Update Protection against Oracle TimesTen evtdump Remote Format String Vulnerability

Check Point Reference: CPAI-2009-021
Date Published:
Severity:
Last Updated:
Source: Secunia Advisory: SA33525
Industry Reference(s): CVE-2008-5440
Protection Provided by: VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
VSX
  • NGX R65
InterSpect
  • NGX
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Oracle TimesTen In-Memory Database 7.0.5.0.0
Vulnerability Description
A format string vulnerability was reported in Oracle TimesTen In-Memory Database. Oracle TimesTen In-Memory Database is a product for real-time data management and is used for performance-critical functions in environments like real-time enterprises, telecom, capital markets and defense. The flaw is due to an input error when processing HTTP requests sent to a vulnerable installation of Oracle TimesTen. Remote authenticated attackers can exploit this vulnerability by sending specially crafted messages to the affected interface. Successful exploitation can lead to arbitrary code execution.
Update/Patch Available
Apply patches:
Oracle Critical Patch Update Advisory
Vulnerability Details
The specific flaw resides in the evtdump CGI module, a module used for writing to an internal log file. The parameter 'msg' does not properly sanitize format string tokens, potentially leading to execution of arbitrary code.

Protection Overview

By enabling this protection, SmartDefense will detect and block attempts to exploit the format string vulnerability in Oracle's evtdump CGI.
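
The following is an added example, not Check Point's signature or Oracle's code: a minimal Python check that flags printf-style format tokens in the decoded 'msg' parameter of a request to the evtdump CGI. It assumes 'msg' arrives in the query string; the function name, the `/example/` path prefix and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# One printf-style conversion: %[n$][flags][width][.precision][length]conversion
FORMAT_TOKEN = re.compile(
    r"%(?:\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|L|j|z|t)?[diouxXeEfgGaAcspn]"
)

def evtdump_format_tokens(request_line):
    """Return the format tokens in the decoded 'msg' parameter of a request
    to the evtdump CGI, or [] when the request is out of scope or clean."""
    parts = request_line.split()
    if len(parts) < 2:
        return []                      # not a parsable request line
    url = urlsplit(parts[1])
    if not url.path.lower().endswith("/evtdump"):
        return []                      # some other resource
    hits = []
    # parse_qs percent-decodes first, so an encoded byte such as %A9 is not
    # mistaken for a token, while %25n decodes to the token %n and is caught.
    for value in parse_qs(url.query, keep_blank_values=True).get("msg", []):
        hits.extend(m.group(0) for m in FORMAT_TOKEN.finditer(value))
    return hits

# Constructed request lines; the /example/ prefix is a placeholder path.
SAMPLES = [
    "GET /example/evtdump?msg=backup+finished HTTP/1.0",
    "GET /example/evtdump?msg=caf%C3%A9 HTTP/1.0",
    "GET /example/evtdump?msg=%25x.%25x HTTP/1.0",
    "GET /example/evtdump?msg=%2508x%25n HTTP/1.0",
    "GET /example/status?msg=%25x HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        tokens = evtdump_format_tokens(line)
        print("ALERT" if tokens else "ok   ", tokens, line)
```

Scanning the raw, undecoded query instead would misread the encoded byte `%A9` in the second sample as a token, which is why the check decodes before matching.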

In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Database Protections > Oracle > Oracle TimesTen In-Memory Database evtdump CGI Module Format String.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Oracle Protection Violation
Attack Information: Oracle TimesTen in-memory database evtdump CGI module format string

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Database Protections > Oracle.
2. Select the following protection:

Oracle TimesTen In-Memory Database evtdump CGI Module Format String

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Oracle Protection Violation
Attack Information: Oracle TimesTen in-memory database evtdump CGI module format string

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Database Protections > Oracle > Oracle TimesTen In-Memory Database evtdump CGI Module Format String.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Oracle Protection Violation
Attack Information: Oracle TimesTen in-memory database evtdump CGI module format string

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > Database Protections > Oracle.
3. Select the following protection:

Oracle TimesTen In-Memory Database evtdump CGI Module Format String

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Oracle Protection Violation
Attack Information: Oracle TimesTen in-memory database evtdump CGI module format string

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW2, and select the CGI Attacks protection group.
3. Click Oracle TimesTen In-Memory Database CGI Format String Overflow (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

Please note that the WWW2 package must also be configured to monitor HTTP traffic on port 17000.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

 Alert Name: WWW/CGI Attacks Protection Group
 Description: Oracle TimesTen In-Memory Database CGI Format String Overflow