Date: Thu, 26 Apr 2012 09:13:25 +0200
From: Joxean Koret <joxeankoret@...oo.es>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Oracle TNS Poison vulnerability is actually a 0day with no patch
 available

Hi all,

Short history:

The remote pre-authenticated vulnerability with CVSS2 10 I published
some days ago [1], the vulnerability I called Oracle TNS Poison
(reported to vendor in 2008), is a 0day affecting all database versions
from 8i to 11g R2. There is no patch at all for this vulnerability and
Oracle refuses to write a patch for *ANY* existing versions, even for
Oracle 11g R2. So, yes, ALL versions are vulnerable and will remain
vulnerable.

As I published many workarounds for this vulnerability I believe it's
better to make this information public so Oracle database's customers
can protect themselves.

Long history: 

Some days ago, after the release of Oracle Critical Patch Update April
2012, a friend of mine told me that Oracle gave me credit in the
"Security-In-Depth" program for a vulnerability they fixed. After this,
I asked both Oracle and iSightPartners (the company I sold the
vulnerability in 2008) for information about the vulnerability they
fixed in this CPU. Oracle told us that the vulnerability with tracking
id #13793589 (the TNS poison vulnerability) was the one fixed.

As the vulnerability was fixed, there was no reason not to publish
information about it any more and I decided to publish an advisory, a
document explaining the vulnerability and a proof of concept. So far, so
good.

However, I was suspicious about an statement Oracle people wrote me in
an e-mail as, in their words, the vulnerability "was fixed in future
releases of the product". Eeeeh... "was" and "in the future"? As it
makes no sense, I sent Oracle an e-mail asking for details about the
fix:

On 4/19/2012 12:53 PM, Joxean Koret wrote:
(...)
> How can customers with current versions installed fix this
> vulnerability? Do they have to wait until the next version? Just out
> of curiosity.

And Oracle answered me with excuses ("excusatio non petita, accusatio
manifesta"):

> We had to make the hard choice of fixing it in the release and not in
> the CPU because:
> 
>   * The fix is very complex and it is extremely risky to backport.
>   * This fix is in a sensitive part of our code where
>     regressions are a concern.
>   * Customers have requested that Oracle not include such
>     security fixes into Critical Patch Updates that increases the
>     chance of regressions.

As they refused to answer it clearly, I asked them once again in a more
simple way about the "fix" for the vulnerability: 

On 4/23/2012 9:20 AM, Joxean Koret wrote:
(..)
> Just a final question: Does it mean that all current versions are
> vulnerable and the vulnerability will only be fixed in next products
> like, say, 11g R3 or 12g?

And Oracle, believing I'm stupid or something like this, answered me the
following:

> To protect the interest of our customers, we do not provide these
> level of details (like versions affected) for the issues that are
> addressed as in-depth. The future releases will have the fix.

So, as previously stated, this is a 0day vulnerability with no patch,
Oracle refuses to patch the vulnerability in *any* existing version and
Oracle refuses to give details about which versions will have the fix.
But they say the vulnerability is fixed. Cool.

Oracle security people: For the next time, don't say that a
vulnerability is fixed in a Critical Patch Update if the patch is not
published. Your customers are not interested if the vulnerability is
fixed in your development version, they only care about the
vulnerability being fixed in the versions they are using in production
systems.

PS: I must admit that being Oracle, that confusion doesn't surprises me
at all.

[1] http://seclists.org/fulldisclosure/2012/Apr/204

Regards,
Joxean Koret


Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists