Firebird on Gentoo Linux /etc/conf.d/firebird Invocation ISC_PASSWORD Authentication Bypass

This script is Copyright (C) 2008-2013 Tenable Network Security, Inc.


Synopsis :

The remote database server allows remote connections to its
administrative account without a password.

Description :

The version of Firebird on the remote host sets the 'ISC_PASSWORD'
environment variable before starting the database server and uses that
for remote client connections when a password is not supplied. An
attacker can leverage this issue to connect as 'SYSDBA' with an empty
password and gain access to any database on the affected host except
for 'security2.fdb', which holds the database user credentials.

See also :

http://bugs.gentoo.org/show_bug.cgi?id=216158
http://www.securityfocus.com/archive/1/491871/30/0/threaded

Solution :

If running under Gentoo, use emerge to upgrade to
dev-db/firebird-2.0.3.12981.0-r6 or later.

Otherwise, ensure that the environment variables 'ISC_USER' and
'ISC_PASSWORD' are not set when starting the service.
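
One way to verify the condition in the solution above, as an added example (not part of the Nessus plugin or of Firebird): a shell audit that checks the service configuration file and the environment of running server processes for 'ISC_USER' and 'ISC_PASSWORD'. The function names, the PROC_ROOT override and the process names in the usage comment (fbserver, fb_inet_server) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the plugin): audit for ISC_USER / ISC_PASSWORD being
# handed to the Firebird service. Values are never printed, only variable names.

ISC_RE='(ISC_USER|ISC_PASSWORD)'
PROC_ROOT=${PROC_ROOT:-/proc}   # overridable so the checks can be run on test data

# List uncommented lines in a shell-style config file that assign or export the
# variables. Status 0 = at least one hit (a finding), 1 = clean.
conf_sets_isc_vars() {
    hits=$(grep -nE "^[[:space:]]*(export[[:space:]]+)?${ISC_RE}(=|[[:space:]]|\$)" "$1" |
           sed 's/=.*$/=<redacted>/')
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# List the variable names present in a NUL-separated environ file
# (/proc/<pid>/environ format). Status 0 = present, 1 = absent.
env_has_isc_vars() {
    names=$(tr '\000' '\n' < "$1" | grep -E "^${ISC_RE}=" | cut -d= -f1)
    [ -n "$names" ] && printf '%s\n' "$names"
}

# $1 = service config file, remaining args = PIDs of running Firebird processes.
# Returns 0 when nothing is found, 1 when any check reports a finding.
audit_firebird() {
    conf=$1; shift; rc=0
    if [ -r "$conf" ] && conf_sets_isc_vars "$conf"; then
        echo "FINDING: $conf sets ISC_* credentials for the service"; rc=1
    fi
    for pid in "$@"; do
        env_file="$PROC_ROOT/$pid/environ"
        if [ -r "$env_file" ] && env_has_isc_vars "$env_file"; then
            echo "FINDING: pid $pid has ISC_* credentials in its environment"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh audit.sh /etc/conf.d/firebird $(pgrep -f 'fbserver|fb_inet_server')
if [ "$#" -gt 0 ]; then
    audit_firebird "$@"
fi
```

Reading another user's /proc/<pid>/environ normally requires root, and the file shows the environment the process was started with, so re-run the audit after restarting the service.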

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.2
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 32316 (firebird_isc_password_set.nasl)

Bugtraq ID: 29123

CVE ID: CVE-2008-1880