More than 40 flaws have been identified in Oracle Corp.'s Metalink Knowledge Base used for customer service. Surprisingly,...
it may affect other vendors as well.
Red Database Security GmbH warned earlier this week that using a method similar to "Google hacking" in which you input a particular search term like "security bug," could be used to search Metalink for customer reports and other sensitive information about any flaws an attacker specifies.
For example, the group entered the term "hacker" and got the result "DBMS_SYS_SQL.Parse_as_user Has a Security Concern." The researchers noted that this entry explains how to become DBA via the package dbms_sys_sql and added: "Wow, this package also contains exploit code."
"While this event is Oracle specific, it also is very likely the same issues exist within other support databases from IBM, Sybase and others," said an Application Security Inc. spokesperson. "The Metalink searches also revealed customer names, configurations, vulnerabilities and passwords."
The flaws' discoverer, Alexander Kornbrust, said he stopped counting at 42 flaws and then reported the issue to Oracle. He added that a fix isn't provided for these flaws in Oracle's latest patch.
"I found all these bugs during an extensive research in Oracle's bug database," Kornbrust said in an e-mail interview. "Most of these bugs allow denial-of-service attacks, e.g. a normal database user submits a SQL statement and the CPU uses 100% forever. Some bugs allow SQL injection or information disclosure." Kornbrust plans to publish his research paper on Metalink hacking and some of the advisories on his Web site next week.
Kornbrust offered several tips for Metalink users:
- Customers should use, if possible, a freemail account in forum entries.
- Anonymize configuration files before posting on Metalink.
- Remove passwords before posting content on Metalink.
- If you report a bug to Oracle consider whether the bug is security relevant. Escalate this issue if necessary. Even if this costs additional time it makes Oracle more secure in the long run.
Metalink is a robust support resource, and with Gartner Group reporting Oracle owns one-third of the database market, the potential damage could be significant. "With that many Oracle databases installed, it raises concerns for the Global 2000 as well as government and educational institutions," New York-based Application Security's spokesperson said.
"This discovery adds another way software vulnerabilities can be discovered -- specifically, vendor supplied/supported forums," Ted Julian, vice president of strategy for Application Security, said in an e-mail. "It highlights the need for enterprises to proactively harden their databases against attack and reminds us that this is a never-ending process, not just a one time activity."
Oracle offered this comment: "Security is a matter we take seriously at Oracle and while we stand firmly behind the inherent security of our products and processes, we are always working to do better. Metalink is a confidential, valuable and extensive information resource for Oracle support customers. Customers can post questions and comments to the MetaLink forums. Identifying information that is inappropriately available on MetaLink is an ongoing activity as information is constantly being added and updated."