Firebird on Gentoo Linux /etc/conf.d/firebird Invocation ISC_PASSWORD Authentication Bypass

High severity, Nessus Plugin ID 32316

Synopsis

The remote database server allows remote connections to its administrative account without a password.

Description

The version of Firebird on the remote host sets the 'ISC_PASSWORD' environment variable before starting the database server, and the server uses that value for remote client connections that do not supply a password. An attacker can leverage this issue to connect as 'SYSDBA' with an empty password and gain access to any database on the affected host except for 'security2.fdb', which holds the database user credentials.

Solution

If running under Gentoo, use emerge to upgrade to dev-db/firebird-2.0.3.12981.0-r6 or later.

Otherwise, ensure that the environment variables 'ISC_USER' and 'ISC_PASSWORD' are not set when starting the service.
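One way to verify the second remediation on a host, as an added example that is not part of the Nessus plugin or the Firebird project: it looks for active ISC_USER / ISC_PASSWORD assignments in a conf.d-style file and in a NUL-separated environment dump (the format of /proc/<pid>/environ on Linux). The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find ISC_USER / ISC_PASSWORD in a service config file and in
# a process environment dump. All sample data below is constructed.

# Active (uncommented) assignments in a shell-style file such as
# /etc/conf.d/firebird. Values are masked so output never leaks a credential.
isc_vars_in_conf() {
    sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?(ISC_(USER|PASSWORD))=.*/\2=<redacted>/p' "$1"
}

# Same check against a NUL-separated environment dump.
isc_vars_in_environ() {
    tr '\0' '\n' < "$1" |
        sed -n -E 's/^(ISC_(USER|PASSWORD))=.*/\1=<redacted>/p'
}

# Returns 0 when neither source exposes the variables, 1 otherwise.
audit_firebird_env() {
    findings=$( { isc_vars_in_conf "$1"; isc_vars_in_environ "$2"; } | sort -u )
    [ -z "$findings" ] && return 0
    printf 'credential variables present:\n%s\n' "$findings" >&2
    return 1
}

# Constructed sample inputs (not taken from a real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/bad.conf" <<'EOF'
# constructed sample of an affected file
SOME_OPTION=value
ISC_USER=SYSDBA
export ISC_PASSWORD=constructed-secret
EOF
cat > "$demo_dir/good.conf" <<'EOF'
# constructed sample with the variable commented out
SOME_OPTION=value
# ISC_PASSWORD=constructed-secret
EOF
printf 'PATH=/usr/bin\0ISC_PASSWORD=constructed-secret\0' > "$demo_dir/bad.environ"
printf 'PATH=/usr/bin\0SOME_OPTION=value\0' > "$demo_dir/good.environ"

audit_firebird_env "$demo_dir/bad.conf" "$demo_dir/bad.environ" || echo "bad sample: FAIL"
audit_firebird_env "$demo_dir/good.conf" "$demo_dir/good.environ" && echo "good sample: OK"
```

On a live system the second argument would be the environ file of the running server process, which requires read access to that process.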

See Also

https://bugs.gentoo.org/show_bug.cgi?id=216158

https://www.securityfocus.com/archive/1/491871/30/0/threaded

Plugin Details

Severity: High

ID: 32316

File Name: firebird_isc_password_set.nasl

Version: 1.13

Type: remote

Family: Databases

Published: 5/14/2008

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:firebirdsql:firebird

Exploit Ease: No known exploits are available

Reference Information

CVE: CVE-2008-1880

BID: 29123

CWE: 255

GLSA: 200805-06

SECUNIA: 30162