Security hole found in Borland database

[InfoSec News <isn () C4I ORG>]

http://news.cnet.com/news/0-1003-200-4450732.html?tag=st.ne.1002.bgif.ni

By Stephen Shankland
Staff Writer, CNET News.com
January 11, 2001, 3:50 p.m. PT

Borland's InterBase database software contains a "back door" that
allows anyone with the appropriate password to wreak major havoc with
the database and the computer it's running on, security experts said.

A back door is an undocumented way to get access to a computer system,
typically using a secret password. In this case, the back door lets an
attacker change the information stored in an InterBase database and
insert programs that could enable even more damaging actions,
according to an advisory posted Wednesday by the Computer Emergency
Response Team.

The username and password--"politically" and "correct,"
respectively--are written into the program, easy to find, and can't be
removed by changing settings, CERT said.

"It's definitely very severe," said SecurityFocus.com analyst Ben
Greenbaum. "Anyone running one of these servers and not reading
security resources will remain wide open" to attack, he said.

Borland acknowledged the back door and has begun releasing patches.
The company has notified customers and sales partners and will begin
shipping repaired versions this week, said Jon Arthur, director of the
InterBase project for Borland. The problem exists in versions 4, 5 and
6 of InterBase.

InterBase, which runs on Windows, Linux and a variety of Unix
versions, is used by Motorola, Nokia, Boeing and the Boston Stock
Exchange, Arthur confirmed. In addition, Cobalt Networks, now part of
Sun Microsystems, ships InterBase on its special-purpose servers.

Back-door vulnerabilities are a serious problem because of how open
they leave a computer to attack. Internet Security Systems, a security
software and consulting company, has recorded four back-door
vulnerabilities in recent months, said analyst Chris Rouland.

The back-door feature was an innocent addition to the code in 1994
that enabled one part of the database software to communicate with
another password-protected part, said Jim Starkey, who launched
InterBase but left in 1991 before the back door was added to the
software. Starkey, though not a Borland employee, still works with
InterBase, as does his wife, Ann Harrison, who runs an InterBase
support company called IBPhoenix.

Borland released the InterBase program as open-source software in
July, meaning that anyone may scrutinize the software, modify it and
redistribute it. In fact, two such projects exist: the open-source
InterBase and Firebird. Both the open-source versions are vulnerable
to the back door, CERT said.

Programmer Frank Schlottman-Godde from the open-source Firebird
project discovered the vulnerability Dec. 18, said Starkey and
IBPhoenix, which develops and supports the Firebird version.

"Firebird administrators exchanged panic emails across the globe for
some hours," said programmer site InterBase Developer Initiative. The
project stopped the planned release of Firebird and fixed its own
software.

The problem illustrates the double-edged sword of open-source software
regarding security. On the good side is the fact that so many more
programmers can scrutinize the software and find such
problems--exactly what happened with InterBase. Many open-source
advocates list this openness as a major advantage over closed,
proprietary software such as the kind Microsoft distributes. Who knows
what nefarious code lies within the millions of lines of Windows
programming code, they ask.

On the other hand, it can be easier for a malicious programmer to find
vulnerabilities. This particular back door has existed since 1994, and
nothing was preventing a malicious programmer from finding it in the
last six months.

Another advantage to open-source software is that people, if skilled
enough, can fix problems themselves instead of waiting for a company
to release a software patch. But that can be a problem. Borland
cautions that applying patches that don't come from Borland voids the
company's warranty.

Though speedy repair is a benefit of the open-source world, lack of
formal support can be a problem, Rouland said. For example, it often
requires a lot of programming expertise to apply a patch.

"Open source advances the technology quickly and gets patches out
quickly, but you have to have gurus on staff," Rouland said.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".