Vulnerability

    Oracle Listener

Affected

    Oracle

Description

The following is based on an Internet Security Systems Security Advisory. Internet Security Systems (ISS) X-Force has identified four Denial of Service attacks against the Oracle listener service:

1. Offset_to_data value too large
2. Requester_version value incorrect
3. Maximum Transport Data size too small
4. Fragmentation attack

These vulnerabilities allow an unauthenticated user to prevent other users from connecting to the database. As a result, the Oracle database becomes inaccessible.

1. Offset_to_data value too large
=================================

When connecting to an Oracle database, a connection is first made to the listener process. This initial packet contains command data, such as the instance to connect to and the client information. This packet also contains a header with a field indicating the offset to the Oracle command data. If this offset is set to an arbitrarily large value that the listener does not expect, then the listener will crash. This vulnerability exists on Oracle 7.3 and 8i (not 8.0) installations of Unix, but does not affect Oracle versions running on Windows NT/2000.

2. Requester_version value incorrect
====================================

When connecting to an Oracle database, a connection is first made to the listener process. This initial packet contains command data, such as the instance to connect to and the client information. This packet also contains a header with a field indicating the version of the client drivers and the offset to the Oracle command data. If the version of the driver does not match the appropriate offset to the command data, the listener will crash. This vulnerability exists on Oracle 8.0 and later installations for all platforms.

3. Maximum Transport Data Size too small
========================================

When connecting to an Oracle database, a connection is first made to the listener process. This initial packet contains command data, such as the instance to connect to and the client information. This packet also contains a header with a field indicating the maximum transport data size of the client's network. If the maximum transport data size is set to 0, the listener will crash. This vulnerability exists on Oracle8i on Sun Solaris.

4. Fragmentation Attack
=======================

In addition to TCP/IP fragmentation, Oracle allows commands to be fragmented at the application layer. This fragmentation allows commands to be sent in two or more different packets. If the first packet of a fragmented command is repeatedly sent and not followed up with the remainder of the command, the listener hangs waiting for the completion of these commands. This vulnerability exists on all versions of the listener.

Solution

Oracle has fixed these security vulnerabilities in Oracle9i. Oracle is in the process of backporting the fix to supported Oracle 8i Releases 8.1.7 and 8.1.6 on all Unix platforms. Please check Metalink periodically for patch availability if the patch for your platform is not yet available.

Oracle recommends using Oracle Advanced Security (an option to the Enterprise Edition of the Oracle Database Server) to encrypt network traffic and avoid packet capture and replay attacks. Oracle Advanced Security also provides checksumming that verifies the data integrity of network packets.
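
As an added example (not part of the ISS advisory and not Oracle code), the Python check below flags the header conditions from sections 1 and 3 in a captured listener CONNECT packet, for use in a network sensor or a filtering proxy in front of an unpatched listener. The field layout (8-byte TNS header, big-endian CONNECT body with the transport data size as the fifth field and the data offset as the tenth) is an assumption taken from public protocol dissectors, since the advisory does not give it; the function names and the sample packets are constructed for illustration.

```python
import struct

# Assumed layout (not stated in the advisory): 8-byte TNS header, then the
# CONNECT body, all fields big-endian.
TNS_HEADER = struct.Struct(">HHBBH")   # length, checksum, type, flags, header checksum
CONNECT_BODY = struct.Struct(">10H")   # version ... connect-data length, data offset
TNS_TYPE_CONNECT = 1
MIN_OFFSET = TNS_HEADER.size + CONNECT_BODY.size   # 28 bytes of fixed fields


def check_connect(pkt: bytes) -> list:
    """Return findings for one reassembled TNS packet ([] means nothing flagged)."""
    if len(pkt) < TNS_HEADER.size:
        return ["truncated TNS header"]
    length, _, ptype, _, _ = TNS_HEADER.unpack_from(pkt, 0)
    if ptype != TNS_TYPE_CONNECT:
        return []                      # only the initial CONNECT packet is inspected
    if len(pkt) < MIN_OFFSET:
        return ["truncated CONNECT body"]
    fields = CONNECT_BODY.unpack_from(pkt, TNS_HEADER.size)
    tdu, data_off = fields[4], fields[9]
    findings = []
    # Section 1: offset to the command data points past the declared packet end.
    if data_off > length:
        findings.append("offset_to_data %d beyond packet length %d" % (data_off, length))
    # Section 3: maximum transport data size of 0.
    if tdu == 0:
        findings.append("maximum transport data size is 0")
    return findings


def sample_connect(tdu: int, data_off: int, data: bytes) -> bytes:
    """Constructed sample packet for exercising the check; values are illustrative."""
    body = CONNECT_BODY.pack(0x0136, 0x012C, 0, 2048, tdu, 0, 0, 1, len(data), data_off)
    pad = b"\x00" * 6                  # command data starts at byte 34 in the samples
    length = MIN_OFFSET + len(pad) + len(data)
    return TNS_HEADER.pack(length, 0, TNS_TYPE_CONNECT, 0, 0) + body + pad + data


if __name__ == "__main__":
    data = b"(DESCRIPTION=(CONNECT_DATA=(SID=EXAMPLE)))"   # constructed connect string
    for name, pkt in [("normal", sample_connect(32767, 34, data)),
                      ("offset past end", sample_connect(32767, 0xFFFF, data)),
                      ("zero transport size", sample_connect(0, 34, data))]:
        print(name, check_connect(pkt))
```

The check does not cover sections 2 and 4: the advisory does not say which offset is appropriate for which driver version, and the fragmentation condition needs per-connection state rather than a single-packet test.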