
Security Best Practice: Protect Yourself against Multiple Oracle Database Vulnerabilities


Check Point Reference: SBP-2007-11
Date Published:
Severity:
Source: Secunia Advisory: SA27526; Secunia Advisory: SA27251
Industry Reference(s): CVE-2007-4517, CVE-2007-5511, CVE-2006-3702, CVE-2006-2505, CVE-2004-1774, CVE-2002-0571
Protection Provided by: VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
Who is Vulnerable?
Oracle Database 10.2.0.2
Oracle Database 10.1.0.5
Oracle Database 9.2.0.7
Oracle Database 9.0.1.5
Oracle Database 8.1.7.4
Oracle Oracle9i Database Server
Oracle Database Server 10g Release 1 (versions 10.1.0.5 and prior)
Oracle Database Server 10g Release 2
Oracle Database 10g prior to 10.1.0.2 Patch 2
Vulnerability Description
Oracle Database Server is an enterprise-level relational database application suite. Multiple vulnerabilities were reported in Oracle Database Server which can be exploited to cause buffer overflows, execute arbitrary code, gain local user privileges and compromise an affected system.
Update/Patch Available
Update your product or apply patches:
Oracle
Vulnerability Details
Block PITRIG_DROPMETADATA Vulnerability - A buffer overflow vulnerability exists in Oracle Database. The vulnerability is due to a boundary error in the Oracle Database Server that fails to properly validate arguments supplied to the procedure PITRIG_DROPMETADATA. A remote attacker may exploit this issue to execute arbitrary code on the affected server or compromise the vulnerable system.

Block FINDRICSET SQL Injection - An SQL injection vulnerability exists in Oracle Database. The vulnerability is due to an error in the Oracle Database Server that fails to properly sanitize user supplied arguments of the SYS.LT.FINDRICSET function. A remote attacker can exploit this issue by embedding malicious SQL code as part of the vulnerable parameter. Successful exploitation of this vulnerability may allow the attacker to execute arbitrary code on the affected server or compromise the vulnerable system.

Block Vulnerable Oracle Functions - Multiple vulnerabilities exist in Oracle Database. The vulnerabilities are due to insufficient validation of vulnerable Oracle functions. These issues may be exploited by remote attackers to cause a denial of service condition, conduct SQL injection attacks or execute arbitrary commands on the affected server.

Block Multiple Buffer Overflow Vulnerabilities - Multiple vulnerabilities exist in Oracle Database. The vulnerabilities are due to buffer overflow errors that occur as a result of insufficient validation of vulnerable Oracle functions and flaws in various Oracle components. These issues may be exploited by remote attackers to cause a denial of service condition, conduct SQL injection attacks or execute arbitrary commands on the affected server.

Protection Overview

By enabling this protection, SmartDefense will detect and block the vulnerable Oracle Database commands and functions.

In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.


VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Database Protections > Oracle.



2. Select the following protections:

Block PITRIG_DROPMETADATA Vulnerability
Block FINDRICSET SQL Injection
Block Vulnerable Oracle Functions
Block Multiple Buffer Overflow Vulnerabilities

3. In the configuration pane, under Settings > Mode, check Active.



4. In the configuration pane, choose the Oracle TNS listener port (the default port is 1521). The Oracle TNS listener handles connections between Oracle clients and the Oracle server over the network. It listens on TCP port 1521 unless configured differently by the Oracle Database Administrator.

5. Enabling the "Inspect iSQL Plus traffic" protection makes SmartDefense detect and block access to the vulnerable procedures PITRIG_DROPMETADATA and FINDRICSET over iSQL Plus traffic (port 5560).
6. Enabling the "Inspect SMB traffic" protection makes SmartDefense detect and block access to the vulnerable procedures PITRIG_DROPMETADATA and FINDRICSET over the SMB protocol (ports 139 and 445).
7. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

When the "Block PITRIG_DROPMETADATA" protection is enabled:
Attack Name: Oracle Protection Violation
Attack Information:
Suspicious PITRIG_DROPMETADATA detected on TNS traffic
Suspicious PITRIG_DROPMETADATA detected on iSQL traffic
Suspicious PITRIG_DROPMETADATA detected on SMB traffic

When the "Block FINDRICSET SQL Injection" protection is enabled:
Attack Name: Oracle Protection Violation
Attack Information:
Suspicious FINDRICSET detected on TNS traffic
Suspicious FINDRICSET detected on iSQL traffic
Suspicious FINDRICSET detected on SMB traffic

When the "Block Buffer Overflow" protection is enabled:
Attack Name: Oracle Protection Violation
Attack Information:
SDO_CODE_SIZE function buffer overflow detected
Create database function buffer overflow detected

When the "Block Vulnerable Oracle Functions" protection is enabled:
Attack Name: Oracle Protection Violation
Attack Information:
Suspicious get_domain_index_metadata request detected
Suspicious get_domain_index_tables request detected
Suspicious get_v2_domain_index_tables request detected
Suspicious parse_as_user request detected
Suspicious validate_stmt request detected
Suspicious sys.dbms_metadata request detected
Suspicious activate_subscription request detected
Suspicious sys.dba_users request detected
Suspicious DBMS_SQL.PARSE request detected
Suspicious sys.kupw request detected

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Database Protections > Oracle.



2. Select the following protections:

Block PITRIG_DROPMETADATA Vulnerability
Block FINDRICSET SQL Injection
Block Vulnerable Oracle Functions
Block Multiple Buffer Overflow Vulnerabilities

3. In the configuration pane, choose the Oracle TNS listener port (the default port is 1521). The Oracle TNS listener handles connections between Oracle clients and the Oracle server over the network. It listens on TCP port 1521 unless configured differently by the Oracle Database Administrator.

4. Enabling the "Inspect iSQL Plus traffic" protection makes SmartDefense detect and block access to the vulnerable procedures PITRIG_DROPMETADATA and FINDRICSET over iSQL Plus traffic (port 5560).
5. Enabling the "Inspect SMB traffic" protection makes SmartDefense detect and block access to the vulnerable procedures PITRIG_DROPMETADATA and FINDRICSET over the SMB protocol (ports 139 and 445).
6. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

When the "Block PITRIG_DROPMETADATA" protection is enabled:
Attack Name: Oracle Protection Violation
Attack Information:
Suspicious PITRIG_DROPMETADATA detected on TNS traffic
Suspicious PITRIG_DROPMETADATA detected on iSQL traffic
Suspicious PITRIG_DROPMETADATA detected on SMB traffic

When the "Block FINDRICSET SQL Injection" protection is enabled:
Attack Name: Oracle Protection Violation
Attack Information:
Suspicious FINDRICSET detected on TNS traffic
Suspicious FINDRICSET detected on iSQL traffic
Suspicious FINDRICSET detected on SMB traffic

When the "Block Buffer Overflow" protection is enabled:
Attack Name: Oracle Protection Violation
Attack Information:
SDO_CODE_SIZE function buffer overflow detected
Create database function buffer overflow detected

When the "Block Vulnerable Oracle Functions" protection is enabled:
Attack Name: Oracle Protection Violation
Attack Information:
Suspicious get_domain_index_metadata request detected
Suspicious get_domain_index_tables request detected
Suspicious get_v2_domain_index_tables request detected
Suspicious parse_as_user request detected
Suspicious validate_stmt request detected
Suspicious sys.dbms_metadata request detected
Suspicious activate_subscription request detected
Suspicious sys.dba_users request detected
Suspicious DBMS_SQL.PARSE request detected
Suspicious sys.kupw request detected

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Database Protections > Oracle.



2. Select the following protections:

Block PITRIG_DROPMETADATA Vulnerability
Block FINDRICSET SQL Injection
Block Vulnerable Oracle Functions
Block Multiple Buffer Overflow Vulnerabilities

3. In the configuration pane, choose the Oracle TNS listener port (the default port is 1521). The Oracle TNS listener handles connections between Oracle clients and the Oracle server over the network. It listens on TCP port 1521 unless configured differently by the Oracle Database Administrator.

4. Enabling the "Inspect iSQL Plus traffic" protection makes SmartDefense detect and block access to the vulnerable procedures PITRIG_DROPMETADATA and FINDRICSET over iSQL Plus traffic (port 5560).
5. Enabling the "Inspect SMB traffic" protection makes SmartDefense detect and block access to the vulnerable procedures PITRIG_DROPMETADATA and FINDRICSET over the SMB protocol (ports 139 and 445).
6. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules #99951, #99950, #99889 and #99910 for Suspicious FINDRICSET, Suspicious PITRIG_DROPMETADATA, Vulnerable Oracle Functions and Multiple Buffer Overflow Vulnerabilities, respectively.

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Database Protections > Oracle.
2. Select the following protections:

Block PITRIG_DROPMETADATA Vulnerability
Block FINDRICSET SQL Injection
Block Vulnerable Oracle Functions
Block Multiple Buffer Overflow Vulnerabilities

3. In the configuration pane, choose the Oracle TNS listener port (the default port is 1521). The Oracle TNS listener handles connections between Oracle clients and the Oracle server over the network. It listens on TCP port 1521 unless configured differently by the Oracle Database Administrator.
4. Enabling the "Inspect iSQL Plus traffic" protection makes SmartDefense detect and block access to the vulnerable procedures PITRIG_DROPMETADATA and FINDRICSET over iSQL Plus traffic (port 5560).
5. Enabling the "Inspect SMB traffic" protection makes SmartDefense detect and block access to the vulnerable procedures PITRIG_DROPMETADATA and FINDRICSET over the SMB protocol (ports 139 and 445).
6. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules #99951, #99950, #99889 and #99910 for Suspicious FINDRICSET, Suspicious PITRIG_DROPMETADATA, Vulnerable Oracle Functions and Multiple Buffer Overflow Vulnerabilities, respectively.

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > Database Protections > Oracle.



3. Select the following protections:

Block PITRIG_DROPMETADATA Vulnerability
Block FINDRICSET SQL Injection
Block Vulnerable Oracle Functions
Block Multiple Buffer Overflow Vulnerabilities

4. In the configuration pane, choose the Oracle TNS listener port (the default port is 1521). The Oracle TNS listener handles connections between Oracle clients and the Oracle server over the network. It listens on TCP port 1521 unless configured differently by the Oracle Database Administrator.

5. Enabling the "Inspect iSQL Plus traffic" protection makes SmartDefense detect and block access to the vulnerable procedures PITRIG_DROPMETADATA and FINDRICSET over iSQL Plus traffic (port 5560).
6. Enabling the "Inspect SMB traffic" protection makes SmartDefense detect and block access to the vulnerable procedures PITRIG_DROPMETADATA and FINDRICSET over the SMB protocol (ports 139 and 445).
7. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

When the "Block PITRIG_DROPMETADATA" protection is enabled:
Attack Name: Oracle Protection Violation
Attack Information:
Suspicious PITRIG_DROPMETADATA detected on TNS traffic
Suspicious PITRIG_DROPMETADATA detected on iSQL traffic
Suspicious PITRIG_DROPMETADATA detected on SMB traffic

When the "Block FINDRICSET SQL Injection" protection is enabled:
Attack Name: Oracle Protection Violation
Attack Information:
Suspicious FINDRICSET detected on TNS traffic
Suspicious FINDRICSET detected on iSQL traffic
Suspicious FINDRICSET detected on SMB traffic

When the "Block Buffer Overflow" protection is enabled:
Attack Name: Oracle Protection Violation
Attack Information:
SDO_CODE_SIZE function buffer overflow detected
Create database function buffer overflow detected

When the "Block Vulnerable Oracle Functions" protection is enabled:
Attack Name: Oracle Protection Violation
Attack Information:
Suspicious get_domain_index_metadata request detected
Suspicious get_domain_index_tables request detected
Suspicious get_v2_domain_index_tables request detected
Suspicious parse_as_user request detected
Suspicious validate_stmt request detected
Suspicious sys.dbms_metadata request detected
Suspicious activate_subscription request detected
Suspicious sys.dba_users request detected
Suspicious DBMS_SQL.PARSE request detected
Suspicious sys.kupw request detected
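
The following is an added example, not Check Point code: a Python triage of exported log records that maps the Attack Information strings listed on this page (VPN-1 NGX R65/R62, R61/R60 and InterSpect NGX) back to the protection that logged them and, where stated, the inspected transport. The semicolon-separated record layout, the source addresses and the sample records are constructed assumptions; adjust the field split to match your actual export.

```python
import re
from collections import Counter

# Functions named in this page's "Block Vulnerable Oracle Functions" log entries.
FUNCS = ("get_domain_index_metadata get_domain_index_tables get_v2_domain_index_tables parse_as_user "
         "validate_stmt sys.dbms_metadata activate_subscription sys.dba_users DBMS_SQL.PARSE sys.kupw").split()
# Attack Information text -> protection that logs it (strings as listed on this page).
RULES = [
    (re.compile(r"Suspicious PITRIG_DROPMETADATA detected on (TNS|iSQL|SMB) traffic"),
     "Block PITRIG_DROPMETADATA"),
    (re.compile(r"Suspicious FINDRICSET detected on (TNS|iSQL|SMB) traffic"),
     "Block FINDRICSET SQL Injection"),
    (re.compile(r"(?:SDO_CODE_SIZE|Create database) function buffer overflow detected"),
     "Block Buffer Overflow"),
    (re.compile(r"Suspicious (?:%s) request detected" % "|".join(map(re.escape, FUNCS))),
     "Block Vulnerable Oracle Functions"),
]

def classify(info):
    """Return (protection, transport); transport is None when the entry names none."""
    for pattern, protection in RULES:
        m = pattern.fullmatch(info.strip())
        if m:
            return protection, (m.group(1) if m.groups() else None)
    return None, None

def triage(lines):
    """Count hits per (source, protection, transport); collect unrecognised entries."""
    hits, unknown = Counter(), []
    for line in lines:
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4 or fields[2] != "Oracle Protection Violation":
            continue  # some other log record
        protection, transport = classify(fields[3])
        if protection is None:
            unknown.append(line)  # review by hand rather than dropping it
        else:
            hits[(fields[1], protection, transport)] += 1
    return hits, unknown

# Constructed records in an assumed layout: time;source;attack name;attack information
SAMPLE = [
    "10:01:07;192.0.2.10;Oracle Protection Violation;Suspicious FINDRICSET detected on TNS traffic",
    "10:01:09;192.0.2.10;Oracle Protection Violation;Suspicious FINDRICSET detected on TNS traffic",
    "10:02:30;192.0.2.10;Oracle Protection Violation;Suspicious PITRIG_DROPMETADATA detected on iSQL traffic",
    "10:05:12;198.51.100.7;Oracle Protection Violation;Suspicious sys.dba_users request detected",
    "10:06:44;198.51.100.7;Oracle Protection Violation;Suspicious example_proc request detected",
]
print(triage(SAMPLE))
```

Repeated hits from one source across several transports (TNS on the listener port, iSQL Plus on 5560, SMB on 139/445) are worth correlating; entries returned in the second list carry an Attack Information string this page does not list.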