Bugtraq mailing list archives

Re: security holes, notification protocols, and a clarification


From: nneul () UMR EDU (Nathan Neulinger)
Date: Fri, 15 May 1998 12:54:22 -0500


On Thu, May 14, 1998 at 06:29:41PM +0000, Michael Tiemann wrote:
> I have been informed that this list exists to serve users who have
> become disenchanted with CERT and "the establishment," and hence the
> readership values _immediate_ disclosure of _all_ security-related
> problems, and I have no complaint about that, either.

I'd certainly agree with that. I haven't been on this list for long, but a
while back (months ago) I reported a very serious problem with Informix
database servers to CERT, and basically never heard squat back. Sure, they
said they were looking into it, but nothing ever got done.

The security hole is severe enough to basically null out any security
database/table permissions that you use.

The problem boiled down to - they are using BSD ruserok() type security
for their remote database access for other unix hosts, but they don't
bother to check the source port. So, if you enable another host (that you
rightly trust on a secure network) to connect to your database server,
you have unwittingly given ALL users on that host access to ALL users in
the database server. What's worse, within a couple of minutes, a user on
the remote machine can run a program (rinetd for example) that will allow
ANYONE from ANYWHERE to connect to the database as any user.

The problem definitely exists in the 5.x and 7.x series of servers, both
SE and Online. I am not sure about their newer workgroup or universal
servers.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul () umr edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216
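
The missing check described in the message above, as an added example that is not part of the original post and is not Informix code: a host-trust decision made with and without the source-port range test that classic BSD rshd applies before its ruserok() lookup. The function names, the 192.0.2.10 address and the host_user_trusted() stand-in for the hosts.equiv/.rhosts lookup are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#define RESERVED_MAX 1024 /* binding a port below this needs root on classic Unix */

/* Constructed stand-in for a hosts.equiv/.rhosts lookup such as ruserok(). */
static int host_user_trusted(const char *ip, const char *ruser, const char *luser)
{
    return strcmp(ip, "192.0.2.10") == 0 && strcmp(ruser, luser) == 0;
}

/* 'Before': believes the client-supplied user name from any source port. */
int authorize_weak(const struct sockaddr_in *peer, const char *ruser, const char *luser)
{
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &peer->sin_addr, ip, sizeof ip)) return 0;
    return host_user_trusted(ip, ruser, luser);
}

/* Hardened: same lookup, but only after the rshd-style port range test. */
int authorize_checked(const struct sockaddr_in *peer, const char *ruser, const char *luser)
{
    unsigned port = ntohs(peer->sin_port);
    if (port >= RESERVED_MAX || port < RESERVED_MAX / 2) return 0;
    return authorize_weak(peer, ruser, luser);
}

/* Build a constructed peer address for the demonstration. */
struct sockaddr_in make_peer(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

int main(void)
{
    struct sockaddr_in p = make_peer("192.0.2.10", 40000); /* unprivileged port */
    printf("weak=%d checked=%d\n", authorize_weak(&p, "dba", "dba"),
           authorize_checked(&p, "dba", "dba"));
    return 0;
}
```

The port test only shows that a root-owned process on the trusted host opened the connection, so it is no stronger than that host's root account and the network path between the two machines.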


