Info

Disclosure

Jul 28, 2009

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Jul 20, 2009

Description

Firebird contains a flaw that may allow a remote denial of service. The issue is triggered when op_connect_request handles a malformed packet, and will result in loss of availability for the port for the 2.x versions and the server for the 1.x versions.

Classification

Location: Remote / Network Access
Attack Type: Denial of Service
Impact: Loss of Availability
Solution: Patch / RCS
Exploit: Exploit Public
Disclosure: Vendor Verified, Vendor Verified, Coordinated Disclosure

Solution

Upgrade to version 2.5 Beta 2, 2.1.3,2.0.6 , 1.5.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Firebird	Firebird	2.5 Beta 1
		2.1.2
		2.0.5
		2.1.1
		2.5 Alpha 1
		2.0.4
		2.1.0
		1.5.5
		2.0.3
		2.0.2
		2.0.1
		1.5.4
		2.0.0

References

CVE ID: 2009-2620 (see also: NVD)
Bugtraq ID: 35842
Secunia Advisory ID: 36026 36544
Milw0rm: 9295
Exploit Database: 9295
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2009-07/0218.html
Vendor Specific News/Changelog Entry: http://tracker.firebirdsql.org/browse/CORE-2563
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01341.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01370.html
Other Advisory URL: http://www.coresecurity.com/content/firebird-sql-dos

Credit

Francisco Falcon -

Direct URL: http://osvdb.org/56606