InterBase shipped since
> 1994, on all platforms.
>
> For those who can not upgrade, Jim Starkey developed a patch program
> that will correct the more serious problems in any version of
> InterBase on any platform. IBPhoenix chose to release the program
> without charge, given the nature of the problem and our relationship
> to the community.
>
> At the moment, name service is not set up to the machine that is
> hosting the patch, so you will have to use the IP number both for the
> initial contact and for the ftp download.
>
> To start, point your browser at
>
> http://firebird.ibphoenix.com/
>
>Apple
>
> The referenced database package is not packaged with Mac OS X or Mac
> OS X Server.
>
>Fujitsu
>
> Fujitsu's UXP/V operating system is not affected by this problem
> because we don't support the relevant database.
>
>References
>
> 1. VU#247371: Borland/Inprise Interbase SQL database server contains
> backdoor superuser account with known password CERT/CC,
> 01/10/2001, https://www.kb.cert.org/vuls/id/247371
> _________________________________________________________________
>
> Author: This document was written by Jeffrey S Havrilla. Feedback on
> this advisory is appreciated.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2001-01.html
> ______________________________________________________________________
>
>CERT/CC Contact Information
>
> Email: [EMAIL PROTECTED]
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> Monday through Friday; they are on call for emergencies during other
> hours, on U.S. holidays, and on weekends.
>
>Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
>
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
>Getting security information
>
> CERT publications and other security information are available from
> our web site
>
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to [EMAIL PROTECTED] Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2001 Carnegie Mellon University.
>
> Revision History
>January 10, 2001: Initial release
>
-- 
Gordon Garb [EMAIL PROTECTED]
Senior Manager - Developer Relations
http://developer.cobalt.com/
http://www.cobalt.com/solutions
Cobalt Networks -- the Sun Microsystems Server Appliance Business Unit
555 Ellis Street, Mountain View, CA 94043 USA
voice: +1 650 623-2534
fax: +1 650 623-2501
_______________________________________________
cobalt-developers mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-developers
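The advisory's interim mitigation (block 3050/tcp at the firewall) comes with two caveats that matter when triaging a Cobalt or other Interbase host: the server's listening port can be changed at startup, so a rule on 3050 alone proves nothing, and local users are unaffected by any perimeter rule. The script below is an added example, not code from the CERT advisory, from Cobalt, or from the Interbase/Firebird projects. It parses `netstat -tlnp`-style output and reports any listener on 3050/tcp (the gds_db port the advisory names), the Interbase server process listening on some other port, and whether each such listener is bound to a network-reachable address rather than loopback. The process names `ibserver`, `ibguard` and `gds_inet_server`, and the sample netstat lines, are assumptions constructed for this example; substitute the process names actually used by your build.

```python
"""Audit a host's listening sockets for Interbase/Firebird exposure.

Added example (not from CA-2001-01, Cobalt, or the Interbase/Firebird
projects). Reads `netstat -tlnp` output in the usual Linux layout and flags:
  * any listener on 3050/tcp, the gds_db port named in the advisory;
  * the Interbase server process on any other port, because the advisory
    notes the port can be changed at startup, so a firewall rule on 3050
    does not show the service is unreachable;
  * whether the listener is bound to a non-loopback address, i.e. reachable
    from the network and not only by local users.
Process names and the sample output are assumptions for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

GDS_DB_PORT = 3050  # from the advisory: 3050/tcp [gds_db]
# Assumed server process names; adjust to what your build installs.
INTERBASE_PROCS = {"ibserver", "ibguard", "gds_inet_server"}

# Matches lines such as:
# tcp   0   0 0.0.0.0:3050   0.0.0.0:*   LISTEN   1234/ibserver
NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+"
    r"(?P<pid>\d+|-)/?(?P<proc>\S*)"
)


@dataclass(frozen=True)
class Finding:
    addr: str
    port: int
    proc: str
    reason: str
    network_reachable: bool


def _is_loopback(addr: str) -> bool:
    return addr == "::1" or addr.startswith("127.")


def audit_listeners(netstat_output: str) -> list[Finding]:
    """Return one Finding per suspicious listener, in input order."""
    findings: list[Finding] = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue  # header lines, non-TCP sockets, non-LISTEN states
        addr, port, proc = m["addr"], int(m["port"]), m["proc"]
        if port == GDS_DB_PORT:
            reason = "listener on 3050/tcp (gds_db)"
        elif proc in INTERBASE_PROCS:
            reason = f"{proc} listening on non-default port {port}"
        else:
            continue
        findings.append(Finding(addr, port, proc, reason, not _is_loopback(addr)))
    return findings


# Constructed sample output for illustration; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:3050            0.0.0.0:*               LISTEN      1234/ibserver
tcp        0      0 127.0.0.1:3051          0.0.0.0:*               LISTEN      1240/ibserver
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      900/httpd
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_NETSTAT):
        scope = "NETWORK-REACHABLE" if f.network_reachable else "local only"
        print(f"{f.addr}:{f.port} {f.proc}: {f.reason} [{scope}]")
```

On a live host run `netstat -tlnp` as root (so process names are populated) and feed the output to `audit_listeners`; a finding marked local only still needs the vendor fix, since the advisory is explicit that local users can reach the back door regardless of firewalling.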