Subject | Re: [ib-support] IB Security Back Door and Preventing Network Access |
---|---|
Author | Jason Wharton |
Post date | 2001-01-16T21:22:11Z |
Rob,

> I had a couple of questions about the recently announced security problem
> in IB (I posted this a few days ago on the ib@mers list-but got no
> response, so I thought I'd try here):

Hey, at least you can post there, unlike myself... Darth Scheick has branded
me "rebel scum". <g>

> First, under earlier versions of IB, it was necessary to use a license key
> to determine what level of access was purchased and, thus, available. I
> believe one option was "local access only" (i.e., no outside
> connectivity).
> Would obtaining and using that type of license prevent the exploitation of
> the documented back door? I realize this would be a problem for databases
> that needed to be networked to other clients, but might it work for
> stand-alone applications that reside on the same system (NT based) as the
> database server??

It was possible to prevent connections on your server from a remote client
based on the license keys from pre-v6 databases. Although I think it was
enforced at the client, which made that a risky proposition. With InterBase
v6 the licensing stuff was removed from the sources that were made open. So,
right now I don't think it wise to look to this avenue for a solution.

> Second, is it possible to restrict access to the Firebird or IB 6 databases
> in a similar manner (i.e., only allow clients to connect locally to the
> database from the same machine-no TCP or other network connections)??

Not sure about this. You would probably need to do a custom build from the
sources yourself.

As for which patch you should apply, I myself would be most comfortable with
the one Firebird has put together because it should impact the EXE much
less. It simply changes the fixed known backdoor password bytes to something
random. This makes your server more secure than another denominating factor.
For example, everyone already knows that there is a SYSDBA account and so
getting the password for it by brute force is faster than trying to figure
out both an unknown password and an unknown username. Plus, this is the
access one would want if they wanted to cause the most havoc.

As for the Borland patch, I am assuming that they had to make fairly
significant changes in the logic of the program to do what they have stated,
which for all we know could have opened up other insecurities or created
some undesirable result. We would apply the Firebird fix except that this
would void our maintenance agreement with them and we don't want that to
happen. For now our firewall and patience is our path of action.

FWIW,
Jason Wharton
CPS - Mesa AZ
http://www.ibobjects.com
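The kind of fix Jason describes for the Firebird patch, "changes the fixed known backdoor password bytes to something random", is a same-length binary patch of a hardcoded credential. Below is an added illustration of that technique and of the checks one would run before deploying such a patched executable. It is not the Firebird project's patch and not code from this thread; the byte sequence `FIXED_BACKDOOR_BYTES` and the surrounding filler are constructed placeholders, not the real InterBase values.

```python
"""Illustrative same-length binary patch of a hardcoded credential.

Added example, not the Firebird project's patch.  KNOWN and IMAGE below are
constructed stand-ins; they are not the real InterBase backdoor bytes.
"""
import secrets
from typing import Tuple


def patch_fixed_bytes(image: bytes, known: bytes) -> Tuple[bytes, bytes]:
    """Return (patched_image, replacement).

    The known sequence must occur exactly once.  Zero hits means this is
    not the build we expected; more than one hit means we cannot tell which
    copy is the credential, and patching all of them blindly could corrupt
    unrelated code or data.  Refuse rather than guess.
    """
    if not known:
        raise ValueError("known sequence must be non-empty")
    first = image.find(known)
    if first < 0:
        raise ValueError("known byte sequence not found; wrong build?")
    if image.find(known, first + 1) >= 0:
        raise ValueError("known byte sequence occurs more than once; refusing to patch")

    # Same-length replacement keeps every other offset in the file intact,
    # which is why this touches the EXE far less than a logic change would.
    replacement = secrets.token_bytes(len(known))
    while replacement == known:  # astronomically unlikely, but be exact
        replacement = secrets.token_bytes(len(known))

    patched = image[:first] + replacement + image[first + len(known):]
    return patched, replacement


def verify_patch(original: bytes, patched: bytes, known: bytes) -> bool:
    """Pre-deployment check: same size, old bytes gone, and every byte
    outside the patched span identical to the original."""
    if len(original) != len(patched):
        return False
    if known in patched:
        return False
    off = original.find(known)
    if off < 0:
        return False
    end = off + len(known)
    return patched[:off] == original[:off] and patched[end:] == original[end:]


# Constructed stand-in for a server executable: deterministic filler around
# a placeholder credential marker.  Not real InterBase bytes.
KNOWN = b"FIXED_BACKDOOR_BYTES"
FILLER = bytes(range(256)) * 2
IMAGE = FILLER + KNOWN + FILLER


if __name__ == "__main__":
    patched, new_bytes = patch_fixed_bytes(IMAGE, KNOWN)
    print("patched ok:", verify_patch(IMAGE, patched, KNOWN))
    print("replacement:", new_bytes.hex())
```

Two caveats worth keeping in mind. First, this only removes the *known* value: the code path that compares against those bytes is still in the binary, so anyone who can read the patched executable can recover the new value; keep file permissions on the server binary tight. Second, `verify_patch` proves the old bytes are gone and nothing else moved, not that the server still starts; run it alongside a functional test of the patched build.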