Four-year old critical Oracle bug still alive

Powered by SC Magazine
 

Patch ignored older installs.

A critical vulnerability Oracle's database product remains unpatched some four years after it was revealed, says the researcher who discovered it.

Oracle claimed to have patched the remote pre-authenticated vulnerability, dubbed TNS Poison, in April but security researcher Joxean Koret said the fix did not cover older versions.

In 2008, Koret reported the flaw to bug-bounty program iSight Partners which shared the details with Oracle per its reward program specifications. He later published a proof-of-concept for the bug that affected database versions 8i to 11g Release 2, the most current iteration.

Oracle acknowledged the bug in its quarterly security update this month and credited Koret for identifying it, in its "Security-In-Depth" program.

But an email exchange published by Koret indicated that Oracle had chosen not to patch the bug in existing versions of its database product because a patch may cause performance issues for customers.

Instead, Oracle addressed the vulnerability only in internal development versions, Koret said, noting that the company had not revealed which versions would receive the fix.

Koret told SC Magazine US that attackers could exploit TNS Poison to "sniff any connection" made to the database without the need for credentials, and inject malicious commands.

"In short, whatever they want," he said, adding that he was not aware of any in-the-wild attacks underway.

Oracle did not respond to a request for comment from SC Magazine.

The lack of a patch for older versions may indicate that Oracle does not consider the vulnerability as serious as Koret.

According to Oracle: "People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in critical patch updates."

Alex Rothacker, director of security research for Application Security Inc.'s TeamSHATTER, corroborated Koret's explanation of the threat, and said database administrators should consider workarounds in lieu of a permanent fix.

"Disable remote registration in the TNS Listener by setting ‘dynamic_registration = off' in the listener.ora file, then restart the listener," he said.

"However, if your installation is using this feature, you will need to make sure to now manually register all legitimate servers. This is also not a valid workaround for RAC (Real Application Clusters).

"Another workaround is to use valid node checking, but this is not foolproof, since an attacker could still attack from a valid client."

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Four-year old critical Oracle bug still alive
 
 
 
Top Stories
Abbott brings back Science minister in cabinet reshuffle
Science tacked onto to Industry title.
 
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  38%
 
Your insurance company
  4%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  3%
 
A Federal Government agency (ATO, Centrelink etc)
  19%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1900

Vote
Do you support the abolition of the Office of the Information Commissioner?