Oracle Adresses 0-day “TNS Poison”

Update Edited to reflect that Oracle has released a configuration workaround, not a patch

This week Oracle released an out-of-band Security alert for the CVE-2012-1675 vulnerability in the Oracle Database Server V10 and V11, addressing a 0-day vulnerability that was recently published on the full-disclosure mailing list under the name "TNS Poison" by Joxean Koret. Apparently Joxean discovered the vulnerability in 2008, then sold it to iSightPartners and was under the mistaken impression that the vulnerability was fixed in last month’s CPU, when he released his advisory. More details can be found in a follow-up post on the ful-disclosure list and a video of the vulnerability being exploited can be seen here

The vulnerability is in the TNS listener part of the Oracle database server and allows an attacker to perform a man-in-the-middle attack by registering an additional database instance in the TNS listener. The listener will then start load-balancing traffic to the new instance. This allows the attacker to receive the database transactions, record them and forward them to the original database. The attacker can potentially modify the transactions and execute commands on the original database server.

While Oracle recommends addressing the vulnerability as soon as possible, we believe that the position of the Oracle databases in your network plays an important role in determining your modification roll-out. Production Oracle database installations typically do not expose their TNS listener to the Internet or even the enterprise network. A good map of your network environment will be helpful in determining where to act first.