VID 25013
Severity 30
Port 1521
Protocol TCP
Class DB
Detailed Description The version of the Oracle TNS (Transparent Network Substrate) Listener appears to be vulnerable to a buffer overflow attack. Oracle 8i Standard and Enterprise Editions Version 8.1.5, 8.1.6, 8.1.7 and previous versions for Windows, Linux, Solaris, AIX, HP-UX and Tru64 Unix are vulnerable.
The Oracle TNS Listener is responsible for establishing and maintaining remote communications with Oracle database services. The TNS Listener daemon runs with "LocalSystem" privileges under Windows NT/2000, and with the privileges of the 'oracle' user under Unix. The Listener is vulnerable to a buffer overflow condition that allows remote execution of arbitrary code on the database server under a security context that grants full control of the database services and, on some platforms, full control of the operating system. Because the buffer overflow occurs prior to any authentication, the listener is vulnerable regardless of any enabled password protection.
The TNS listener's administrative command string includes several arguments such as "SERVICE", "VERSION", "USER" and "ARGUMENTS". Any of these can be overfilled with data to initiate the overflow. Under both Windows and UNIX platforms, an extended argument of several thousand bytes will induce a stack overflow. The overflow can be triggered with a one-packet command conforming to the Net8 protocol. The client will send a Type-1 (NSPTCN) packet containing the proper Net8 headers and malformed command string with embedded arbitrary code ("shellcode").
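Because the attack is a single Net8 connect packet, it can be spotted on the wire before the listener ever parses it. The following Python script is an example added here; it is not part of the original advisory or of any Oracle tooling. It unpacks the 8-byte TNS header and the fixed connect fields, refuses packets whose connect-data length and offset do not stay inside the packet, flattens the "(KEY=value)" connect string, and flags any SERVICE, VERSION, USER or ARGUMENTS value longer than an assumed 1024-byte limit. The packet builder and the three sample packets are constructed test input (8i-style layout with connect data at offset 34, representative header constants, plain "A" filler rather than any payload).

```python
from __future__ import annotations

import struct

TNS_CONNECT = 1          # Net8 packet type 1: NSPTCN (connect)
TNS_HEADER_LEN = 8       # length(2) checksum(2) type(1) reserved(1) header checksum(2)
CONNECT_FIXED_LEN = 26   # fixed connect fields through the two flag bytes (8i layout)

# Administrative arguments the advisory names as overflow vectors.
ADMIN_ARGS = ("SERVICE", "VERSION", "USER", "ARGUMENTS")
MAX_ARG_LEN = 1024       # assumed limit: real lsnrctl values are a few bytes long


def build_connect_packet(connect_data: bytes) -> bytes:
    """Build a minimal Type-1 connect packet (constructed test input, not a live capture)."""
    body = struct.pack(
        ">HHHHHHHHHHIBB",
        0x0136, 0x012C,                       # version 310, lowest compatible 300
        0x0000, 0x0800, 0x7FFF,               # service options, SDU 2048, TDU 32767
        0x4F98, 0x0000, 0x0001,               # NT proto chars, line turnaround, value of 1
        len(connect_data),                    # connect data length
        TNS_HEADER_LEN + CONNECT_FIXED_LEN,   # connect data offset (34)
        0,                                    # max receivable connect data
        0x41, 0x41,                           # connect flags 0 and 1
    )
    total = TNS_HEADER_LEN + len(body) + len(connect_data)
    return struct.pack(">HHBBH", total, 0, TNS_CONNECT, 0, 0) + body + connect_data


def extract_connect_data(packet: bytes) -> bytes:
    """Return the connect-data bytes of a Type-1 packet, refusing inconsistent lengths."""
    if len(packet) < TNS_HEADER_LEN + CONNECT_FIXED_LEN:
        raise ValueError("packet shorter than a TNS connect header")
    length, _cksum, ptype, _rsvd, _hcksum = struct.unpack(">HHBBH", packet[:TNS_HEADER_LEN])
    if ptype != TNS_CONNECT:
        raise ValueError(f"packet type {ptype} is not NSPTCN")
    if length != len(packet):
        raise ValueError(f"header length {length} does not match {len(packet)} bytes on the wire")
    # Connect data length and offset follow the eight 2-byte version/SDU/TDU fields.
    data_len, data_off = struct.unpack(">HH", packet[24:28])
    # Connect strings too long for one packet are sent in a follow-on packet; that split
    # case is out of scope here, so any data not contained in this packet is rejected.
    if data_off < TNS_HEADER_LEN + CONNECT_FIXED_LEN or data_off + data_len > len(packet):
        raise ValueError("connect data offset/length point outside the packet")
    return packet[data_off:data_off + data_len]


def parse_connect_string(text: str) -> dict[str, str]:
    """Flatten a Net8 '(KEY=(SUB=value))' tree into {SUB: value} for the leaf entries."""
    values: dict[str, str] = {}
    depth, i = 0, 0
    while i < len(text):
        if text[i] == "(":
            eq = text.find("=", i)
            if eq == -1:
                raise ValueError("key without '='")
            key = text[i + 1:eq].strip().upper()
            depth, i = depth + 1, eq + 1
            while i < len(text) and text[i] == " ":
                i += 1
            if i < len(text) and text[i] != "(":   # leaf value runs to the next ')'
                end = text.find(")", i)
                if end == -1:
                    raise ValueError("unterminated value")
                values[key] = text[i:end]
                depth, i = depth - 1, end + 1
        elif text[i] == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')'")
            i += 1
        else:
            i += 1
    if depth != 0:
        raise ValueError("unbalanced '('")
    return values


def check_packet(packet: bytes) -> list[str]:
    """Return findings for one packet; an empty list means nothing suspicious."""
    try:
        raw = extract_connect_data(packet)
        fields = parse_connect_string(raw.decode("ascii", errors="replace"))
    except ValueError as exc:
        return [f"malformed connect packet: {exc}"]
    return [f"{name} argument is {len(fields[name])} bytes (limit {MAX_ARG_LEN})"
            for name in ADMIN_ARGS if name in fields and len(fields[name]) > MAX_ARG_LEN]


# Constructed samples: a normal `lsnrctl status`-shaped request, the same request with
# ARGUMENTS overfilled to several thousand bytes, and a packet whose header lies about its size.
BENIGN = build_connect_packet(
    b"(CONNECT_DATA=(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=135290880))")
OVERFILLED = build_connect_packet(
    b"(CONNECT_DATA=(COMMAND=status)(ARGUMENTS=" + b"A" * 4000
    + b")(SERVICE=LISTENER)(VERSION=135290880))")
TRUNCATED = BENIGN[:-5]

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("overfilled", OVERFILLED), ("truncated", TRUNCATED)):
        print(label, check_packet(pkt) or "ok")
```

The length check on the header is deliberate: a sensor that trusts the advertised connect-data offset and length without comparing them to the bytes actually received can be steered past the malicious argument, so inconsistent packets are reported as malformed rather than silently skipped.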

* Platforms Affected:
Oracle 8i Standard and Enterprise Editions Version 8.1.5, 8.1.6, 8.1.7 and previous versions for Windows, Linux, Solaris, AIX, HP-UX and Tru64 Unix.

* References:
http://www.securityfocus.com/bid/2941
http://www.pgp.com/research/covert/advisories/050.asp
Recommendation Apply the appropriate patch for this vulnerability, as listed in the Oracle FAQ "Frequently Asked Questions about Listener Security Patches" on the Oracle Technology Network Web site:
http://technet.oracle.com/deploy/security/pdf/patch_avail.html
From this site, you can use the "Patch Availability Matrix" to verify release and patch availability for your platform.

If the patch is not yet available for your platform, a workaround is to run a single patched listener that serves all of the Oracle instances on the system.
To do this, create a separate Oracle Home and install a supported Oracle version that carries the listener security patch. Run the listener from this new home and have it service the instances in the unpatched homes by adding each instance and its Oracle Home to the SID_LIST section of the new listener.ora. Stop the listeners in the unpatched homes so that only the patched binary is bound to port 1521; the workaround protects nothing if an unpatched listener is still accepting connections.

Example of a listener.ora for a patched 8.1.7.1 listener servicing unpatched 8.1.7.0 and 8.1.6.0 instances on the same system:

LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = hostname)(PORT = 1521))
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = P817)
      (ORACLE_HOME = /u01/app/oracle/product/8.1.7.0)
    )
    (SID_DESC =
      (SID_NAME = P816)
      (ORACLE_HOME = /u01/app/oracle/product/8.1.6.0)
    )
  )