Oracle Listener Security Patch


Oracle 0-day TNS Listener Poison Attack

A lot has been written in the last week about the Oracle TNS Listener Poison Attack (CVE-2012-1675). Not everything that has been published is correct. I have spent a great deal of time investigating the topic and want to share my views on the issue.

On April 18th, the security researcher Joxean Koret published an advisory on the Full Disclosure mailing list. Assuming it had been fixed in the April 2012 CPU, he discusses a vulnerability that he discovered in the Oracle TNS Listener in 2008, including proof-of-concept code. Koret had reported the vulnerability to Oracle through iSightPartners.

A few days later, on April 26th, he posted to Full Disclosure again, saying the vulnerability is in reality a 0-day and that no patch is currently available.

On April 30th, Oracle released a Security Alert for this vulnerability, including detailed instructions on how to secure the Listener and protect it from attacks exploiting the vulnerability.

So, to sum it up:

The vulnerability was discovered and reported to Oracle in 2008, 4 years ago.

Koret was credited as a Security-In-Depth contributor in the Oracle Critical Patch Update Advisory – April 2012.

A full advisory describing the vulnerability and exploit, including proof-of-concept code, is publicly available.

The April 2012 CPU does not contain a fix for the vulnerability.

Oracle's Security Alert describes a workaround.

To this point, Oracle has not released a patch for the vulnerability.

Every Oracle installation that has not applied the workaround, or was not already configured securely, is vulnerable to attack by a remote, unauthenticated attacker.

What everybody should know about the vulnerability:

The vulnerability allows an attacker to intercept traffic between the client and the Oracle database; it is a classic man-in-the-middle attack. The attacker can then read all of the data exchanged between the client and the server. The attacker can also hijack the connection and inject arbitrary commands or queries, executing them with the privileges of the authenticated user. In short, if the attacker intercepts a DBA connection, it is game over and the attacker owns the database. All current versions of the Oracle Database are vulnerable to the exploit, and it is assumed that versions dating as far back as Oracle 8i are also vulnerable. A public exploit is available. As a vulnerability that gives an attacker full control over the database server, this warrants the highest possible CVSS score of 10.

How to protect an Oracle installation from this exploit:

Luckily, workarounds that change the listener configuration to accept only secure transports are available. To accomplish this, the COST parameter SECURE_LISTENER_listener_name needs to be configured according to the details listed in the Oracle Metalink (login required) articles https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1 for non-RAC systems, or https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1340831.1 for RAC systems. In order to keep using TCP as a transport, a patch for bug 12880299 must also be deployed, and for RAC systems the workaround requires features that are part of Oracle Advanced Security, a premium add-on. Fortunately, Oracle has changed their licensing to allow the use of the Advanced Security features required to implement the workaround at no charge.

Our recommendation is for all deployments to apply the workaround ASAP. This is especially important if the Oracle Listener and/or the Database are not on dedicated network segments.

Why did this all blow up like this?

Researchers discover vulnerabilities all the time. Software vendors fix them and life goes on. In general, this process has become so smooth that end users barely realize their OS, PDF reader, etc. have been updated. All major software vendors release patches on a regular basis. Microsoft has Patch Tuesday. Oracle has the quarterly Critical Patch Update (CPU).

So, what happened that created all the confusion, led a responsible-disclosure researcher to drop a 0-day, and left Oracle struggling to get out a workaround?

It all started with Oracle crediting Koret in their April CPU as a Security-in-Depth contributor. This is explained in their FAQ:

4.4 What is the Security-In-Depth program referenced in the Credit Section of the CPU Advisory?

Starting with the July 2008 Critical Patch Update, Oracle instituted a Security-In-Depth program to provide credit to people that provide information, observations or suggestions to Oracle pertaining to security vulnerability issues that result in significant modifications of Oracle code or documentation in future releases, but are not of such a critical nature that the modifications would be distributed in Critical Patch Updates.

According to his Full Disclosure posting, Koret exchanged e-mails with Oracle after being credited in the CPU and received confirmation both of the vulnerability for which he was credited and that it had been fixed. However, there appears to have been a misunderstanding: what Oracle really meant was that the vulnerability is only fixed in the main code line that will ship with the next major release.

Room for improvements:

There are some important lessons to be learned from this debacle and I sincerely hope that Oracle rethinks some of their security practices.

Oracle's Critical Patch Update Advisories are notoriously brief when it comes to vulnerability information. I wish that for every vulnerability there was a section, or even better a separate security bulletin, including the following: credit statement, workaround information, mitigating factors, detection guidance, severity rating by affected product version, and, in addition to the CVSS score, an easy-to-understand severity rating.

Finally, and most importantly, I think it is ridiculous that Oracle took 4 years to fix such a critical and easy-to-exploit vulnerability.

Source: TeamSHATTER

Hi, this is Eric Maurice.

Oracle just released Security Alert CVE-2012-1675 to address the TNS Listener Poison Attack in the Oracle Database. With a CVSS Base Score of 7.5, this vulnerability is remotely exploitable without authentication, and if successfully exploited, can result in a full compromise of the targeted Database.

In the April 2012 Critical Patch Update, Oracle provided Security-in-Depth recognition to Joxean Koret. As stated in the Critical Patch Update advisories, "People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates."

As stated in previous blog entries, Oracle fixes vulnerabilities first in the main code line, and then tries to backport fixes through the Critical Patch Update program for exploitable vulnerabilities that were externally reported. In certain instances, such backporting is very difficult or impossible because of the amount of code change required, or because the fix would create significant regressions, or because there is no reasonable way to automate the application of the fix (for example, when user interaction is required to change configuration parameters).

Shortly after the release of the Critical Patch Update, mistakenly assuming that the issue had been backported through the CPU, Joxean Koret, the initial reporter of this vulnerability, fully disclosed its details, initially stating that it had been fixed by Oracle, then, after realizing that it had not been fixed in current releases, reported the vulnerability as a 0-day.

As a result of this disclosure, Oracle has issued Security Alert CVE-2012-1675 to provide customers with a number of technical measures to provide effective defense against this vulnerability in all deployment scenarios.

Customers on single-node configurations (i.e., non-Real Application Cluster (RAC) customers) should refer to the My Oracle Support Note titled "Using Class of Secure Transport (COST) to Restrict Instance Registration" (Doc ID 1453883.1) to limit registration to the local node and the IPC protocol through the COST (Class Of Secure Transport) feature in the listener.

RAC and Exadata customers should refer to the My Oracle Support Note "Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC" (Doc ID 1340831.1) to implement similar COST restrictions.

Note that implementing COST restrictions in RAC environments requires the use of SSL/TLS encryption. Such network encryption features were previously only available to customers who were licensed for Oracle Advanced Security. However, RAC customers who were previously not licensed for Oracle Advanced Security need not be concerned about a licensing restriction, as Oracle has updated its licensing to allow these customers a restricted use of these features (namely SSL and TLS) to protect themselves against vulnerability CVE-2012-1675. In other words, Oracle has added Oracle Advanced Security SSL/TLS to the Enterprise Edition Real Application Clusters (Oracle RAC) and RAC One Node options, and added Oracle Advanced Security SSL/TLS to the Oracle Database Standard Edition license when used with Real Application Clusters.

Considering that the technical details of vulnerability CVE-2012-1675 have now been widely distributed, Oracle highly recommends that customers make the configuration changes documented in the above-mentioned My Oracle Support Notes as soon as possible. Customers should also feel free to contact Oracle Support if they have questions or concerns.

For More Information:

Oracle Net Listener Parameters: this section lists and describes the listener.ora file parameters.

Oracle Database Advanced Security Administrator's Guide.
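Both the TeamSHATTER workaround section and Oracle's summary above come down to the COST restriction that the referenced My Oracle Support notes apply through the listener.ora parameter SECURE_REGISTER_<listener_name>: instance registration is confined to the listed transports, so a remote host can no longer register a rogue service over plain TCP. The following Python is an added example, not code from the page, TeamSHATTER or Oracle: it audits a listener.ora and reports, per listener, which transports still accept registration; the sample file, host name and listener names are constructed.

```python
import re

# Constructed listener.ora for demonstration, not taken from the page or from Oracle:
# LISTENER has the COST restriction applied, LISTENER_APP is left at the default.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
  )

LISTENER_APP =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1526))
  )

SECURE_REGISTER_LISTENER = (IPC)
"""
SECURE_TRANSPORTS = {"IPC", "TCPS"}  # local IPC or TLS-protected TCPS, as in the MOS notes
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z0-9_]+)\s*=", re.MULTILINE)


def parse_entries(text):
    """Split listener.ora into {KEY: raw value} using the unindented 'KEY =' lines."""
    keys = list(TOP_LEVEL_KEY.finditer(text))
    ends = [m.start() for m in keys[1:]] + [len(text)]
    return {m.group(1).upper(): text[m.end():end] for m, end in zip(keys, ends)}


def audit_registration(text):
    """Return {listener: sorted transports still accepting remote instance registration}."""
    entries = parse_entries(text)
    findings = {}
    for key, value in entries.items():
        if "(ADDRESS" not in value.upper():
            continue  # SID_LIST_*, SECURE_REGISTER_* and other non-endpoint keys
        listening = {p.upper() for p in re.findall(r"PROTOCOL\s*=\s*(\w+)", value, re.I)}
        restriction = entries.get("SECURE_REGISTER_" + key)
        if restriction is None:
            allowed = listening  # default: every listening transport may register
        else:
            allowed = {p.upper() for p in re.findall(r"[A-Za-z]+", restriction)}
        findings[key] = sorted(allowed - SECURE_TRANSPORTS)  # [] means hardened
    return findings


if __name__ == "__main__":
    for name, exposed in audit_registration(SAMPLE_LISTENER_ORA).items():
        print(name, "hardened" if not exposed else "registration open over " + ", ".join(exposed))
```

Run against a real listener.ora, every listener that prints a non-empty transport list is one the Security Alert's workaround has not yet been applied to; remember that keeping TCP itself as a registration transport additionally needs the bug 12880299 patch mentioned above.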
