[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [cobalt-developers] Interbase Warning

Subject: RE: [cobalt-developers] Interbase Warning
From: "Kal Amry" <kamry1888@xxxxxxxxx>
Date: Fri Jan 26 19:44:01 2001
List-id: Discussion Forum for developers on Cobalt Networks products <cobalt-developers.list.cobalt.com>
I don't think it's out, yet Borland released a batch for every single
platform other than Cobalt 'cause I guess not much people are using IB on
the Cobalt. The same applies to the APOP current problem. I think they need
to start improving the response time for such issues 'cause new technologies
are introduced every day and as a Cobalt owner/developer there should be a
quick turn over for these technologies to be added for us to use. From this
point of view, I guess the Cobalt is doing great since the Raq 4 has PHP,
ASP, and variety of choices that can be activated in an easy way. I won't
even be surprised if the next Cobalt had a ready to use JVM for Servlets,
Beans, and others. The weakness I guess in my thinking is found in how to
provide continuous updates and stuff like that in a timely manner for the
Cobalt Community. I'm not attacking Cobalt or have anything against them,
and we like the product and use it, however if we can't keep the machine up
up-to-date within a reasonable timeframe then what's the idea of using the
product as opposed to using a Linux Machine. Information regarding
installing, updating the Linux is spread every where but for the Cobalt we
depend on Cobalt Staff so our business depends on how fast the Support Team
can provide us with instructions of doing an update, install, etc...

I don't have much experience with the rpm and pkg files, yet I know that the
Cobalt supports rpm thus if a pkg file takes time, then why not posting an
rpm that would install to the right directories. This way at least you give
an option for us to look up information on rpms and do the install without
any problems...


Kal

-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of Peter Ball
Sent: Friday, January 26, 2001 6:36 PM
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-developers] Interbase Warning


Hi Tim, or anyone from Cobalt,

Any idea when the bug fix for this will be released by Cobalt? Or has it
been released and I missed it?



-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of Jon
Rosenberg
Sent: Thursday, 11 January 2001 8:33 AM
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: [cobalt-developers] Interbase Warning


For those of you using Interbase:

CERT Advisory CA-2001-01 Interbase Server Contains Compiled-in Back Door
Account

   Original release date: January 10, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Borland/Inprise Interbase 4.x and 5.x
     * Open source Interbase 6.0 and 6.01
     * Open source Firebird 0.9-3 and earlier

Overview

   Interbase is an open source database package that had previously been
   distributed in a closed source fashion by Borland/Inprise. Both the
   open and closed source verisions of the Interbase server contain a
   compiled-in back door account with a known password.

I. Description

   Interbase is an open source database package that is distributed by
   Borland/Inprise at http://www.borland.com/interbase/ and on
   SourceForge. The Firebird Project, an alternate Interbase package, is
   also distributed on SourceForge. The Interbase server for both
   distributions contains a compiled-in back door account with a fixed,
   easily located plaintext password. The password and account are
   contained in source code and binaries previously made available at the
   following sites:

          http://www.borland.com/interbase/
          http://sourceforge.net/projects/interbase
          http://sourceforge.net/projects/firebird
          http://firebird.sourceforge.net
          http://www.ibphoenix.com
          http://www.interbase2000.com

   This back door allows any local user or remote user able to access
   port 3050/tcp [gds_db] to manipulate any database object on the
   system. This includes the ability to install trapdoors or other trojan
   horse software in the form of stored procedures. In addition, if the
   database software is running with root privileges, then any file on
   the server's file system can be overwritten, possibly leading to
   execution of arbitrary commands as root.

   This vulnerability was not introduced by unauthorized modifications to
   the original vendor's source. It was introduced by maintainers of the
   code within Borland. The back door account password cannot be changed
   using normal operational commands, nor can the account be deleted from
   existing vulnerable servers [see References].

   This vulnerability has been assigned the identifier CAN-2001-0008 by
   the Common Vulnerabilities and Exposures (CVE) group:

          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0008

   The CERT/CC has not received reports of this back door being exploited
   at the current time. We do recommend, however, that all affected sites
   and redistributors of Interbase products or services follow the
   recommendations suggested in Section III, as soon as possible due to
   the seriousness of this issue.

II. Impact

   Any local user or remote user able to access port 3050/tcp [gds_db]
   can manipulate any database object on the system. This includes the
   ability to install trapdoors or other trojan horse software in the
   form of stored procedures. In addition, if the database software is
   running with root privileges, then any file on the server's file
   system can be overwritten, possibly leading to execution of arbitrary
   commands as root.

III. Solution

Apply a vendor-supplied patch

   Both Borland and The Firebird Project on SourceForge have published
   fixes for this problem. Appendix A contains information provided by
   vendors supplying these fixes. We will update the appendix as we
   receive more information. If you do not see your vendor's name, the
   CERT/CC did not hear from that vendor. Please contact your vendor
   directly.

   Users who are more comfortable making their own changes in source code
   may find the new code available on SourceForge useful as well:

          http://sourceforge.net/projects/interbase
          http://sourceforge.net/projects/firebird

Block access to port 3050/tcp

   This will not, however, prevent local users or users within a
   firewall's adminstrative boundary from accessing the back door
   account. In addition, the port the Interbase server listens on may be
   changed dynamically at startup.

Appendix A. Vendor Information

Borland

   Please see:

          http://www.borland.com/interbase/

IBPhoenix

   The Firebird project uncovered serious security problems with
   InterBase. The problems are fixed in Firebird build 0.9.4 for all
   platforms. If you are running either InterBase V6 or Firebird 0.9.3,
   you should upgrade to Firebird 0.9.4.

   These security holes affect all version of InterBase shipped since
   1994, on all platforms.

   For those who can not upgrade, Jim Starkey developed a patch program
   that will correct the more serious problems in any version of
   InterBase on any platform. IBPhoenix chose to release the program
   without charge, given the nature of the problem and our relationship
   to the community.

   At the moment, name service is not set up to the machine that is
   hosting the patch, so you will have to use the IP number both for the
   initial contact and for the ftp download.

   To start, point your browser at

          http://firebird.ibphoenix.com/

Apple

   The referenced database package is not packaged with Mac OS X or Mac
   OS X Server.

Fujitsu

   Fujitsu's UXP/V operating system is not affected by this problem
   because we don't support the relevant database.

References

    1. VU#247371: Borland/Inprise Interbase SQL database server contains
       backdoor superuser account with known password CERT/CC,
       01/10/2001, https://www.kb.cert.org/vuls/id/247371
     _________________________________________________________________

   Author: This document was written by Jeffrey S Havrilla. Feedback on
   this advisory is appreciated.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2001-01.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@xxxxxxxx
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site

   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@xxxxxxxxx Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History
January 10, 2001:  Initial release



_______________________________________________
cobalt-developers mailing list
cobalt-developers@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-developers

_______________________________________________
cobalt-developers mailing list
cobalt-developers@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-developers


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
Follow-Ups:
- RE: [cobalt-developers] Interbase Warning
  - From: Gordon Garb
References:
- RE: [cobalt-developers] Interbase Warning
  - From: Peter Ball
Prev by Date: RE: [cobalt-developers] RAMEN worm
Next by Date: RE: [cobalt-developers] Sub Domains
Previous by thread: RE: [cobalt-developers] Interbase Warning
Next by thread: RE: [cobalt-developers] Interbase Warning
Sun Cobalt Developers Message Index

Sun Cobalt Developers Thread Index