Reference: CERT-EU Security Advisory 2011-0008
Title: Oracle Database Server PITRIG_DROPMETADATA Remote Buffer Overflow Vulnerability
Version history: 08.11.2011 Initial publication

Summary
=======

Oracle Database Server is prone to a buffer overflow discovered in 2007 which remains unpatched [1][2]. Exploit code has become available [3], which raises the criticality of this advisory.

CVE-2007-4517

Potential impact
================

Authenticated remote attackers may exploit this vulnerability to execute arbitrary code in the context of the database account, because the database server fails to perform adequate boundary checks on user-supplied data. The attack may also lead to denial of the database services.

The attacker first needs to gain access to an authenticated connection (e.g., via stolen credentials or session hijacking) and then constructs a malicious payload for the 'XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA' procedure.

CVSS Version 2 Scores

CVSS2 Base              6.5
CVSS2 Temporal          6.2
CVSS2 Base Vector       AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS2 Temporal Vector   E:F/RL:U/RC:C

Access Vector: Remotely exploitable;
Access Complexity: Low;
Authentication: One instance of authentication is required;
Impact Type: Allows unauthorized disclosure and modification of information and service disruption;
Exploitability: Functional exploit code is available;
Remediation Level: There is no patch available;
Report Confidence: The vulnerability has been acknowledged by the vendor;

Vulnerable Systems
------------------

Oracle Oracle10g Enterprise Edition 10.2.0.1
Oracle Oracle10g Enterprise Edition 10.2.0.2
Oracle Oracle10g Enterprise Edition 10.2.0.3
Oracle Oracle10g Personal Edition 10.2.0.1
Oracle Oracle10g Personal Edition 10.2.0.2
Oracle Oracle10g Personal Edition 10.2.0.3
Oracle Oracle10g Standard Edition 10.2.0.1
Oracle Oracle10g Standard Edition 10.2.0.2
Oracle Oracle10g Standard Edition 10.2.0.3

What can you do?
================

Solution
--------

No fix is currently available. The vendor is developing a fix to address this problem in a future release.

Work-arounds:
------------

No effective work-arounds have been identified. Until a fix is available, the following compensating controls can be put in place:

Deploy network intrusion detection systems to monitor network traffic for malicious activity. Also monitor network traffic for signs of anomalous or suspicious activity, including requests that include NOP sleds and unexplained incoming and outgoing traffic, as these may be indications of exploit attempts or activity that results from successful exploits.

Limit privileged access to trusted individuals only, as this can greatly reduce the likelihood of attacks. Also implement network filtering so that only the required sources can access the database.

Implement multiple redundant layers of security.

Enable the memory-protection schemes if supported by the operating system/server (such as non-executable and randomly mapped memory segments). This may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.

What to tell your users?
========================

This vulnerability does not concern the end users. Only the system administrators need to take action.
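The "limit privileged access" and monitoring controls listed above can be applied directly to the affected package. The following statements are an added example, not part of the CERT-EU advisory; they assume a DBA session on an affected 10.2.0.x instance with the audit_trail initialisation parameter set to DB or DB,EXTENDED so that object audit records are written to DBA_AUDIT_TRAIL.

```sql
-- Added example (not from the CERT-EU advisory): inventory, audit and
-- optionally restrict access to the vulnerable package XDB.XDB_PITRIG_PKG.
-- Assumes a DBA session and audit_trail = DB (or DB,EXTENDED).

-- 1. Which grantees (users, roles, or PUBLIC) can invoke the package?
--    Every row here is an account that can reach PITRIG_DROPMETADATA
--    once it holds an authenticated connection.
SELECT grantee, grantor, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'XDB'
   AND table_name = 'XDB_PITRIG_PKG'
 ORDER BY grantee;

-- 2. Which named users reach the package through a role (one level of
--    role nesting shown; extend for deeper role hierarchies)?
SELECT DISTINCT r.grantee AS username, r.granted_role
  FROM dba_role_privs r
  JOIN dba_tab_privs p ON p.grantee = r.granted_role
 WHERE p.owner = 'XDB'
   AND p.table_name = 'XDB_PITRIG_PKG'
   AND r.grantee IN (SELECT username FROM dba_users)
 ORDER BY username;

-- 3. Record every execution of the package until the vendor fix ships.
AUDIT EXECUTE ON xdb.xdb_pitrig_pkg BY ACCESS;

-- 4. Detection query: who called the package, from which host, and
--    whether the call failed. This package is rarely used by normal
--    applications, so any row deserves an analyst's attention.
SELECT username, userhost, timestamp, action_name, returncode
  FROM dba_audit_trail
 WHERE owner = 'XDB'
   AND obj_name = 'XDB_PITRIG_PKG'
 ORDER BY timestamp DESC;

-- 5. If step 1 shows a grant to PUBLIC that no application depends on
--    (an assumption to confirm in a test environment first), removing it
--    shrinks the set of accounts able to reach the vulnerable procedure.
-- REVOKE EXECUTE ON xdb.xdb_pitrig_pkg FROM PUBLIC;
```

A server process that crashes during a failed exploit attempt may not write its audit row, so pair the detection query with the instance alert log, where such crashes appear as ORA-07445 entries.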
More information
================

[1] http://www.securityfocus.com/bid/26374/info
[2] http://www.securityfocus.com/archive/1/4732298A.3@idefense.com
[3] http://downloads.securityfocus.com/vulnerabilities/exploits/26374.txt

Best regards,

--
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383