Workarounds Abound While Oracle Scrambles To Patch Zero-Day Flaw
How to defend against attacks exploiting new privilege-escalation vulnerability in Oracle 10g, 11g databases
February 10, 2010
Special to Dark Reading
As the research community reels from the impact of an Oracle privilege escalation zero-day vulnerability publicly disclosed last week by database security expert David Litchfield at Black Hat D.C., database security experts recommend organizations implement workarounds as soon as possible while Oracle scrambles to develop a stable patch for the problem.
The vulnerability, which was disclosed to Oracle 110 days before Litchfield unveiled it, affects Oracle versions 10g and newer -- including 11g -- enabling malicious hackers to escalate account privileges and essentially take over the database and server it rests in.
The focus last week had a lot less to do with the vulnerability itself -- a fairly standard affair as far as database bugs go -- and more with how Litchfield pulled the wraps off of his discovery. Litchfield has had a long up-and-down history with Oracle, and some security experts say he short-changed the company on time to put together a patch before public disclosure in a bid to one-up Oracle before retiring from his database security company to pursue a second career in forensics. "He wanted to give a parting 'gift' to Oracle," says Slavik Markovich, CTO of Sentrigo, of Litchfield's disclosure.
But Litchfield says that's just not true: the real "gift" to Oracle was his conclusion that Oracle security had considerably improved, he says. He gave a nod to Oracle at during the bug disclosure at Black Hat, saying that Oracle's 11g is "vastly superior" security-wise compared to its software two years ago.
Sentrigo's Markovich and others, such as Josh Shaul, vice president of product management for Application Security (AppSec), believe that even though the vulnerability is serious, organizations have a number of ways to mitigate the risk before Oracle releases a patch.
"The good news there is that these vulnerabilities all are in a set of Oracle functions that ship with the database, and Oracle's access control system can eliminate or reduce the risk by preventing users from accessing the vulnerable functions," Shaul says. "There's a great workaround, and it boils down to using the security features that Oracle ships in the database. It becomes in the end a fairly simple configuration and some testing to make sure that by making that configuration change, that everything continues to work."
Litchfield had also demonstrated the workarounds for the bug during his talk at Black Hat.
Sentrigo's Markovich says it is just a matter of revoking privileges to the relevant packages, which had default settings that were left wide open.
"Doing a bit of research, it looks like not a lot of things are actually using these packages, and they don't have any direct dependencies, so it looks like it is possible to just revoke the privileges," Sentrigo's Markovich says. "In that case, you will be protected without breaking anything."
Both Markovich and Shaul say this type of zero-day vulnerability should serve as a wake-up call to organizations to reduce their risks by surveying default settings, such as those highlighted by this disclosure, revoke unnecessary privileges, and uninstall database packages and applications irrelevant to the business. "It's very important to decrease your attack surface by default," Markovich says.
Sentrigo knew about the vulnerability in advance and has already offered customers protection that requires no intervention, he says.
Meanwhile, AppSec announced this week it is offering help to both customers and noncustomers. AppSec's customers received notice on Monday of an update that will detect the vulnerability, and the vendor has offered guidance and scripts to fix the problem automatically using Oracle access controls.
"For folks who aren't our customers, we're offering a free download of our product, and we're offering a document that has very specific and detailed instructions on how to use that download of our product in the same way to identify and contain the issue," Shaul explains.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like