Oracle addresses 0-day “TNS Poison”

Update: Edited to reflect that Oracle has released a configuration workaround, not a patch.

This week Oracle released an out-of-band patch for the CVE-2012-1675 vulnerability in the Oracle Database Server V10 and V11, addressing a 0-day vulnerability that was recently published on the full-disclosure mailing list under the name “TNS Poison” by Joxean Koret.

Apparently Joxean discovered the vulnerability in 2008, then sold it to iSightPartners and was under the mistaken impression that the vulnerability was fixed in last month’s CPU, when he released his advisory. More details can be found in a follow-up post on the ful-disclosure list and a video of the vulnerability being exploited can be seen here.

The vulnerability is in the TNS listener part of the Oracle database server and allows an attacker to perform a man-in-the-middle attack by registering an additional database instance in the TNS listener. The listener will then start load-balancing traffic to the new instance.

This allows the attacker to receive the database transactions, record them and forward them to the original database. The attacker can potentially modify the transactions and execute commands on the original database server.

While Oracle recommends installing the patch as soon as possible, we believe that the position of the Oracle databases that need to be patched in your network plays an important role in determining your patch roll-out.

Production Oracle database installations typically do not expose their TNS listener to the Internet or even the enterprise network. A good map of your network environment will be helpful in determining where to act first.

Author: Wolfgang Kandek, CTO, Qualys.