This script is Copyright (C) 2008-2013 Tenable Network Security, Inc.
The remote database server allows remote connections to its
administrative account without a password.
The version of Firebird on the remote host sets the 'ISC_PASSWORD'
environment variable before starting the database server and uses that
for remote client connections when a password is not supplied. An
attacker can leverage this issue to connect as 'SYSDBA' with an empty
password and gain access to any database on the affected host except
for 'security2.fdb', which holds the database user credentials.
See also :
If running under Gentoo, use emerge to upgrade to
dev-db/firebird-188.8.131.5281.0-r6 or later.
Otherwise, ensure that the environment variables 'ISC_USER' and
'ISC_PASSWORD' are not set when starting the service.
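A check for the second remediation above, as an added example (not part of the Nessus plugin or of Firebird): it reads a process environment in Linux /proc/<pid>/environ format and reports whether 'ISC_USER' or 'ISC_PASSWORD' is set, printing names only, never values. The process names given to pgrep and the sample environment block are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a server process environment for ISC_USER / ISC_PASSWORD.

# isc_vars_in_environ FILE
# FILE is a NUL-separated environment block (/proc/<pid>/environ format).
# Prints the names of the ISC_* credentials variables that are set.
# Returns 0 if at least one is set, 1 if none is set, 2 if FILE is unreadable.
isc_vars_in_environ() {
    [ -r "$1" ] || return 2
    found=$(tr '\000' '\n' < "$1" |
        sed -n -e 's/^\(ISC_USER\)=.*/\1/p' -e 's/^\(ISC_PASSWORD\)=.*/\1/p')
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# audit_firebird_procs
# Checks every running process whose name matches the list below.
# The binary names are an assumption; adjust them to the local install.
# Returns 1 if any matching process has one of the variables set.
audit_firebird_procs() {
    overall=0
    for pid in $(pgrep -x 'fbserver|fb_inet_server|fb_smp_server|fbguard'); do
        vars=$(isc_vars_in_environ "/proc/$pid/environ") && rc=0 || rc=$?
        case $rc in
            0) echo "PID $pid: set in server environment:" $vars; overall=1 ;;
            2) echo "PID $pid: cannot read environ (run as root)" >&2 ;;
        esac
    done
    return $overall
}

case "${1:-}" in
    --audit)
        audit_firebird_procs ;;
    *)
        # Demo on a constructed environment block, not taken from a real host.
        sample=$(mktemp)
        printf 'PATH=/usr/bin\0ISC_USER=SYSDBA\0ISC_PASSWORD=example\0' > "$sample"
        isc_vars_in_environ "$sample"
        rm -f "$sample" ;;
esac
```

Run with `--audit` as root on the database host; a non-zero exit status means a running server process still carries one of the variables.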
Risk factor :
High / CVSS Base Score : 7.5
CVSS Temporal Score : 6.2
Public Exploit Available : true
Nessus Plugin ID: 32316 (firebird_isc_password_set.nasl)
Bugtraq ID: 29123
CVE ID: CVE-2008-1880