COMMAND

    Oracle Listener

SYSTEMS AFFECTED

    Oracle

PROBLEM

    The following is based on an Internet Security Systems Security
    Advisory.  Internet Security Systems (ISS) X-Force has identified
    four Denial of Service attacks against the Oracle listener
    service:

        1. Offset_to_data value too large
        2. Requester_version value incorrect
        3. Maximum Transport Data size too small
        4. Fragmentation attack

    These  vulnerabilities  allow  an  unauthenticated user to prevent
    other users  from connecting  to the  database.   As a result, the
    Oracle database becomes inaccessible.

    1. Offset_to_data value too large
    =================================
    When connecting to an Oracle database, a connection is first  made
    to the  listener process.   This initial  packet contains  command
    data,  such  as  the  instance  to  connect  to  and  the   client
    information.   This packet  also contains  a header  with a  field
    indicating the offset to the  Oracle command data. If this  offset
    is set to  an arbitrarily large  value that the  listener does not
    expect, then the listener will crash.

    This  vulnerability  exists  on  Oracle  7.3  and  8i  (not   8.0)
    installations of Unix, but does not affect Oracle versions running
    on Windows NT/2000.

    2. Requester_version value incorrect
    ====================================
    When connecting to an Oracle database, a connection is first  made
    to  the  listener  process.  This  initial packet contains command
    data,  such  as  the  instance  to  connect  to  and  the   client
    information.   This packet  also contains  a header  with a  field
    indicating the  version of  the client  drivers and  the offset to
    the Oracle command data.  If the version of the driver does not
    match the appropriate offset to the command data, the listener
    will crash.

    This vulnerability  exists on  Oracle 8.0  and later installations
    for all platforms.

    3. Maximum Transport Data Size too small
    ========================================
    When connecting to an Oracle database, a connection is first  made
    to the  listener process.   This initial  packet contains  command
    data,  such  as  the  instance  to  connect  to  and  the   client
    information.   This packet  also contains  a header  with a  field
    indicating  the  maximum  transport  data  size  of  the  client’s
    network.   If the  maximum transport  data size  is set  to 0, the
    listener will crash.

    This vulnerability exists on Oracle8i on Sun Solaris.

    4. Fragmentation Attack
    =======================
    In addition to TCP/IP fragmentation, Oracle allows commands to  be
    fragmented at  the application  layer.   This fragmentation allows
    commands to  be sent  in two  or more  different packets.   If the
    first packet of  a fragmented command  is repeatedly sent  and not
    followed up with the remainder of the command, the listener  hangs
    waiting for the completion of these commands.

    This vulnerability exists on all versions of the listener.
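
    The header-field problems in items 1 to 3 come down to trusting
    client-supplied values before checking them.  The sketch below is
    an added example, not code from the advisory or from Oracle; the
    header layout, the version-to-header-size rule and the 512-byte
    minimum are assumptions constructed for illustration and are not
    the listener's wire format.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical connect-header layout (constructed for this example, not
 * Oracle's wire format). All fields are 16-bit big-endian:
 *   0: packet_length   2: requester_version   4: max_transport_size
 *   6: data_length     8: offset_to_data
 * MIN_TRANSPORT is an assumed lower bound. */
enum { HDR_V1_LEN = 10, HDR_V2_LEN = 14, MIN_TRANSPORT = 512 };

typedef enum { PKT_OK, PKT_SHORT, PKT_BAD_LENGTH, PKT_BAD_VERSION,
               PKT_BAD_TRANSPORT, PKT_BAD_OFFSET } pkt_status;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Assumed rule: each requester version implies a fixed header size. */
static size_t header_len_for(uint16_t version) {
    switch (version) {
    case 1:  return HDR_V1_LEN;
    case 2:  return HDR_V2_LEN;
    default: return 0;               /* unknown version */
    }
}

/* Validate every header field against the bytes actually received before
 * anything dereferences the command data. On success *data points into buf. */
pkt_status parse_connect(const uint8_t *buf, size_t len,
                         const uint8_t **data, size_t *data_len) {
    if (len < HDR_V1_LEN) return PKT_SHORT;
    if ((size_t)rd16(buf) != len) return PKT_BAD_LENGTH;

    size_t hdr = header_len_for(rd16(buf + 2));
    if (hdr == 0 || len < hdr) return PKT_BAD_VERSION;

    /* Item 3: a zero (or tiny) transport size is rejected, never used. */
    if (rd16(buf + 4) < MIN_TRANSPORT) return PKT_BAD_TRANSPORT;

    size_t dlen = rd16(buf + 6), off = rd16(buf + 8);
    /* Item 2: the offset may not point inside the header for this version.
     * Item 1: offset plus length must stay inside the received packet. */
    if (off < hdr) return PKT_BAD_OFFSET;
    if (off > len || dlen > len - off) return PKT_BAD_OFFSET;

    *data = buf + off;
    *data_len = dlen;
    return PKT_OK;
}
```

    Item 4 is not covered here; it needs a limit on the number and
    age of incomplete fragmented commands held per connection.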

SOLUTION

    Oracle has fixed these security vulnerabilities in Oracle9i.
    Oracle  is  in  the  process  of  backporting the fix to supported
    Oracle 8i Releases 8.1.7 and 8.1.6 on all Unix platforms.   Please
    check Metalink  periodically for  patch availability  if the patch
    for your platform is not  yet available.  Oracle recommends  using
    Oracle Advanced Security (an  option to the Enterprise  Edition of
    the Oracle Database Server)  to encrypt network traffic  and avoid
    packet capture and replay attacks.  Oracle Advanced Security  also
    provides checksumming that verifies the data integrity of  network
    packets.