Four-year old critical Oracle bug still alive

A critical vulnerability in early versions of Oracle remains unpatched some four years after it was revealed, says the researcher who discovered it.

The remote pre-authenticated vulnerability dubbed TNS Poison was patched in April but Joxean Koret, software develeoper at Hex Rays, and then independent security researcher said the fix did not cover older versions.

Koret reported the flaw which carried a CVSS rating of 10 to bug-bounty program iSight Partners which shared the details with Oracle per its reward program specifications.

In last week's quarterly security update, the database giant finally fixed the bug and Koret was given credit by Oracle in its "Security-In-Depth" program.

He later published a proof-of-concept for the bugthat affected database versions 8i to 11g Release 2, the most current iteration.

But he discovered in an email exchange with Oracle that the hole was only repaired in future versions of the database.

Attackers can exploit the vulnerability to "sniff any connection" made to the database without the need for credentials, and can also inject malicious commands, Koret told SC Magazine.

"In short, whatever they want," he said, adding that he is not aware of any in-the-wild attacks underway.

An Oracle spokesman did not respond to a request for comment from SC Magazine.

Koret published what he said was an email exchange between him and a company representative, who told him that the vulnerability wasn't remediated in existing versions -- only in internal development versions -- because a patch is complex and may cause performance regressions for customers.

There may be another explanation. Oracle may not consider the vulnerability as serious as Koret.

According to Oracle: "People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in critical patch updates."

Alex Rothacker, director of security research for Application Security Inc.'s TeamSHATTER, corroborated Koret's explanation of the threat, and said database administrators should consider workarounds in lieu of a permanent fix.

"Disable remote registration in the TNS Listener by setting ‘dynamic_registration = off' in the listener.ora file, then restart the listener," he said.

"However, if your installation is using this feature, you will need to make sure to now manually register all legitimate servers. This is also not a valid workaround for RAC (Real Application Clusters). Another workaround is to use valid node checking, but this is not foolproof, since an attacker could still attack from a valid client."

This article originally appeared at scmagazineus.com