Hi all,

Short history:

The remote pre-authenticated vulnerability with CVSS2 10 I published some days ago [1], the vulnerability I called Oracle TNS Poison (reported to the vendor in 2008), is a 0day affecting all database versions from 8i to 11g R2. There is no patch at all for this vulnerability and Oracle refuses to write a patch for *ANY* existing version, even for Oracle 11g R2. So, yes, ALL versions are vulnerable and will remain vulnerable. As I published many workarounds for this vulnerability, I believe it's better to make this information public so Oracle database customers can protect themselves.

Long history:

Some days ago, after the release of the Oracle Critical Patch Update April 2012, a friend of mine told me that Oracle gave me credit in the "Security-In-Depth" program for a vulnerability they fixed. After this, I asked both Oracle and iSightPartners (the company I sold the vulnerability to in 2008) for information about the vulnerability they fixed in this CPU. Oracle told us that the vulnerability with tracking id #13793589 (the TNS poison vulnerability) was the one fixed. As the vulnerability was fixed, there was no reason not to publish information about it any more, and I decided to publish an advisory, a document explaining the vulnerability and a proof of concept.

So far, so good. However, I was suspicious about a statement Oracle people wrote me in an e-mail as, in their words, the vulnerability "was fixed in future releases of the product". Eeeeh... "was" and "in the future"? As it makes no sense, I sent Oracle an e-mail asking for details about the fix:

On 4/19/2012 12:53 PM, Joxean Koret wrote:
(...)
> How can customers with current versions installed fix this
> vulnerability? Do they have to wait until the next version? Just out
> of curiosity.

And Oracle answered me with excuses ("excusatio non petita, accusatio manifesta"):

> We had to make the hard choice of fixing it in the release and not in
> the CPU because:
>
> * The fix is very complex and it is extremely risky to backport.
> * This fix is in a sensitive part of our code where
> regressions are a concern.
> * Customers have requested that Oracle not include such
> security fixes into Critical Patch Updates that increases the
> chance of regressions.

As they refused to answer it clearly, I asked them once again in a simpler way about the "fix" for the vulnerability:

On 4/23/2012 9:20 AM, Joxean Koret wrote:
(..)
> Just a final question: Does it mean that all current versions are
> vulnerable and the vulnerability will only be fixed in next products
> like, say, 11g R3 or 12g?

And Oracle, believing I'm stupid or something like this, answered me the following:

> To protect the interest of our customers, we do not provide these
> level of details (like versions affected) for the issues that are
> addressed as in-depth. The future releases will have the fix.

So, as previously stated, this is a 0day vulnerability with no patch, Oracle refuses to patch the vulnerability in *any* existing version and Oracle refuses to give details about which versions will have the fix. But they say the vulnerability is fixed. Cool.

Oracle security people: For the next time, don't say that a vulnerability is fixed in a Critical Patch Update if the patch is not published. Your customers are not interested in whether the vulnerability is fixed in your development version; they only care about the vulnerability being fixed in the versions they are using in production systems.

PS: I must admit that, being Oracle, that confusion doesn't surprise me at all.

[1] http://seclists.org/fulldisclosure/2012/Apr/204

Regards,
Joxean Koret