There’s a critical remotely exploitable vulnerability in all of the current versions of the Oracle database server that can enable an attacker to intercept traffic and execute arbitrary commands on the server. The bug, which Oracle reported as fixed in the most recent Critical Patch Update, is only fixed in upcoming versions of the database, not in currently shipping releases, and there is publicly available proof-of-concept exploit code circulating.
The vulnerability lies in the TNS Listener service, the component of an Oracle database installation that routes connection requests from clients to the database server itself. A researcher named Joxean Koret said that he discovered the vulnerability several years ago and then sold the details of the bug to a third-party broker, who reported it to Oracle in 2008. Oracle credited Koret for reporting the bug in its April CPU, but Koret said in a post on the Full Disclosure mailing list this week that the flaw was not actually fixed in the current versions of the Oracle database server.
“Some days ago, after the release of Oracle Critical Patch Update April 2012, a friend of mine told me that Oracle gave me credit in the ‘Security-In-Depth’ program for a vulnerability they fixed. After this, I asked both Oracle and iSightPartners (the company I sold the vulnerability to in 2008) for information about the vulnerability they fixed in this CPU. Oracle told us that the vulnerability with tracking id #13793589 (the TNS poison vulnerability) was the one fixed,” Koret wrote.
Koret said he was worried about part of the Oracle statement about the bug that said the vulnerability was fixed in future versions. So he contacted the company and a security representative responded, saying that the company had decided that fixing the flaw in current versions of the database was too risky because of the location and complexity of the flaw.
“So, as previously stated, this is a 0day vulnerability with no patch, Oracle refuses to patch the vulnerability in *any* existing version and Oracle refuses to give details about which versions will have the fix. But they say the vulnerability is fixed,” Koret wrote.
Security experts say that the vulnerability is about as serious as they come, and customers should deploy workarounds as soon as possible.
“This vulnerability allows an attacker to intercept traffic between the client and the Oracle database; it’s classic ‘man in the middle’. The attacker can now read all the data that is exchanged between the client and the server. The attacker can also hijack the connection and inject arbitrary commands or queries and execute them with the privileges of the authenticated user. In short, if the attacker intercepts a DBA connection, it’s game over and the attacker owns the database,” said Alex Rothacker, director of security research at Application Security’s Team SHATTER research group.
Rothacker recommended that customers deploy a workaround to protect against exploits of this vulnerability.
“Disable remote registration in the TNS Listener by setting ‘dynamic_registration = off’ in the listener.ora file, then restart the listener. However, if your installation is using this feature, you will need to make sure to now manually register all legitimate servers. This is also not a valid workaround for RAC. Another workaround is to use valid node checking, but this is not foolproof, since an attacker could still attack from a valid client,” he said. “The last workaround is for clients that are using ‘Oracle Advanced Security’. Configure the system to require the use of SSL/TLS for connections.”
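The three workarounds Rothacker lists, written out as an added configuration example that is not from the article, from Oracle or from Team SHATTER. It assumes the default listener name LISTENER (the registration parameter is suffixed with the listener name), shows all three workarounds together in one listener.ora and sqlnet.ora pair, and uses constructed hostnames, addresses and wallet paths.

```text
# --- listener.ora (server) ---
# Workaround 1: turn off remote (dynamic) registration, so a rogue
# instance elsewhere on the network cannot register itself with this
# listener and be inserted into the client's connection path.
# The parameter name carries the listener name as a suffix (here: LISTENER).
DYNAMIC_REGISTRATION_LISTENER = OFF

# Workaround 3 (needs Oracle Advanced Security): serve TLS on 2484 and
# drop the clear-text TCP endpoint once all clients can use TCPS.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db01.example.com)(PORT = 2484))
    )
  )

# With dynamic registration off, every legitimate instance must be
# registered statically, or clients can no longer reach it. Not a valid
# workaround for RAC, as noted above. Paths and names are constructed.
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = orcl.example.com)
      (ORACLE_HOME = /u01/app/oracle/product/11.2.0/dbhome_1)
      (SID_NAME = orcl)
    )
  )

# --- sqlnet.ora (server, same TNS_ADMIN directory as listener.ora) ---
# Workaround 2: valid node checking. Only the listed addresses may
# connect; an attacker on an invited host is not stopped by this.
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.0.10, 10.0.0.11, app01.example.com)

# Wallet holding the server certificate used by the TCPS endpoint.
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))

# --- sqlnet.ora (client) ---
# Verify the server certificate's DN against the connect descriptor, so an
# interposed listener cannot present a different identity to the client.
SSL_SERVER_DN_MATCH = YES
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /home/app/wallet)))
```

After editing listener.ora, restart the listener and confirm with `lsnrctl services` that only the statically registered instances are listed.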