6681189 2001-06-27 16:06 -0700 /140 lines/ COVERT Labs <covert@nai.com>
Sent by: joel@lysator.liu.se
Imported: 2001-06-28 19:20 by Brevbäraren
External recipient: 'bugtraq@securityfocus.com' <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <17662>
Subject: [COVERT-2001-03] Oracle 8i SQLNet Header Vulnerability
------------------------------------------------------------
From: COVERT Labs <covert@nai.com>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Message-ID: <01C0FF23.1A2F0040@SLIPPERY1>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________

          Network Associates, Inc. COVERT Labs Security Advisory

                               June 27, 2001

                   Oracle 8i SQLNet Header Vulnerability

                               COVERT-2001-03
______________________________________________________________________

o Synopsis

A vulnerability in the Oracle implementation of the TNS (Transparent
Network Substrate) over Net8 (SQLNet) protocol allows a remote user to
mount a denial of service attack against any Oracle service that relies
upon the protocol, including the TNS Listener, Oracle Name Service and
Oracle Connections Manager.

This vulnerability has been designated as CVE candidate CAN-2001-498.

RISK FACTOR: MEDIUM
______________________________________________________________________

o Vulnerable Systems

Oracle 8i Standard and Enterprise Editions Version 8.1.5, 8.1.6, 8.1.7
and all previous versions for Windows, Linux, Solaris, AIX, HP-UX and
Tru64 Unix.
______________________________________________________________________

o Vulnerability Overview

The Oracle 8i database platform relies on multiple services for its
distributed client-server functionality. Services that are dependent
upon TNS include the TNS Listener, Oracle Name Service and the Oracle
Connections Manager. These servers accept client requests and establish
TNS data connections between the clients and the services.
TNS connections allow clients and services to communicate over a network
via a common API, regardless of the network transport protocol used on
either end (TCP/IP, IPX, etc.). The foundation of TNS is the session-layer
protocol Net8 (SQLNet).

The services reliant upon the TNS protocol are critical to an Oracle
database environment. The TNS Listener is responsible for maintaining
remote communications with Oracle database services, the Oracle Names
Service implements database name resolution, and the Oracle Connections
Manager is responsible for managing connections to the database
services. In a default installation, the TNS Listener resides on TCP
port 1521, the Names Service on TCP port 1575, and the Connections
Manager on TCP ports 1630 (gateway services) and 1830 (administration
services).

A vulnerability exists in the TNS libraries which process Net8 (SQLNet)
packets. It enables an attacker to mount a denial of service attack
against any of the above services by issuing a malformed SQLNet
connection request.
______________________________________________________________________

Detailed Information:

A Net8 (SQLNet) connection is made by the client sending an SQLNet
packet of Type-1 (NSPTCN) to the service, requesting a connection.
SQLNet packets contain a general header and type-specific header
extensions. A Type-1 packet contains two fields in the type-specific
header extensions that specify the offset and the length of the
connection data within the packet. These two fields are inadequately
verified: by specifying an offset which points to data beyond the
length of the packet, a memory read error is triggered, leading to
service termination.

The vulnerability occurs in an early stage of packet processing, before
any authentication or verification of the content takes place. This
allows for unlogged, unauthenticated remote denial of service attacks.
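As an added example (not part of the advisory and not Oracle's code), the bounds check the vulnerable TNS code lacked, written as a Python validator that a proxy or IDS could run on Type-1 packets before they reach the listener. The field layout (8-byte general header, 50 bytes of Type-1 extension fields, connect data normally at offset 58) is assumed from the publicly documented Net8 format rather than taken from the advisory, and the sample packets are constructed.

```python
import struct

TNS_HEADER_LEN = 8       # pkt length(2) pkt checksum(2) type(1) flags(1) hdr checksum(2)
NSPTCN = 1               # Type-1 packet: connection request (the name the advisory uses)
CONNECT_FIELDS_LEN = 50  # fixed Type-1 extension fields; layout assumed from public Net8 docs


def validate_tns_connect(packet: bytes) -> dict:
    """Parse a Type-1 packet and enforce the offset/length bounds check the advisory
    says was missing. Raises ValueError on a malformed header, else returns fields."""
    if len(packet) < TNS_HEADER_LEN:
        raise ValueError("truncated TNS header")
    pkt_len, _chk, ptype, _flags, _hchk = struct.unpack(">HHBBH", packet[:TNS_HEADER_LEN])
    if ptype != NSPTCN:
        raise ValueError(f"not a Type-1 connect packet (type {ptype})")
    if pkt_len != len(packet):
        raise ValueError(f"header claims {pkt_len} bytes, packet is {len(packet)}")
    if len(packet) < TNS_HEADER_LEN + CONNECT_FIELDS_LEN:
        raise ValueError("Type-1 extension fields truncated")
    # Assumed field order: version, compat version, service options, SDU, TDU,
    # NT proto characteristics, max pkts before ack, hardware-1, data length,
    # data offset (the remaining flag/trace fields are not needed for the check).
    f = struct.unpack(">10H", packet[TNS_HEADER_LEN:TNS_HEADER_LEN + 20])
    data_len, data_off = f[8], f[9]
    # Both bounds matter: an offset past the end of the packet (the advisory's
    # case) and a length that runs off the end from an otherwise valid offset.
    if not (TNS_HEADER_LEN + CONNECT_FIELDS_LEN <= data_off <= len(packet)):
        raise ValueError(f"connect data offset {data_off} lies outside the packet")
    if data_off + data_len > len(packet):
        raise ValueError(f"connect data {data_off}+{data_len} overruns {len(packet)}-byte packet")
    return {"version": f[0], "data_off": data_off, "data_len": data_len,
            "connect_data": packet[data_off:data_off + data_len]}


def is_malformed_connect(packet: bytes) -> bool:
    """Boolean wrapper for use in a detection rule or log enrichment."""
    try:
        validate_tns_connect(packet)
        return False
    except ValueError:
        return True


def build_connect_packet(connect_data: bytes) -> bytes:
    """Constructed, well-formed sample Type-1 packet (not captured traffic)."""
    body = struct.pack(">10HIBBII8s8s", 0x0136, 0x012C, 0, 2048, 32767, 0x4F98, 0, 1,
                       len(connect_data), TNS_HEADER_LEN + CONNECT_FIELDS_LEN,
                       2048, 0x41, 0x41, 0, 0, bytes(8), bytes(8))
    total = TNS_HEADER_LEN + len(body) + len(connect_data)
    return struct.pack(">HHBBH", total, 0, NSPTCN, 0, 0) + body + connect_data
```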
______________________________________________________________________

o Resolution

Oracle has produced a patch under bug number 1656431 which is available
for download from the Oracle Worldwide Support Services web site,
Metalink (http://metalink.oracle.com), for the platforms identified in
this advisory. The patch is in production for all supported releases of
the Oracle Database Server.

PGP Security's CyberCop Scanner risk-assessment tool has been updated to
detect this vulnerability.
______________________________________________________________________

o Credits

This vulnerability was discovered and documented by Nishad Herath of the
COVERT Labs at PGP Security.
______________________________________________________________________

o Contact Information

For more information about the COVERT Labs at PGP Security, visit our
website at http://www.pgp.com/covert or send e-mail to covert@nai.com
______________________________________________________________________

o Legal Notice

The information contained within this advisory is Copyright (C) 2001
Networks Associates Technology Inc. It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.

Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries. All other registered and unregistered trademarks
in this document are the sole property of their respective owners.
______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBOzpLqdwDUegFyneEEQJhRQCfRIhn+n8OwYL3OyxVtZfoc71Ul7UAn1p2
GImc/0PhShPJoBJNpuE82fvB
=ELUp
-----END PGP SIGNATURE-----