There’s a critical remotely exploitable vulnerability in all of the current versions of the Oracle database server that can enable an attacker to intercept traffic and execute arbitrary commands on the server.
The bug, which Oracle reported as fixed in the most recent Critical Patch Update, is only fixed in upcoming versions of the database, not in currently shipping releases, and there is publicly available proof-of-concept exploit code circulating.
The vulnerability lies in the TNS Listener service, which on Oracle databases functions as the service that routes connection requests from clients to the server itself. A researcher, Joxean Koret, said he discovered the vulnerability several years ago and then sold the details of the bug to a third party broker, who reported it to Oracle in 2008. Oracle credited Koret for reporting the bug in its April CPU, but Koret said the flaw remains in the current versions of the Oracle database server.
“Some days ago, after the release of Oracle Critical Patch Update April 2012, a friend of mine told me that Oracle gave me credit in the “Security-In-Depth” program for a vulnerability they fixed. After this, I asked both Oracle and iSightPartners (the company I sold the vulnerability in 2008) for information about the vulnerability they fixed in this CPU. Oracle told us that the vulnerability with tracking id #13793589 (the TNS poison vulnerability) was the one fixed,” Koret wrote in a post.
Koret said he worried about part of the Oracle statement saying the company fixed the bug in future versions. So he contacted the company and a security representative responded, saying the company decided that fixing the flaw in current versions of the database was too risky because of the location and complexity of the flaw.
“So, as previously stated, this is a zero day vulnerability with no patch, Oracle refuses to patch the vulnerability in any existing version and Oracle refuses to give details about which versions will have the fix. But they say the vulnerability is fixed,” Koret wrote.
Security experts said the vulnerability is about as serious as they come, and customers should deploy workarounds as soon as possible.
“This vulnerability allows an attacker to intercept traffic between the client and the Oracle database, it’s classic ‘man in the middle’. The attacker can now, read all the data that is exchanged between the client and the server. The attacker can also hijack the connection and inject arbitrary commands or queries and execute them with the privileges of the authenticated user, in short if the attacker intercepts a DBA connection, it’s game over and the attacker owns the database,” said Alex Rothacker, director of security research at Application Security’s Team SHATTER research group.
Rothacker recommended customers deploy a workaround to protect against exploits of this vulnerability.