From: X-FORCE
Date: 20.06.2001
Subject: ISSalert: ISS Advisory: Multiple Oracle Listener Denial of Service Vulnerabilities
Internet Security Systems Security Advisory
June 20, 2001
Multiple Oracle Listener Denial of Service Vulnerabilities
Synopsis:
Internet Security Systems (ISS) X-Force has identified four Denial of
Service attacks against the Oracle listener service:
1. Offset_to_data value too large
2. Requester_version value incorrect
3. Maximum Transport Data size too small
4. Fragmentation attack
These vulnerabilities allow an unauthenticated user to prevent other
users from connecting to the database. As a result, the Oracle database
becomes inaccessible.
1. Offset_to_data value too large
Description:
When connecting to an Oracle database, a connection is first made to the
listener process. This initial packet contains command data, such as the
instance to connect to and the client information. This packet also
contains a header with a field indicating the offset to the Oracle
command data. If this offset is set to an arbitrarily large value that
the listener does not expect, then the listener will crash.
This vulnerability exists on Oracle 7.3 and 8i (not 8.0) installations
of Unix, but does not affect Oracle versions running on Windows NT/2000.
Recommendations:
Oracle has fixed this security vulnerability in Oracle9i. Oracle is in
the process of backporting the fix to supported Oracle 8i Releases 8.1.7
and 8.1.6 on all Unix platforms. Download the patch for your platform
from Oracle's Worldwide Support Web site, Metalink,
http://metalink.oracle.com. Please check Metalink periodically for patch
availability if the patch for your platform is not yet available. Oracle
recommends using Oracle Advanced Security (an option to the Enterprise
Edition of the Oracle Database Server) to encrypt network traffic and
avoid packet capture and replay attacks. Oracle Advanced Security also
provides checksumming that verifies the data integrity of network packets.
2. Requester_version value incorrect
Description:
When connecting to an Oracle database, a connection is first made to
the listener process. This initial packet contains command data, such as
the instance to connect to and the client information. This packet also
contains a header with a field indicating the version of the client
drivers and the offset to the Oracle command data. If the version of the
driver does not match the appropriate offset to the command data, the
listener will crash.
This vulnerability exists on Oracle 8.0 and later installations for all
platforms.
Recommendations:
Oracle has fixed this security vulnerability in Oracle9i. Oracle is in
the process of backporting the fix to supported Oracle 8i Releases 8.1.7
and 8.1.6 and Oracle8 Release 8.0.6 on all platforms. Download the patch
for your platform from Oracle's Worldwide Support Web site, Metalink,
http://metalink.oracle.com. Please check Metalink periodically for patch
availability if the patch for your platform is not yet available. Oracle
also recommends using Oracle Advanced Security.
3. Maximum Transport Data Size too small
Description:
When connecting to an Oracle database, a connection is first made to the
listener process. This initial packet contains command data, such as the
instance to connect to and the client information. This packet also
contains a header with a field indicating the maximum transport data
size of the client’s network. If the maximum transport data size is set
to 0, the listener will crash.
This vulnerability exists on Oracle8i on Sun Solaris.
Recommendations:
Oracle has fixed this security vulnerability in Oracle9i. Oracle is in
the process of backporting the fix to supported Oracle 8i Releases 8.1.7
and 8.1.6 on all platforms. Download the patch for your platform from
Oracle's Worldwide Support Web site, Metalink,
http://metalink.oracle.com. Please check Metalink periodically for patch
availability if the patch for your platform is not yet available. Oracle
also recommends using Oracle Advanced Security.
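
Added example, not part of the ISS advisory or Oracle's code: a sensor-side sanity check for the header fields behind issues 1 and 3, for use on reassembled listener traffic. The byte layout (an 8-byte TNS header followed by ten big-endian 16-bit connect fields) and the packet-type value are assumptions based on the commonly documented TNS connect packet format, which the advisory does not give; the sample packet is constructed.

```python
import struct

TNS_TYPE_CONNECT = 1                      # assumed packet-type value for "connect"
HEADER = struct.Struct(">HHBBH")          # length, pkt checksum, type, reserved, hdr checksum
# version, compatible version, service options, SDU size, maximum transport
# data size, NT characteristics, line turnaround, "one", data length, data offset
CONNECT = struct.Struct(">10H")
FIXED = HEADER.size + CONNECT.size        # 28 bytes parsed before any command data


def check_connect(packet):
    """Return findings for one reassembled TNS packet; an empty list means sane."""
    if len(packet) < HEADER.size:
        return ["truncated: no TNS header"]
    _length, _csum, ptype, _rsvd, _hcsum = HEADER.unpack_from(packet, 0)
    if ptype != TNS_TYPE_CONNECT:
        return []                         # only connect packets carry these fields
    if len(packet) < FIXED:
        return ["truncated: connect header incomplete"]
    fields = CONNECT.unpack_from(packet, HEADER.size)
    max_tds, data_len, data_off = fields[4], fields[8], fields[9]
    findings = []
    if max_tds == 0:                      # issue 3 in the advisory
        findings.append("maximum transport data size is 0")
    if data_off < FIXED or data_off > len(packet):   # issue 1 in the advisory
        findings.append("offset_to_data points outside the packet")
    elif data_off + data_len > len(packet):
        findings.append("command data extends past this packet")
    return findings


# Constructed, well-formed sample (values are illustrative, not a capture).
_DATA = b"(CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)))"
_OFF = FIXED + 6                          # 6 bytes of padding for fields not parsed here
SAMPLE = (HEADER.pack(_OFF + len(_DATA), 0, TNS_TYPE_CONNECT, 0, 0)
          + CONNECT.pack(0x0136, 0x012C, 0, 2048, 32767, 0x7F08, 0, 1, len(_DATA), _OFF)
          + bytes(6) + _DATA)

if __name__ == "__main__":
    print(check_connect(SAMPLE))
```

The "command data extends past this packet" finding also fires for commands split at the application layer, so treat it as a signal to correlate per source rather than as proof of a malformed packet.
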
4. Fragmentation Attack
Description:
In addition to TCP/IP fragmentation, Oracle allows commands to be
fragmented at the application layer. This fragmentation allows commands
to be sent in two or more different packets. If the first packet of a
fragmented command is repeatedly sent and not followed up with the
remainder of the command, the listener hangs waiting for the completion
of these commands.
This vulnerability exists on all versions of the listener.
Recommendations:
Oracle has fixed this potential security vulnerability in Oracle9i.
Oracle is in the process of backporting the fix to supported Oracle8i
Releases 8.1.7 and 8.1.6, and supported Oracle8 Release 8.0.6 on all
platforms. Download the patch for your platform from Oracle's Worldwide
Support Web site, Metalink, http://metalink.oracle.com. Please check
Metalink periodically for patch availability if the patch for your
platform is not yet available. Oracle also recommends using Oracle
Advanced Security.
Additional Information:
ISS Database Scanner scans Oracle, Microsoft SQL Server, and Sybase
Adaptive Server for potential security vulnerabilities and provides the
ability to assess and reduce misconfigurations in Oracle installations.
ISS Consulting also provides a variety of database security offerings
including development of security policy, security assessments, and
penetration testing.
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in
the CVE list (<http://cve.mitre.org>), which standardizes names for
security problems:
CAN-2001-0515 Offset_to_data value too large
CAN-2001-0516 Requester_version value incorrect
CAN-2001-0517 Maximum Transport Data size too small
CAN-2001-0518 Fragmentation attack
______
About Internet Security Systems (ISS)
Internet Security Systems is the leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 8,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks and the top 10 U.S.
telecommunications companies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.
Copyright (c) 2001 Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.