
RE: Do not connect Oracle DB to the Internet. Oracle Alert #59

From: Hemant K Chitale <hkchital_at_singnet.com.sg>
Date: Thu, 23 Oct 2003 08:39:34 -0800
Message-ID: <F001.005D41D0.20031023083934@fatcity.com>


Dennis,

Note 251910.1

"Oracle Security Alert #59
Dated: 20 October 2003
Updated: 22 October 2003
Severity: 2

Buffer Overflow in Oracle Database Server Binaries

Description
A potential buffer overflow has been discovered in the "oracle" and "oracleO" (the letter O) binaries of the Oracle Database. A knowledgeable and malicious local user can exploit this buffer overflow to execute
code on the operating system hosting the Oracle Database server.

Products Affected

        Oracle 9i Database Release 2, Version 9.2.x
        Oracle 9i Database Release 1, Version 9.0.x

Platforms Affected
All supported UNIX and Linux operating system variants.

Required conditions for exploit
A valid account on the operating system hosting the Oracle Database server.

Risk to exposure
The "oracle" and "oracleO" (the letter O) binaries are typically owned by the "oracle" operating system user account and by the "dba" operating system group. A malicious local user (a user defined in the operating system hosting the Oracle Database) can write code that attempts to exploit the buffer overflow in these binaries to run with the privileges of the "oracle" owner and potentially compromise the operating system hosting the Oracle Database server. Unless you connect the Oracle Database directly to the Internet (e.g., no intervening application server or firewall), a remote exploit via the Internet is, in our opinion, unlikely. We strongly recommend that you do not connect the Oracle Database directly to the Internet. However, this vulnerability is susceptible to an insider attack originated on an Intranet if the required conditions for exploit are met.

Oracle is aware of an exploit for this vulnerability.

How to minimize risk

See Workaround, below. Follow Oracle's best practices for database

http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf
http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf

and best practices for operating system security.

Ramification for customer
Oracle recommends that customers review the severity rating for this Alert and patch accordingly. See http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf for a definition of severity ratings.

Workaround

Remove the "execute" permission from the operating system group "other" associated with the affected
binaries. Perform the following steps:

      # cd $ORACLE_HOME/bin
      # chmod o-x oracle oracleO

In addition, verify that only trusted users are in the same group as are the oracle and oracleO binaries.

No other changes are required. For example, do not remove setuid or setgid from the affected binaries.

NOTE: This workaround protects customers from the potential vulnerability. However, after performing
the steps listed above, depending on the configuration of Oracle Net Services, certain users may no longer
be able to connect to the Oracle Database. Specifically, if the database is configured to use the bequeath
protocol[1], then local users not in the operating system "dba" group will no longer be able to connect to
the database. With the workaround applied, the Oracle Net Listener runs as the same user who owns the
oracle binary, or as a user who is a member of the "dba" group. Although this is already the case for a
typical installation/configuration, it is not normally required that the user running the listener has these
privileges.

For those customers who are unable to implement the workaround as suggested, Oracle recommends
applying the patch as soon as it is available.

Fixed by
An interim (one-off) patch for this issue is available for the following release:

           Oracle 9i Database Release 9.2.0.4 for Linux x86.

Download this one-off patch from the Oracle Support Services web site, Metalink (
http://metalink.oracle.com):

   1. Click on the Patches button.
   2. Click on the "Simple Search".
   3. In the "Search By" option select "Patch Number(s)" from the drop-down menu, and enter 3157063 in the box.
   4. Select the required platform and language.
   5. Click on the "Go" button.
   6. Click on the "Download" button.
   7. Recommended: you should also click on the "View README" button for additional information and instructions.

Please review Metalink, or check with Oracle Support Services periodically for patch availability if the
patch for your platform is unavailable. Oracle strongly recommends that you backup and comprehensively
test the stability of your system upon application of any patch prior to deleting any of the original file(s) that are replaced by the patch.

Modification History
20-OCT-03: Initial release, version 1
22-OCT-03: Identified restrictions of the provided workaround, provided patch details for Linux x86,
Oracle 8i Database Release 8.1.x and earlier proved not vulnerable.

[1] If the client and server exist on the same machine, a client connection can be bequeathed (passed) directly to a dedicated server process without going through the listener. The application initiating the session spawns a dedicated server process for the connection request using the bequeath protocol. This happens automatically if an application is used to start the database on the same machine as the database. "

Also at http://otn.oracle.com/deploy/security/pdf/2003alert59.pdf

The 8.1.7 Support Status and Alerts note [Note 120607.1] has also been updated with a reference to this [Vulnerability#59] Note 251910.1. However, 251910.1 specifically says that 8.1.x and earlier has been proved as not vulnerable.

Hemant

At 08:19 AM 23-10-03 -0800, you wrote:
>Ian - I haven't been able to locate this on Metalink, but can you give a
>quick idea about how I can ensure I don't have a vulnerability here? Our
>databases are behind firewalls and all access is through app servers.
>Thanks.
>
>
>
>Dennis Williams
>DBA
>Lifetouch, Inc.
>dwilliams_at_lifetouch.com
>
>-----Original Message-----
>Sent: Thursday, October 23, 2003 9:25 AM
>To: Multiple recipients of list ORACLE-L
>
>
>The exploit involves passing a large argv[1] argument to the oracle or
>oracle0 binary. Credit for discovering the vulnerability goes to
>cOntex_at_hushmail.com <mailto:cOntex_at_hushmail.com> . The error was first
>discovered on a LINUX box but I have seen notes that AIX is vulnerable as
>well. What is not published in North America yet, is the Oracle alert you
>mention. The first security note I saw on this was published on 19
>October. Yes there are people who know how to exploit the vulnerability.
>The vulnerability was shown to Oracle over a month ago, according to the
>comments in a proof of concept exploit.
>
>One workaround is to take off the setuid bit from the Oracle binary. Is it
>really necessary to set this? How many places still have users log into
>the database server? Oracle has recommended putting its databases behind
>firewalls for some time.
>
>Ian MacGregor
>Stanford Linear Accelerator Center
>ian_at_slac.stanford.edu <mailto:ian_at_slac.stanford.edu>
>
>-----Original Message-----
>Sent: Thursday, October 23, 2003 6:25 AM
>To: Multiple recipients of list ORACLE-L
>
>
>Important: Please read the following Oracle Alert.
>
>We strongly recommend that you do not connect the Oracle Database
>directly to the Internet.
>
>Got your attention? That is what is in the Alert. These alerts are
>beginning to come all too often. Sounds just like Microsoft's software, yeah?
>
>Buffer Overflow in Oracle Database Server Binaries
>This is with the Oracle kernel/binary itself ie 'oracle' or 'oracleO' file
>in $ORACLE_HOME/bin.
>
>
>Description
>A potential buffer overflow has been discovered in the "oracle" and
>"oracleO" (the letter O) binaries
>of the Oracle Database. A knowledgeable and malicious local user can exploit
>this buffer overflow
>to execute code on the operating system hosting the Oracle Database server.
>Products Affected
>* Oracle 9i Database Release 2, Version 9.2.x
>* Oracle 9i Database Release 1, Version 9.0.x
>Platforms Affected
>All supported UNIX and Linux operating system variants.
>
>
>Patch only available for Linux right now.
>
>So who found out this vulnerability? David Litchfield? Aaron Newman?
>I know it is a bit silly to ask but does anyone know how
>to exploit this vulnerability? Send it to me directly if you don't want to
>reply publicly.
>
>ta
>tony
>
>
>--
>Please see the official ORACLE-L FAQ: http://www.orafaq.net
>--
>Author: DENNIS WILLIAMS
> INET: DWILLIAMS_at_LIFETOUCH.COM
>
>Fat City Network Services -- 858-538-5051 http://www.fatcity.com
>San Diego, California -- Mailing list and web hosting services
>---------------------------------------------------------------------
>To REMOVE yourself from this mailing list, send an E-Mail message
>to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
>the message BODY, include a line containing: UNSUB ORACLE-L
>(or the name of mailing list you want to be removed from). You may
>also send the HELP command for other information (like subscribing).

Hemant K Chitale
Oracle 9i Database Administrator Certified Professional
My personal web site is: http://hkchital.tripod.com

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Hemant K Chitale
  INET: hkchital_at_singnet.com.sg

Received on Thu Oct 23 2003 - 11:39:34 CDT
