Firebird
cpe:2.3:a:firebird:firebird:*:*:*:*:*:*:*
- >= 3.0.0, < 3.0.14
- >= 4.0.0, < 4.0.7
- >= 5.0.0, < 5.0.4
A denial-of-service vulnerability has been identified in Firebird Server, an open-source relational database management system. This issue affects versions prior to 5.0.4, 4.0.7, and 3.0.14. The vulnerability arises during the authentication process when the server processes 'CNCT_specific_data' segments. The server expects these segments to arrive in a strict ascending order. If they arrive out of order, the 'Array' class's 'grow()' method calculates a negative size, leading to a segmentation fault (SIGSEGV) and crashing the server. An unauthenticated attacker who knows the server's IP and port can exploit this vulnerability to disrupt the service.
Exploitation of this vulnerability causes the Firebird server to crash, leading to a denial-of-service condition.
The vulnerability can be reproduced by sending 'CNCT_specific_data' segments out of order during the authentication process. For example, sending a segment numbered 253 (0xFD) followed by a segment numbered 0 (or any number less than 253) will trigger the vulnerability. The first segment will cause the server to allocate memory for all preceding segments, and the second segment will create a negative offset, causing a segmentation fault and crashing the server.
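A defensive check for the ordering condition described above, as an added example that is not Firebird's code and not part of the advisory. It assumes the user-identification block is a sequence of tag/length/value items, that CNCT_specific_data is tag 7, and that the first value byte of such an item is the segment number; the function names and sample buffers are constructed for illustration.

```python
# Assumption: CNCT_specific_data is tag 7 in the user-identification block.
CNCT_SPECIFIC_DATA = 7


def specific_data_segments(block: bytes) -> list[int]:
    """Return the segment numbers of every CNCT_specific_data item, in wire order.
    Assumed layout: repeated (tag: 1 byte, length: 1 byte, value: length bytes);
    for tag 7 the first value byte is the segment number.
    """
    segments = []
    pos = 0
    while pos < len(block):
        if pos + 2 > len(block):
            raise ValueError("truncated item header")
        tag, length = block[pos], block[pos + 1]
        value = block[pos + 2 : pos + 2 + length]
        if len(value) != length:
            raise ValueError("item length runs past end of block")
        if tag == CNCT_SPECIFIC_DATA and length >= 1:
            segments.append(value[0])
        pos += 2 + length
    return segments


def check_segment_order(block: bytes) -> tuple[bool, str]:
    """Return (ok, reason); ok is False when segments are not strictly ascending."""
    try:
        segments = specific_data_segments(block)
    except ValueError as exc:
        return False, f"malformed block: {exc}"
    for prev, cur in zip(segments, segments[1:]):
        if cur <= prev:
            return False, f"segment {cur} follows segment {prev}"
    return True, "segments in ascending order"


def item(tag: int, value: bytes) -> bytes:
    """Build one tag/length/value item for the constructed samples below."""
    return bytes([tag, len(value)]) + value


# Constructed samples: tag 9 stands in for an unrelated item.
IN_ORDER = item(9, b"SYSDBA") + item(7, b"\x00aaaa") + item(7, b"\x01bbbb")
OUT_OF_ORDER = item(9, b"SYSDBA") + item(7, b"\xfdaaaa") + item(7, b"\x00bbbb")

if __name__ == "__main__":
    for name, sample in (("in order", IN_ORDER), ("out of order", OUT_OF_ORDER)):
        print(name, check_segment_order(sample))
```

A check like this belongs in a protocol-aware proxy or a capture-analysis script in front of servers that cannot be upgraded yet; it also rejects duplicate segment numbers and items whose length field runs past the block.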
Users can upgrade to Firebird versions 5.0.4, 4.0.7, or 3.0.14 to address this vulnerability.