COMMAND

    mSQL (Mini SQL) 2.0.6 and below

SYSTEMS AFFECTED

    UNIX (Not vendor specific)

PROBLEM

    The following is based on a KSR[T] Security Advisory.  Remote
    attackers could potentially gain read and/or write access to
    databases by retrieving authentication information that is
    displayed in the response to a remote statistics query.  mSQL is a
    database engine that supports a subset of the ANSI SQL query
    specifications.  If remote access is enabled (as of 2.0.4.1 remote
    access is disabled by default), a remote user can retrieve
    sensitive information.  By sending a ServerStats request, a remote
    attacker can view the following information about the msqld
    process:

    1. The connection table
    =======================
    This table is a 'finger'-like display of the users connected to
    the server, which databases they are accessing, what hosts they
    are accessing the server from, and other less critical pieces of
    information.  Since mSQL uses host-based and/or user-based
    authentication, this table reveals all of the components needed
    to access a particular database.  This is only true if a user is
    accessing a database at the time of the query.

    2. The server version
    =====================
    This allows  an attacker  to determine  if a  machine is running a
    vulnerable version of mSQL.

    3. The current and maximum number of connections
    ================================================
    These two pieces of information can be used to launch an efficient
    denial of service attack.

    4. The user name and user id of the msqld process
    =================================================
    These  two  pieces  of  information  provide information about the
    underlying operating system.

    If host-based access control is disabled, a remote attacker can
    use the user names listed in the connection table to access
    databases.  If host-based access control is enabled, a remote
    attacker could launch a more complex attack (like DNS cache
    poisoning) to access mSQL databases.

SOLUTION

    The latest version of mSQL (2.0.7), scheduled for release on
    February 15th, 1999, has disabled remote statistics gathering.
    By default, mSQL (all versions) does NOT have host-based access
    control enabled.  Note that when you start the msql2d process for
    the first time, you see a message saying:

        Warning : No ACL file.  Using global read/write access.

    The  "Warning:"  is  the  important  part.   Even  if  you use the
    provided msql.acl.sample  file as  your acl  file, the permissions
    are as follows:

        database=test
        read=bambi,-root
        write=root
        host=*
        access=local,remote
        option=rfc931

        database=minerva
        read=*
        write=minerva
        access=local

    This sets up some form of access restrictions on the databases
    'test' and 'minerva', but not on any databases YOU create.  Please
    make sure to edit this file and use host-based security.  Remote
    access is disabled by default going back to at least version
    2.0.4.1.
    There  are  new  "Remote_Access"  and  "Local_Access"  keywords in
    msql.conf, set by default to False and True, respectively, in  the
    included sample  file.   These keywords  take precedence  over the
    "access" keyword in msql.acl.