Simply Security - News, Views, and Opinions from Trend Micro

Weakness disclosure leaves server security scrambling

Posted on May 31st, 2012 in Internet Safety, Vulnerabilities by Simply Security

An independent researcher came across a potential hole in an Oracle security suite in 2008 and reported it to the company for a quick fix. Now four years later, the same researcher may have forced the issue by accident.

Joxean Koret, an accredited software security researcher, found that the Oracle Database Server had a security gap allowing hackers to potentially insert themselves into a connection between individual users and the host server without either party knowing. This allows the hacker to feed malicious code into the stream, affecting both the user and the server itself, and thereby spreading to more users quickly. The bug exists within the Transport Network Substrate (TNS) Listener, which allows users to remotely register databases and clients without an authentication process.

The problem was that Koret thought Oracle had corrected the problem in its most recent patch, and so he released all the information behind the potential threats and attacks to show what good work the company had done in finally taking action, after four years, to fix the programming gap. Now that information on the TNS Listener Poison Attack is public, database users have to treat this as a zero-day scenario and can't count on data protection. Some security researchers are calling this a maximum-severity CVSS 10 security risk.

Webinars have been set up to educate users on what to expect from the potential attack and how they can take steps to protect themselves. Led by Josh Saul, chief technology officer for AppSecInc, these classes focus on applying database workarounds and monitoring environments for potential threats or unauthorized access. He also recommends performing a full system scan to find the location of the TNS Listener weakness so it can be patched easily once the fix is available.

Koret also suggested several workarounds for those affected by his unintentional leak, though he said they might be somewhat difficult to implement. One could disable registration for the TNS listener manually, but that might require a patch from the company that isn't forthcoming.

"To apply this workaround with … environments, one needs to implement load balancing at the client side," Koret told PCWorld. He said clients would then need to manually enter a complete node list and change filename configurations to ensure data protection.
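As an added illustration, not code from the article, from Koret, or from Oracle, the check below reads listener.ora text and reports, per named listener, whether dynamic registration has been disabled or restricted in the way the workaround above describes. The parameter names used are Oracle Net's documented, version-dependent ones rather than anything the article quotes, and the sample configuration is constructed.

```python
import re


def parse_params(config_text):
    """Collect single-line KEY = VALUE assignments from listener.ora text.
    Nested ADDRESS/DESCRIPTION lines start with '(' and are skipped; only
    top-level parameters are needed for this audit."""
    params = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.+)$", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params


def _protocols(value):
    """'(TCPS, IPC)' -> {'TCPS', 'IPC'}"""
    return {p.strip().upper() for p in value.strip("()").split(",") if p.strip()}


def registration_restricted(params, listener):
    """True if `listener` has remote registration disabled or limited.
    Assumed parameter names (Oracle Net, version-dependent):
      DYNAMIC_REGISTRATION_<l>=OFF             registration disabled
      SECURE_REGISTER_<l>=(IPC) / (TCPS, IPC)  no plain-TCP registration
      VALID_NODE_CHECKING_REGISTRATION_<l>=ON  registrations filtered by node"""
    name = listener.upper()
    if params.get(f"DYNAMIC_REGISTRATION_{name}", "").upper() == "OFF":
        return True
    secure = params.get(f"SECURE_REGISTER_{name}")
    if secure is not None and "TCP" not in _protocols(secure):
        return True
    vncr = params.get(f"VALID_NODE_CHECKING_REGISTRATION_{name}", "").upper()
    return vncr in {"ON", "1", "LOCAL", "SUBNET", "2"}


def audit(config_text, listeners):
    """Map each listener name to True (restricted) or False (open)."""
    params = parse_params(config_text)
    return {l: registration_restricted(params, l) for l in listeners}


# Constructed sample: LISTENER is left at defaults (open to remote
# registration); LISTENER_HR only accepts registration over IPC.
SAMPLE = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01)(PORT = 1521))))
LISTENER_HR =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01)(PORT = 1522)))
SECURE_REGISTER_LISTENER_HR = (IPC)   # local registration only
"""

if __name__ == "__main__":
    for name, ok in audit(SAMPLE, ["LISTENER", "LISTENER_HR"]).items():
        print(f"{name}: {'restricted' if ok else 'OPEN to remote registration'}")
```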

The company is still working on a patch for the TNS Listener and has given clients access to the security information necessary to isolate the weakness. There is no set release date for an individual patch yet, and it claims the threat to user data security and server security wasn't as great as others were reporting. There is also the possibility that no TNS patch will be released independently; the company is encouraging workarounds and hinting that there may be no other help until the regular software update is released.

Alex Rothacker of TeamSHATTER, a security research team, says the issue isn't when the update will happen but why it took four years. He said in an interview with SearchSecurity that while new versions of the server security software would carry the corrected code and the TNS bug would no longer exist, it was more irresponsible that Oracle didn't take action earlier if it knew the problem was there. Rothacker believes Koret didn't act out of malice but probably assumed that, after four years, the software would have been fixed already and no harm would come from educating the internet.
