Vulnerability in Firebird database
Security service provider Core Security has announced the discovery of a vulnerability in the Firebird open source database. Attackers could exploit the vulnerability to inject arbitrary code onto the server.
The problem can occur if an overlong username is entered during remote log-on. The result can be a buffer overflow. In addition, attackers could exploit the flaw to take down the server in a denial-of-service attack by sending the server manipulated data.
All of this is the result of the flawed implementation of the XDR protocol (external data representation) used. Core Security says that the parser for the XDR protocol does not properly check some data, thereby allowing integer overflows to occur, which in turn may lead to buffer overflows.
The developers of Firebird have released version 2.1 RC 1, which remedies the flaw. The corrected version 2.0.4 is to be released in February, with version 1.5.6 being released later in the year. The vulnerability affects older versions of these development branches as well as Firebird 1.0.3 and earlier versions, for which the developers will not, however, be releasing an update. Administrators are advised to limit access to the Firebird database to trusted computers via a firewall and install the update when it becomes available.
See also:
- Firebird Remote Memory Corruption, Core Security's security advisory
- Change log for version 2.1 RC1 by the Firebird developers
(ehe)