Wednesday, April 18, 2007

Triage For Oracle Critical Patch Updates

tri•age (from dictionary.com)

–noun

1. the process of sorting victims, as of a battle or disaster, to determine medical priority in order to increase the number of survivors.

2. the determination of priorities for action in an emergency.


As always, our focus at Threat Center is on remotely exploitable vulnerabilities. Our interest in privilege escalations and local attacks takes a back seat to vulnerabilities where an anonymous attacker could compromise your business.

Yesterday was Oracle's quarterly "Critical Patch Update" or CPU. This round they released fixes for 36 new security issues across the following products:
  • Oracle Database
  • Oracle Secure Enterprise Search
  • Oracle Application Server
  • Oracle Collaboration Suite
  • Oracle E-Business Suite
  • Oracle Enterprise Manager
  • Oracle PeopleSoft Enterprise

In other words, just about every Oracle product is affected. The Suites listed above include numerous programs such as the Oracle Portal, Oracle Streams, Oracle iSupport, Oracle iStore, Oracle Applications Manager, Oracle Agent, and more. For details on all of the patches, view Oracle's security advisory. For a quick triage of the updates, read on below.

Oracle Database


DB01 Core RDBMS Authentication Bypass on Windows
This flaw was reported to Oracle in 2002. Exploiting this flaw is trivial and can be done remotely by an unauthenticated attacker... but you probably aren't affected.

This flaw is specific to Oracle databases running on Windows machines that have "Simple File Sharing" enabled. Simple File Sharing allows a user to share files with anyone without the hassle of managing usernames and passwords. All users are authenticated as Guest regardless of the username or password they provide. If Oracle is configured to use OS-based authentication on a machine with Simple File Sharing enabled, then every attempt to authenticate against the database as any user will be successful. Hopefully if you're running Oracle Database on a Windows machine you aren't also doing any kind of file sharing, and especially not the free-for-all file sharing that is "Simple File Sharing."

David Litchfield has a paper with the full details.


DB05 Authentication Component Logon Trigger Bypass
This is a flaw that requires login credentials and usually wouldn't merit a mention, but it could allow users to bypass logon triggers. These are frequently used to control access by time of day, IP, and other factors or to add extra audit trails, etc. Many of the fixed flaws in this batch that do require a user to first log in may be more dangerous if the user first takes advantage of this logon trigger bypass flaw.
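To show what is at stake when DB05 lets an authenticated user skip the trigger, here is a typical database logon trigger of the kind described above: it records every session and refuses one account outside office hours or off the internal network. This is an added illustration, not code from the original post; the audit table, the REPORT_USER account and the 10.1.x.x address range are assumed values.

```sql
-- Added illustration (not from the original post). Assumed names: the
-- sec_logon_audit table, the REPORT_USER account and the 10.1.x.x network.
CREATE TABLE sec_logon_audit (
  logon_time  TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user     VARCHAR2(128),
  os_user     VARCHAR2(128),
  client_ip   VARCHAR2(64),
  client_mod  VARCHAR2(128)
);

CREATE OR REPLACE TRIGGER trg_restrict_logon
  AFTER LOGON ON DATABASE
DECLARE
  -- Autonomous so the audit row is committed even when we then refuse the logon.
  PRAGMA AUTONOMOUS_TRANSACTION;
  v_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_ip   VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_hour NUMBER        := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
BEGIN
  -- Audit trail: one row per session, written before any policy decision.
  INSERT INTO sec_logon_audit (db_user, os_user, client_ip, client_mod)
  VALUES (v_user,
          SYS_CONTEXT('USERENV', 'OS_USER'),
          v_ip,
          SYS_CONTEXT('USERENV', 'MODULE'));
  COMMIT;

  -- Policy for the assumed reporting account: internal network only,
  -- 07:00 to 18:59 only. Local (bequeath) sessions carry no IP_ADDRESS,
  -- so a NULL address is treated as outside the allowed network.
  IF v_user = 'REPORT_USER' THEN
    IF v_ip IS NULL OR v_ip NOT LIKE '10.1.%' OR v_hour < 7 OR v_hour >= 19 THEN
      RAISE_APPLICATION_ERROR(-20001,
        'Logon for ' || v_user || ' refused from ' || NVL(v_ip, 'local') ||
        ' at hour ' || v_hour);
    END IF;
  END IF;
END;
/
```

Accounts holding ADMINISTER DATABASE TRIGGER (SYS among them) are not locked out by an error raised in a logon trigger, and DB05 shows that ordinary users may also slip past it, so a trigger like this supplements patching rather than replacing it.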


Oracle Enterprise Manager


EM01 Oracle Agent Authentication Bypass

A person can connect to the Oracle Agent and shut it down without authentication.


Oracle Application Server


AS04 and AS05 Oracle Portal Component Flaws
Two flaws in Oracle Portal can be remotely exploited over HTTP to gain access to the system. Authentication is not required and one of them is rated as easy to exploit. This involves some kind of parameter tampering, but we don't have more details at this time.


Oracle E-Business Suite


APPS02 Oracle iProcurement and APPS03 Oracle Report Manager
The vulnerable pages for both of these components are blocked by default by the URL firewall and are therefore not of high concern.


APPS05 and APPS06 Oracle iStore Parameter Tampering Issues
While these two bugs both require authenticated users, an anonymous user can self-register and get an account that way. Once they have an account, the attacker can get unauthorized access to information such as order information for other users. It isn't clear, but this may include access to credit card data. Because of this possibility, and the fact that Oracle says the exploit is of low complexity, we're rating this as a serious vulnerability. If you use the Oracle iStore, upgrade your software right away.


And that's it for the vulnerabilities that look serious to us. For the less serious vulnerabilities where authenticated users are able to gain elevated privileges, there are some exploits in the wild, so if you have strict trust settings, you will want to get going on installing these patches.

Of course we recommend installing all of the patches as soon as possible. If you need time to test the patches before installing, then start with the ones listed above.

Note from the sponsor: Many of the flaws that are fixed in this month's Oracle CPU center around SQL Injection and Cross Site Scripting. eSoft's Intrusion Prevention Softpak provides generic protection for many of these types of attacks. To prevent these types of attacks in the future, refer to eSoft's newest whitepaper, 10 Tips to Better Security.
