Vulnerability

    Oracle

Affected

    Oracle 8i (Standard and Enterprise) 8.1.5, 8.1.6, 8.1.7 and previous

Description

    Following  is   based  on   a  COVERT   Labs  Security    Advisory
    COVERT-2001-03.  A vulnerability  in the Oracle implementation  of
    the  TNS  (Transparent  Network  Substrate)  over  Net8   (SQLNet)
    protocol allows a remote user to mount a denial of service  attack
    against  any  Oracle  service  that  relies  upon  the   protocol,
    including  the  TNS  Listener,  Oracle  Name  Service  and  Oracle
    Connections Manager.

    Oracle 8i database  platform relies on  multiple services for  its
    distributed client server computing functionality.  Services  that
    are dependant upon the TNS  include the TNS Listener, Oracle  Name
    Service and the Oracle Connections Manager.  These servers  accept
    client requests  and establish  TNS data  connections between  the
    clients  and  the  services.   TNS  connections  allow clients and
    services  to  communicate  over  a  network  via  a  common   API,
    regardless of the  network transport protocol  used on either  end
    (TCP/IP, IPX, etc).   Foundation of the  TNS is the  session layer
    protocol Net8 (SQLNet).

    The services  reliant upon  the TNS  protocol are  critical to  an
    Oracle database environment.  The TNS Listener is responsible  for
    maintaining remote communications  with Oracle database  services,
    the Oracle Names Service implements database names resolution  and
    Oracle Connections Manager is responsible for managing connections
    to the  database services.   In a  default installation,  the  TNS
    Listener resides on TCP port 1521, Names Service on TCP port  1575
    and Connections Manager on  TCP ports 1630 (gateway  services) and
    1830 (administration services).

    A vulnerability  exists in  the TNS  libraries which  process Net8
    (SQLNet) packets.  This  vulnerability will enable an  attacker to
    mount a denial of service attack against any of the above services
    by issuing a malformed SQLNet connection request.

    A Net8 (SQLNet) connection is made by the client sending an SQLNet
    packet of Type-1 (NSPTCN) to the service, requesting a connection.
    SQLNet packets contain a  general header and type  specific header
    extensions.   A  Type-1  packet  contains  two  fields in the type
    specific header extensions that specify the offset and the  length
    of the connection  data within the  packet.  These  two fields are
    inadequately verified, thus by  specifying an offset which  points
    to data beyond the  length of the packet,  a memory read error  is
    triggered, leading to service termination.

    The  vulnerability  occurs  in  an  early  stage  of  the   packet
    processing,  before  any  authentication  or  verification  of the
    content takes place.   This allows for unlogable,  unauthenticated
    remote denial of service attacks.

    These  vulnerabilities  were  discovered  and documented by Nishad
    Herath of the COVERT Labs at PGP Security.

Solution

    Oracle has  produced a  patch under  bug number  1656431 which  is
    available for download from the Oracle Worldwide Support  Services
    web site for the platforms identified.  The patch is in production
    for all supported releases of the Oracle Database Server.