Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

From: ak () red-database-security com
Date: 7 Oct 2005 20:13:13 -0000
Hello 

I agree with David's and Cesar's opinion. 
 
Here are 3 examples how Oracle is dealing with security:
+++
 
Last week (28-sep-2005) I've got an email from Oracle secalert (secalert_us () oracle com, signed with the Oracle PGP 
key). They asked me to remove my already published Oracle security advisories from my webpage 
(http://www.red-database-security.com/advisory/published_alerts.html ) to "protect Oracle's confidential information". 

I declined their request.

Removing already published content from the internet is (nearly) impossible and a waste of time. It's better to use 
this time to make the products more secure or the patches more stable.

+++

786 days ago I reported a remote exploitable bug (via a simple URL) in Oracle Reports server. An attacker could abuse 
this bug to destroy an entire Oracle Application Server by overwriting files. This bug is still unfixed (786 days 
later). 

I hope Oracle will fix this bug in the next CPU in october. In the meantime you could use a workaround developed by 
Dirk Nachbar (http://www.trivadis.com/Images/OASSecurityHoleE_11092005_tcm17-14060.pdf)

According to Oracle "its policy is to fix vulnerabilities in order of severity, starting with high-priority issues" 
(see article from 20-july-2005 
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,103350,00.html). If a remote exploitable bug 
can wait more then 2 years what other bugs have a higher priority? 


I know that fixing a security bug costs time and money. Large organisation, multiple platforms, different versions, 
backports, ... 
I don't expect a patch within a few (30) days. But 786 days? 
As recommended by David all customers should talk with Oracle sales, Oracle support, ...

There are still some other open security bugs from 2003. See
http://www.red-database-security.com/advisory/upcoming_alerts.html


+++
It seems that the Q/A of the Oracle security patches is non existing:

The latest July CPU 2005 for the Oracle database was modified several times. Oracle is still using the same patch 
number. No additional version information/sub-version was provided:

Re-Upload Dates:
 14-july-05, 18-jul-05, 20-jul-05, 27-jul-05, 01-aug-05, 09-aug-05, 26-aug-06, 29-aug-05

Some of the reasons for re-upload the patches are: 
CDC.jar was missing, a wrong version of modplsql.so was included, catpatch.sql did not update the registry entry, the 
fix for a non security-bug was missing (Mixing security and non-security bugs is a strange behaviour), ...

All this information is available on Oracle Metalink:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=311062.1



Regards

Alexander Kornbrust

----
Red-Database-Security GmbH 
http://www.red-database-security.com
 

-----Ursprüngliche Nachricht-----
Von: Cesar [mailto:cesarc56 () yahoo com] 
Gesendet: Donnerstag, 6. Oktober 2005 20:42
An: David Litchfield; bugtraq () securityfocus com; ntbugtraq () listserv ntbugtraq com
Betreff: Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their 
customers

I support David 100% and I would like to add a few comments (I can't avoid doing this :)):

I remember reading an article where Larry Ellison said that Oracle database server were used by FBI, CIA, USSR 
goverment, etc. he referenced that as saying our software is the most secure, top goverment agencies from the most 
powerful nations use it. If you hear or read that it sounds great and if you were looking for a database server at that 
moment maybe you would run to buy Oracle software, the same when you hear and read Oracle Unbreakable everywhere. What 
Larry Ellison says it is very easy to say but it is also very difficult to prove. It seems that this kind of statements 
have been useful for Oracle since the company continues doing the same, "just talking".
I can say that we at Argeniss break Oracle database server all the time, we are tired of breaking Oracle, it's so easy, 
Oracle software is full of security vulnerabilities and this is nothing new, most security researchers know about this 
and also the bad guys who are actively exploiting the vulnerabilities. But I can say this and I can also prove it, we 
have found more than a hundred vulnerabilities and we can show them to people. I wonder if Larry Ellison can prove all 
the statements he says or Oracle people say.

What I  have seen is Oracle doesn't care much about security, it's just a PR issue for Oracle. When you report a 
vulnerability to Oracle you get an answer saying we will take a look at this, then months or sometimes years after the 
initial vulnerability report they release (or not) a patch , that sometimes doesn't work, but what is amazing is that 
they just fix the bugs you reported they don't audit similar bugs to fix all at once, I can't understand this, we are 
working for free for them and they are not doing any effort.
Basically when Oracle security problems arise, Mary Ann Davison and Oracle PR team try to deviate attention and blame 
anyone without focusing on the real problem: "Oracle insecurity". Oracle security has not improved over the last years, 
everytime there are more and more holes, also security patches are having holes, QA seems that it is not being done at 
all!. But everytime you hear Oracle people, they will say "Oracle Unbreakable",  "An oracle d/b has not been broken 
into in 15 years...", "We have 14 security certifications", "Security researchers are evil", "some people complain it's 
too secure - literally cannot break into it..."
etc. but you never will
hear and also see something like: "We are working hard on improving security because we are doing this and this", "We 
are fixing all the bugs",  "We want to work with security resarchers", "We stopped development to fix the security 
bugs"...  etc.
I think that Oracle will start to suffer more and more because security problems, Oracle reminds me Microsoft some 
years ago, when MS had a lot of security issues that were reflected on sales, until Oracle doesn't see side effect on 
sales or customers start to pressure, everything will be the same.

I'm seriously thinking to release some Oracle remote 0day next time I hear Larry o Mary saying bullshit to shut their 
mouths.


Related info:
http://www.crn.com/sections/security/security.jhtml?articleId=171000880
http://www.eweek.com/article2/0,1895,1860184,00.asp
http://www.argeniss.com/research/SQL-Oracle.zip
http://www.argeniss.com/research/CWM2_OLAP_AW_AWUTILVuln.txt


Regards.

Cesar Cerrudo.
CEO & Founder.
Argeniss - Information Security
http://www.argeniss.com



--- David Litchfield <davidl () ngssoftware com> wrote:


Dear security community and Oracle users, Many of my customers run 
Oracle. Much of the U.K.
Critical National
Infrastructure relies on Oracle; indeed this is true for many other 
countries as well. I know that there's a lot of private information 
about me stored in Oracle databases out there. I have good reason, 
like most of us, to be concerned about Oracle security; I want Oracle 
to be secure because, in a very real way, it helps maintain my own 
personal security. As such, I am writing this open letter

Extract from interview between Mary Ann Davidson and IDG


http://www.infoworld.com/article/05/05/24/HNoraclesecurityhed_1.html


IDGNS: "What other advice do you have for customers on security?"

Davidson: "Push your vendor to tell you how they build their software 
and ask them if they train people on secure coding practices. "

Now some context has been put in place I can continue.

On the 31st of August 2004, Oracle released a security update (Alert 
68


[http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf])

to
address a large number of major security flaws in their database 
server product. The patches had been a long time in coming


[http://www.eweek.com/article2/0,1759,1637213,00.asp]

and we fully expected
that these patches would actually fix the problems but, unfortunately 
this is not the case. To date, these flaws are still not fixed and are 
still fully exploitable. I reported this to Oracle a long time ago.

The real problem with this is not that the flaws Alert 68 supposedly 
fixed are still exploitable, but rather the approach Oracle took in 
attempting to fix these issues. One would expect that, given the 
length of time they took to deliver, these security "fixes" would be 
well considered and robust; fixes that actually resolve the security 
holes. The truth of the matter though is that this is not the case.

Some of Oracle's "fixes" simply attempt to stop the example exploits I 
sent them for reprodcution purposes. In other words the actual flaw 
was not addressed and with a slight modification to the exploit it 
works again. This shows a slapdash approach with no real consideration 
for fixing the actual problem itself.

As an example of this, Alert 68 attempts to fix some security holes in 
some triggers; the flaws could allow a low privileged user to gain SYS 
privileges
- in other words gain full control of the database server. The example 
exploit I sent to Oracle contained a space in it.
Oracle's fix was to ignore
the user's request if the input had a space. What Oracle somehow 
failed to see or grasp was that no space is needed in the exploit. 
This fix suggests no more than a few minutes of thought was given to 
the matter. Why did it take 8 months for this? Further, how on earth 
did this get through QA? More, why are we still waiting for a proper 
fix for this?

Here is another class of thoughtless "fix"
implemented by Oracle in Alert
68. Some Oracle PL/SQL procedures take an arbitrary SQL statement as a 
parameter which is then executed. This can present a security risk. 
Rather than securing these procedures properly Oracle chose a security 
through obscurity mechanism. To be able to send the SQL query and have 
it executed one needs to know a passphrase. This passphrase is 
hardcoded in the procedure and can be extracted with ease. So all an 
attacker needs to do now is send the passphrase and their arbitrary 
SQL will still be executed.

In other cases Oracle have simply dropped the old procedures and added 
new ones - with the same vulnerable code!

I ask again, why does it take two years to write fixes like this? 
Perhaps the fixes take this long because Oracle pore through their 
code looking for similar flaws? Does the evidence bear this out. No - 
it doesn't. In those cases where a flaw was fixed properly, we find 
the same flaw a few lines further down in the code. The DRILOAD 
package "fixed" in Alert 68 is an example of this; and this is not an 
isolated case.
This is systemic. Code
for objects in the SYS, MDSYS, CTXSYS and WKSYS schemas all have flaws 
within close range of "fixed" problems. These should have been spotted 
and fixed at the time.

I reported these broken fixes to Oracle in February 2005. It is now 
October
2005 and there is still no word of when the "real"
fixes are going to be
delivered. In all of this time Oracle database servers have been easy 
to crack - a fact Oracle are surely aware of.

What about the patches since Alert 68 - the quarterly Critical Patch 
Updates? Unfortunately it is the same story. Bugs that should have 
been spotted left in the code, brand new bugs being introduced and old 
ones reappearing.

This is simply NOT GOOD ENOUGH. As I stated at the beginning of this 
letter, I'm concerned about Oracle security because it impinges upon 
me and my own personal security.

What is apparent is that Oracle has no decent bug 
discovery/fix/response process; no QA, no understanding of the 
threats; no proactive program of finding and fixing flaws. Is anyone 
in control over at Oracle HQ?

A good CSO needs to more than just a mouthpiece.
They need to be able to
deliver and execute an effective security strategy that actually deals 
with problems rather than sweeping them under the carpet or waste time 
by blaming others for their own failings. Oracle's CSO has had five 
years to make improvements to the security of their products and their 
security response but in this time I have seen none. It is my belief 
that the CSO has categorically failed. Oracle security has stagnated 
under her leadership and it's time for change.

I urge Oracle customers to get on the phone, send a email, demand a 
better security response; demand to see an improvement in quality. 
It's important that Oracle get it right. Our national security depends 
on it; our companies depend on it; and we all, as individuals depend 
on it.

Cheers,
David Litchfield







        
                
______________________________________________________
Yahoo! for Good
Donate to the Hurricane Katrina relief effort. 
http://store.yahoo.com/redcross-donate3/
Previous By Date Next
Previous By Thread Next

Current thread: