Four-year old critical Oracle bug still alive

Powered by SC Magazine
 

Patch ignored older installs.

A critical vulnerability Oracle's database product remains unpatched some four years after it was revealed, says the researcher who discovered it.

Oracle claimed to have patched the remote pre-authenticated vulnerability, dubbed TNS Poison, in April but security researcher Joxean Koret said the fix did not cover older versions.

In 2008, Koret reported the flaw to bug-bounty program iSight Partners which shared the details with Oracle per its reward program specifications. He later published a proof-of-concept for the bug that affected database versions 8i to 11g Release 2, the most current iteration.

Oracle acknowledged the bug in its quarterly security update this month and credited Koret for identifying it, in its "Security-In-Depth" program.

But an email exchange published by Koret indicated that Oracle had chosen not to patch the bug in existing versions of its database product because a patch may cause performance issues for customers.

Instead, Oracle addressed the vulnerability only in internal development versions, Koret said, noting that the company had not revealed which versions would receive the fix.

Koret told SC Magazine US that attackers could exploit TNS Poison to "sniff any connection" made to the database without the need for credentials, and inject malicious commands.

"In short, whatever they want," he said, adding that he was not aware of any in-the-wild attacks underway.

Oracle did not respond to a request for comment from SC Magazine.

The lack of a patch for older versions may indicate that Oracle does not consider the vulnerability as serious as Koret.

According to Oracle: "People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in critical patch updates."

Alex Rothacker, director of security research for Application Security Inc.'s TeamSHATTER, corroborated Koret's explanation of the threat, and said database administrators should consider workarounds in lieu of a permanent fix.

"Disable remote registration in the TNS Listener by setting ‘dynamic_registration = off' in the listener.ora file, then restart the listener," he said.

"However, if your installation is using this feature, you will need to make sure to now manually register all legitimate servers. This is also not a valid workaround for RAC (Real Application Clusters).

"Another workaround is to use valid node checking, but this is not foolproof, since an attacker could still attack from a valid client."

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Four-year old critical Oracle bug still alive
 
 
 
Top Stories
Microsoft confirms Australian Azure launch
Available from next week.
 
NBN Co names first 140 FTTN sites
National trial extended.
 
Cloud, big data propel bank CISOs into the boardroom
And this time, they are welcome.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  22%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  27%
TOTAL VOTES: 264

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  61%
 
No
  39%
TOTAL VOTES: 84

Vote