


Workarounds Abound While Oracle Scrambles To Patch Zero-Day Flaw

How to defend against attacks exploiting new privilege-escalation vulnerability in Oracle 10g, 11g databases

Special to Dark Reading

As the research community reels from the impact of an Oracle privilege escalation zero-day vulnerability publicly disclosed last week by database security expert David Litchfield at Black Hat D.C., database security experts recommend organizations implement workarounds as soon as possible while Oracle scrambles to develop a stable patch for the problem.

The vulnerability, which was reported to Oracle 110 days before Litchfield unveiled it, affects Oracle versions 10g and newer, including 11g. It lets an attacker who already holds a low-privileged database account escalate those privileges and essentially take over the database and the server hosting it.

The focus last week had a lot less to do with the vulnerability itself -- a fairly standard affair as far as database bugs go -- and more to do with how Litchfield pulled the wraps off his discovery. Litchfield has had a long up-and-down history with Oracle, and some security experts say he short-changed the company on time to put together a patch before public disclosure, in a bid to one-up Oracle before leaving his database security company to pursue a second career in forensics. "He wanted to give a parting 'gift' to Oracle," says Slavik Markovich, CTO of Sentrigo, of Litchfield's disclosure.

But Litchfield says that's just not true: the real "gift" to Oracle was his conclusion that Oracle security had considerably improved, he says. He gave a nod to Oracle during the bug disclosure at Black Hat, saying that Oracle's 11g is "vastly superior" security-wise compared to its software of two years ago.

Sentrigo's Markovich and others, such as Josh Shaul, vice president of product management at Application Security (AppSec), believe that even though the vulnerability is serious, organizations have a number of ways to mitigate the risk before Oracle releases a patch.

"The good news there is that these vulnerabilities all are in a set of Oracle functions that ship with the database, and Oracle's access control system can eliminate or reduce the risk by preventing users from accessing the vulnerable functions," Shaul says. "There's a great workaround, and it boils down to using the security features that Oracle ships in the database. It becomes in the end a fairly simple configuration and some testing to make sure that by making that configuration change, that everything continues to work."

Litchfield also demonstrated the workarounds for the bug during his talk at Black Hat.

Sentrigo's Markovich says it is just a matter of revoking privileges on the relevant packages, whose default grants left them open to every database user.

"Doing a bit of research, it looks like not a lot of things are actually using these packages, and they don't have any direct dependencies, so it looks like it is possible to just revoke the privileges," Sentrigo's Markovich says. "In that case, you will be protected without breaking anything."

Both Markovich and Shaul say this type of zero-day vulnerability should serve as a wake-up call to organizations to reduce their risk by surveying default settings, such as those highlighted by this disclosure, revoking unnecessary privileges, and uninstalling database packages and applications irrelevant to the business. "It's very important to decrease your attack surface by default," Markovich says.
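The workaround the experts describe, survey the default grants, check for dependencies, revoke, then re-grant narrowly, is shown below as an added Oracle SQL example. It is not code from the article, from Oracle, or from either vendor quoted, and it deliberately does not name the affected packages, which the article does not identify; SYS.EXAMPLE_PKG is a placeholder to be replaced with whatever package a vendor advisory names. It is meant to be run as a DBA account (SQL*Plus or similar) and goes a step beyond the article by first listing every SYS package that PUBLIC can execute, so the same check covers other over-broad defaults, not just this one.

```sql
-- Added example (not from the article, Oracle, or the quoted vendors).
-- SYS.EXAMPLE_PKG is a placeholder name; substitute the real package.

-- 1. Survey: which SYS-owned packages can every account execute by default?
--    This is the attack surface that default EXECUTE grants to PUBLIC expose.
SELECT owner, table_name AS package_name, privilege
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND owner     = 'SYS'
   AND table_name IN (SELECT object_name
                        FROM dba_objects
                       WHERE owner = 'SYS' AND object_type = 'PACKAGE')
 ORDER BY table_name;

-- 2. Before revoking, find objects outside SYS that reference the package,
--    so the change does not silently invalidate an application's own code.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name  = 'EXAMPLE_PKG'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, name;

-- 3. Revoke the default grant from PUBLIC.
REVOKE EXECUTE ON sys.example_pkg FROM PUBLIC;

-- 4. Re-grant only to the specific schemas that step 2 showed still need it
--    (APP_OWNER is a placeholder account name).
-- GRANT EXECUTE ON sys.example_pkg TO app_owner;

-- 5. Verify: expect 0 rows remaining for PUBLIC on this package.
SELECT COUNT(*) AS public_execute_grants_remaining
  FROM dba_tab_privs
 WHERE grantee    = 'PUBLIC'
   AND owner      = 'SYS'
   AND table_name = 'EXAMPLE_PKG'
   AND privilege  = 'EXECUTE';
```

Step 2 only sees static references recorded in the data dictionary; code that calls the package through dynamic SQL or from outside the database will not appear there, which is why Shaul's "some testing" after the configuration change still matters. Step 1 is worth running on its own even after Oracle ships a patch, since it lists every default PUBLIC execute grant, not just the ones tied to this disclosure.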

Sentrigo knew about the vulnerability in advance and has already offered its customers protection that requires no action on their part, he says.

Meanwhile, AppSec announced this week it is offering help to both customers and noncustomers. AppSec's customers received notice on Monday of an update that will detect the vulnerability, and the vendor has offered guidance and scripts to fix the problem automatically using Oracle access controls.

"For folks who aren't our customers, we're offering a free download of our product, and we're offering a document that has very specific and detailed instructions on how to use that download of our product in the same way to identify and contain the issue," Shaul explains.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
