Firebird XNET denial of service

firebird-xnet-dos (36353) The risk level is classified as LowLow Risk

Description:

Firebird is vulnerable to a denial of service, caused by an error when registering events in parallel with an XNET client. A local attacker on the adjacent network could exploit this vulnerability to cause the server to crash.

Platforms Affected:

  • FirebirdSQL, Firebird 1.0
  • FirebirdSQL, Firebird 1.0.2
  • FirebirdSQL, Firebird 1.5
  • FirebirdSQL, Firebird 1.5.0.4306
  • FirebirdSQL, Firebird 1.5.1
  • FirebirdSQL, Firebird 1.5.2
  • FirebirdSQL, Firebird 1.5.2.4731
  • FirebirdSQL, Firebird 1.5.3.4870
  • FirebirdSQL, Firebird 2.0.0
  • FirebirdSQL, Firebird 2.0.1

Remedy:

Upgrade to the latest version of Firebird (2.0.2 or later), available from the SourceForge.net : Files Web site. See References.

Consequences:

Denial of Service

References:

  • Firebird Bug Tracker CORE-1403, Server crashes if a few events are being registered simultaneously by the client connected via XNET at http://tracker.firebirdsql.org/browse/CORE-1403.
  • SourceForge.net: Files, Firebird - File Release Notes and Changelog - Release Name: 2.0.2-Release at http://sourceforge.net/project/shownotes.php?release_id=535898.
  • BID-25497: Firebird Multiple Vulnerabilities
  • CVE-2007-4665: Unspecified vulnerability in the server in Firebird before 2.0.2 allows remote attackers to cause a denial of service (daemon crash) via an XNET session that makes multiple simultaneous requests to register events, aka CORE-1403.
  • DSA-1529: firebird -- multiple vulnerabilities
  • FrSIRT/ADV-2007-3021: Firebird Multiple Buffer Overflow and Remote Denial of Service Vulnerabilities
  • SA26615: Firebird Multiple Vulnerabilities
  • SA29501: Debian firebird2 Multiple Vulnerabilities

Reported:

Aug 03, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page