
Securing Firebird 2.5 Against External Access

Submitted by Leroy on

Securing Firebird

RPM Remote Print Manager® (RPM) uses Firebird as its local configuration and job database. By default, Firebird listens on all network interfaces, which means port 3050 is reachable from other machines on your network. For most print environments this poses no practical risk, but customers in regulated or security-sensitive environments may choose to restrict Firebird to the loopback address so that it accepts connections only from the local machine.

This page explains a recent vulnerability, what RPM ships, and how to lock down Firebird in two steps, followed by an optional verification step and a note on the Windows Firewall rule.

About CVE-2025-54989

CVE-2025-54989 is a NULL pointer dereference in Firebird's wire protocol. An unauthenticated attacker who can reach port 3050 over the network can send a specially crafted packet that crashes the Firebird service. This is a denial of service vulnerability only: there is no data exposure, no remote code execution, and no privilege escalation. A crashed Firebird service stays down until it is restarted, either manually or by a Windows service recovery action if one has been configured, so the practical impact is an outage of RPM's database until the service is back up.

How RPM's architecture limits exposure: Before addressing the patch and configuration steps, it helps to understand where Firebird sits in RPM's architecture — because the practical risk in a typical RPM deployment is narrower than a scanner finding alone might suggest.

The remote print client — the software running on workstations that submit jobs to RPM — communicates exclusively with the RPM service. It never connects to Firebird directly. Firebird is an internal component; the only process that accesses it is RPM itself, running on the same machine.

Additionally, all SQL operations within RPM are composed from parameters that RPM controls internally. There is no path by which user-supplied input reaches the SQL layer, which eliminates SQL injection as an attack vector entirely.

This means that even without the configuration change described below, exploiting CVE-2025-54989 requires an unauthenticated attacker to reach port 3050 over the network, and the only result is a crash of the Firebird service with no data exposure. Binding Firebird to the loopback address, as described below, eliminates that remaining exposure entirely.

What RPM ships: RPM bundles the Firebird 2.5.9 build released by IBPhoenix that backports the CVE-2025-54989 fix. This is a drop-in replacement for stock Firebird 2.5.9 with the single security patch applied and no other changes. If you installed or updated RPM after August 2025, you have this build. If you are running an earlier version, you should upgrade as soon as possible.

Upgrade Firebird: First stop the RPM service, close the user interface, and ensure there are no active connections to any Firebird databases. Then stop the Firebird service using either Services.msc or by running net stop FirebirdServerDefaultInstance from an elevated command prompt.

Once the service has stopped, run the latest Firebird installation program located in the RPM installation folder. Accept the default options and proceed with the upgrade.

At the final step of the installation, you may choose to start the Firebird service. After the installation completes, restart the RPM service and reopen the user interface.

At this point, Firebird will be running the patched 2.5.9 build described above, which carries the fix for CVE-2025-54989.

Best practice regardless of patch status: Restricting Firebird to the loopback address eliminates network exposure entirely and is the recommended configuration for any security-sensitive deployment.

Step 1 — Edit firebird.conf

firebird.conf is the main Firebird configuration file. It is located in the Firebird installation folder, typically:

C:\Program Files\Firebird\Firebird_2_5\firebird.conf

Before editing: Make a backup copy of firebird.conf. Open Notepad (or any plain-text editor) as Administrator; the file is in a protected folder and cannot be saved without elevated permissions.

Search the file for the RemoteBindAddress setting. You will find it commented out with a # at the start of the line:

#RemoteBindAddress =

Change it to the following (remove the # and set the value):

RemoteBindAddress = 127.0.0.1

Save the file.

Step 2 — Restart the Firebird service

The change takes effect only after the Firebird service is restarted. You can do this from an Administrator command prompt:

net stop FirebirdServerDefaultInstance
net start FirebirdServerDefaultInstance

Or open Services (services.msc), find Firebird Server - DefaultInstance, and restart it.

RPM will reconnect automatically. No RPM configuration changes are needed — RPM connects to Firebird on localhost, which remains accessible after this change.

Step 3 — Verify the change (optional)

To confirm Firebird is no longer listening on all interfaces, open an Administrator command prompt and run:

netstat -an | findstr :3050

Before the change you would see a line like:

  TCP    0.0.0.0:3050    0.0.0.0:0    LISTENING

After the change it should show:

  TCP    127.0.0.1:3050    0.0.0.0:0    LISTENING

The 127.0.0.1 confirms Firebird is now accepting connections from the local machine only.

Windows Firewall

The Firebird installer creates a Windows Firewall inbound exception for port 3050. Once Firebird is bound to the loopback address, that rule has no practical effect (no external traffic can reach a loopback-bound service), but you may remove or disable it as part of your security hardening. Confirm the rule's exact name in Windows Firewall with Advanced Security before deleting it; the command below assumes the rule is named "Firebird Server".

To remove the rule from an Administrator command prompt:

netsh advfirewall firewall delete rule name="Firebird Server"

If you ever move the Firebird database to a different machine or allow a remote administration tool to connect, you will need to revert RemoteBindAddress and restore the firewall rule.
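The following PowerShell script is an added example that performs Steps 1 through 3 above and the firewall change in one pass; it is not part of RPM or of the Firebird distribution. It assumes the default firebird.conf path, the service name FirebirdServerDefaultInstance, and a firewall rule named "Firebird Server"; adjust the parameters if your installation differs. It backs up the configuration first, handles the default commented-out RemoteBindAddress line as well as a file where the directive is already set or missing, restarts the service, and then fails loudly if anything other than 127.0.0.1 is still listening on port 3050. It disables the firewall rule rather than deleting it so the rule can be re-enabled if RemoteBindAddress is ever reverted.

```powershell
# Added example: bind Firebird 2.5 to loopback, restart, verify, disable the
# firewall rule. Not RPM or Firebird code. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator
param(
    # Assumed defaults; change to match your installation.
    [string]$ConfPath         = 'C:\Program Files\Firebird\Firebird_2_5\firebird.conf',
    [string]$ServiceName      = 'FirebirdServerDefaultInstance',
    [string]$FirewallRuleName = 'Firebird Server',
    [string]$BindAddress      = '127.0.0.1'
)

$ErrorActionPreference = 'Stop'

# Step 1a: back up firebird.conf with a timestamp before touching it.
$backup = "$ConfPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $ConfPath -Destination $backup
Write-Host "Backup written to $backup"

# Step 1b: set RemoteBindAddress. Matches the default '#RemoteBindAddress ='
# line or an existing uncommented value; appends the directive if absent.
$lines   = @(Get-Content -LiteralPath $ConfPath)
$pattern = '^\s*#?\s*RemoteBindAddress\s*=.*$'
$newLine = "RemoteBindAddress = $BindAddress"
$found   = $false
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match $pattern) {
        $lines[$i] = $newLine
        $found = $true
        break    # only the first directive line is changed
    }
}
if (-not $found) { $lines += $newLine }
Set-Content -LiteralPath $ConfPath -Value $lines -Encoding ASCII
Write-Host "Set '$newLine' in $ConfPath"

# Step 2: restart the Firebird service so the new binding takes effect.
Restart-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

# Step 3: verify that the only TCP listener on 3050 is on the loopback address.
$listeners = Get-NetTCPConnection -LocalPort 3050 -State Listen -ErrorAction SilentlyContinue
$exposed   = @($listeners | Where-Object { $_.LocalAddress -ne $BindAddress })
if ($exposed.Count -gt 0) {
    Write-Warning 'Port 3050 is still listening on a non-loopback address:'
    $exposed | Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize
    exit 1
}
if (-not $listeners) {
    Write-Warning 'Nothing is listening on port 3050; check the Firebird service log.'
    exit 1
}
Write-Host "OK: port 3050 is bound to $BindAddress only."

# Firewall: disable the installer's inbound rule (assumed name) rather than
# delete it, so it can be re-enabled if remote access is ever needed again.
$rule = Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue
if ($rule) {
    $rule | Disable-NetFirewallRule
    Write-Host "Disabled firewall rule '$FirewallRuleName'."
} else {
    Write-Host "No firewall rule named '$FirewallRuleName'. Candidates:"
    Get-NetFirewallRule | Where-Object { $_.DisplayName -like '*Firebird*' } |
        Format-Table DisplayName, Enabled, Direction -AutoSize
}
```

Save the script as, for example, Harden-Firebird.ps1 and run it once from an elevated PowerShell prompt; RPM reconnects on its own after the service restart, exactly as in the manual procedure. To undo the change, restore the .bak file over firebird.conf, restart the service, and run Enable-NetFirewallRule -DisplayName "Firebird Server".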

Need help?

If you have questions about this configuration or need assistance, please contact Brooks Internet Software support.