Firebird Database Cryptographic Callback Vulnerability Leading to Segmentation Fault and Unauthorized Access to Encrypted Data

Vulnerability

A vulnerability exists in Firebird database versions 4.0.0 prior to 4.0.6.3183, 5.0.0 through 5.0.2.1610, and 6.0.0 prior to 6.0.0.609. The issue arises when the external connection pool size is not set to zero: connections are then stored in the pool without proper verification of the cryptographic callback interface. This can lead to a segmentation fault in the server process, especially when encrypted databases are accessed via chained EXECUTE STATEMENT calls. Additionally, encrypted databases may be accessed by an attachment lacking the necessary decryption key, and the segmentation fault can also affect unencrypted databases.

Impact

Exploitation of this vulnerability can cause a segmentation fault in the Firebird server process, disrupting service. It can also lead to unauthorized access to encrypted databases via EXECUTE STATEMENT ... ON EXTERNAL, potentially allowing sensitive data to be read without the proper decryption keys.

Reproduction

The vulnerability can be reproduced by setting the ExtConnPoolSize parameter in firebird.conf to a value greater than zero, which enables the external connection pool. Once this is configured, establish a connection that uses a cryptographic callback interface. Then execute a series of statements that chain EXECUTE STATEMENT ... ON EXTERNAL calls, which triggers the callback. This process can be automated with a script or a database tool that supports executing external statements, such as ISQL. The combination of these steps results in a segmentation fault when the callback interface is destroyed, demonstrating the vulnerability.

Remediation

To address this vulnerability, users can update to Firebird versions 4.0.6.3183, 5.0.2.1610, or 6.0.0.609. If an immediate update is not possible, the ExtConnPoolSize parameter can be set to 0 in firebird.conf, which is the default value and mitigates the vulnerability.
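
One way to confirm the ExtConnPoolSize mitigation on a host, as an added example that is not part of the advisory or the Firebird project. The function name audit_ext_conn_pool is hypothetical; the check assumes included config files are not followed, matches the key case-insensitively, and treats any active value that is not exactly 0 (including unparsable ones) as not mitigated.

```python
import re

# Matches an active (uncommented) "ExtConnPoolSize = value" line; a trailing
# "# comment" is ignored. Case-insensitive key matching is an assumption made
# here to err on the side of flagging.
_SETTING = re.compile(r"^\s*ExtConnPoolSize\s*=\s*([^#\r\n]*)", re.IGNORECASE)


def audit_ext_conn_pool(conf_text):
    """Return (mitigated, findings) for the text of a firebird.conf file.

    findings lists (line_number, raw_value) for every active setting that
    enables the external connection pool. With no active setting the
    default of 0 applies and the pool is off.
    """
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = _SETTING.match(line)
        if not m:
            continue  # comments, blank lines and other parameters
        raw = m.group(1).strip()
        try:
            pooled = int(raw) != 0
        except ValueError:
            pooled = True  # unparsable value: treat as not mitigated
        if pooled:
            findings.append((lineno, raw))
    return (not findings, findings)


# Constructed sample configurations (not taken from a real server).
SAMPLE_DEFAULT = """\
# ExtConnPoolSize = 0
#ExtConnPoolLifeTime = 7200
WireCrypt = Required
"""

SAMPLE_POOLED = """\
WireCrypt = Required
ExtConnPoolSize = 50   # enable pooling
ExtConnPoolLifeTime = 3600
"""

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("pooled", SAMPLE_POOLED)):
        ok, hits = audit_ext_conn_pool(text)
        print(name, "mitigated" if ok else f"pool enabled at {hits}")
```

To audit a real server, pass the contents of its firebird.conf to audit_ext_conn_pool and restart the server after changing the value so the setting takes effect.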

Added: Aug 15, 2025, 3:25 PM
Updated: Aug 15, 2025, 3:25 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 5.5
remediation: 8.3
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.