[ISN] Oracle patches critical database server vulnerability

From: InfoSec News (isnat_private)
Date: Tue Apr 29 2003 - 23:10:51 PDT

    http://www.nwfusion.com/news/2003/0429oraclpatch.html
    
    By Paul Roberts
    IDG News Service
    04/29/03
    
    Oracle released a patch for a recently discovered critical security
    vulnerability affecting its database servers.
    
    The buffer overflow vulnerability affects all supported versions of
    Oracle database servers and could enable a remote attacker to
    compromise the data stored in Oracle and gain control over the machine
    hosting the database server, according to a security alert posted by
    Oracle. Affected versions include Oracle7 Release 7.3.x, all releases
    of Oracle8 and 8i and Release 1 and 2 of the Oracle 9i database.
    
    On Friday, Oracle provided an interim or "one-off" patch for two
    versions of its 9i database and one version of its 8i database.
    
    A patch for Oracle 8 database version 8.0.6.3 was available for
    customers with extended maintenance support, but the company said it
    had no plans to provide patches for earlier versions of its database.
    
    Oracle encouraged customers running affected versions of its database
    software for which patches were available to apply the patch
    immediately.
    
    The vulnerability exists in code responsible for handling Create
    Database Link queries, which enable one Oracle database to query
    information stored in another database, according to security company
    Next Generation Security Software (NGSSoftware) of Sutton, U.K., which
    discovered the vulnerability.
    
    Attackers can create an extra long value for the Oracle database link,
    then attempt to use that link, causing the buffer overflow. The buffer
    overflow can cause a denial of service to the Oracle database and,
    possibly, enable attackers to execute their own attack code on the
    database machine, NGSSoftware said.
    
    The Create Database Link privilege is enabled by default for the
    Connect role, which is a standard role assigned to almost every active
    Oracle account, enabling users to connect to databases. The privilege
    is enabled regardless of whether additional Oracle database servers
    exist on a network, according to NGSSoftware.
    
    Organizations that are unable to apply the patch can protect
    themselves by removing the Create Database Link privilege from the
    Connect role. However, a careful study should first be done of the
    effect such a move may have on applications that use the Oracle
    database, Litchfield said.
    
    In its alert, Oracle said that the vulnerability was unlikely to be
    exploited remotely, except in cases where the Oracle database was
    connected directly to the Internet without the protection of a
    firewall or application server.
    
    However, the widespread availability of the Create Database Link
    privilege means the vulnerability could provide an avenue of attack
    for an insider with low-level access to an Oracle database, enabling
    the insider to abscond with more sensitive information, according to
    David Litchfield, managing director of NGSSoftware.
    
    The widespread use of Oracle's product to store critical information
    that could be the target of corporate espionage or identity theft
    schemes makes the database link vulnerability particularly serious,
    Litchfield said.
    
    Still, the vulnerability is not easy to exploit. Attackers would need
    to have an advanced knowledge of the Oracle database and be able to
    code low-level exploits using Assembly Language to take advantage of
    the flaw, Litchfield said.
    
    However, once one exploit has been created, it could easily be
    distributed to other attackers on the Internet who could then use it
    to carry out attacks without any knowledge of either Oracle or
    advanced coding techniques, he said.
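
The workaround described above (removing Create Database Link from the Connect role after studying the effect on applications) could be carried out as in the following sketch. This is an added example, not part of the article or of Oracle's alert; it assumes a DBA session with access to the standard data dictionary views, and the account name APP_REPL is a hypothetical placeholder.

```sql
-- Added example: audit, then remove CREATE DATABASE LINK from CONNECT.
-- Run as a DBA. APP_REPL below is a hypothetical account name.

-- 1. Every user or role that holds the privilege directly.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK'
 ORDER BY grantee;

-- 2. Every account that inherits it through the CONNECT role.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'CONNECT'
 ORDER BY grantee;

-- 3. Impact study: schemas that already own database links are the
--    ones whose applications depend on the feature.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY owner, db_link;

-- 4. Accounts that inherit the privilege via CONNECT but own no links;
--    these lose nothing they currently use when the privilege is removed.
SELECT rp.grantee
  FROM dba_role_privs rp
 WHERE rp.granted_role = 'CONNECT'
   AND NOT EXISTS (SELECT 1
                     FROM dba_db_links l
                    WHERE l.owner = rp.grantee)
 ORDER BY rp.grantee;

-- 5. The workaround itself.
REVOKE CREATE DATABASE LINK FROM CONNECT;

-- 6. Grant it back only to accounts that step 3 showed need it
--    (hypothetical account name).
GRANT CREATE DATABASE LINK TO app_repl;

-- 7. Verify: CONNECT should no longer appear in this result.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK'
 ORDER BY grantee;
```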
    
    
    