Oracle Corp. has issued a security advisory addressing a serious vulnerability in its database server that a prominent researcher disclosed at the 2012 Black Hat Briefings.
Technical details of this vulnerability have been very widely disclosed and one can easily find sample exploit code over the Internet.
Eric Maurice, director of software security assurance, Oracle Corp.
The database giant said the privilege escalation vulnerability (CVE 2012-3132) can be exploited remotely to gain system privileges. The user would have to use credentials to pull off a successful SQL injection attack. Oracle is urging users to deploy the patch as soon as possible. The component that would be targeted in an attack is included in the Oracle Fusion Middleware, Oracle Enterprise Manager and Oracle E-Business Suite.
"The attacker needs to have credentials and specific privileges, including the 'Create Table' privilege, in order to create the exploit conditions," wrote Eric Maurice, director of software security assurance at Oracle. "Oracle recommends that organizations apply this Security Alert as soon as possible because the technical details of this vulnerability have been very widely disclosed and one can easily find sample exploit code over the Internet."
The issue affects Oracle Database Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 188.8.131.52, 184.108.40.206 and 220.127.116.11. The July 2012 Critical Patch Update addressed the issue for users of versions 18.104.22.168 and 22.214.171.124.
David Litchfield, one of the industry's top database security consultants, demonstrated several proof-of-concept attacks targeting indexing flaws in the Oracle database management server at Black Hat. He showed how to create a condition to elevate his privileges to the database administrator (DBA) level. System privileges enable the attacker to manipulate database indexing records or to change and delete tables remotely via SQL injection.
David Litchfield at Black Hat 2012
Black Hat 2012: Researcher slams Oracle database indexing: At Black Hat 2012, longtime Oracle thorn David Litchfield presents working exploits targeting Oracle database indexing vulnerabilities.
Litchfield also demonstrated attacks using vulnerabilities that were reported and patched as long as two years ago. The expert said the flaws are still useful because many organizations fail to deploy them in a timely manner or fail to test and deploy patches altogether.
Older versions of Oracle DBMS are also vulnerable, but won't likely receive an update, said Alex Rothacker, director of security research at New York City-based database security vendor Application Security Inc. In a blog entry providing analysis of the vulnerability, Rothacker said that system privileges are typically granted to DBAs, application developers and others.
"In order to perform the exploit, one needs to have CREATE TABLE and CREATE PROCEDURE privileges as well as EXECUTE privileges on the DBMS_STATS package," Rothacker wrote. "Many common software packages don't implement proper separation of duties and grant the app account excessive privileges which can be used to exploit this vulnerability."