At last week's BlackHat D.C., David Litchfield revealed 0-day vulnerabilities in Aurora, the Java virtual machine built into Oracle Database. The following PUBLIC-executable packages
- DBMS_JAVA
- DBMS_JAVA_TEST
- DBMS_JVM_EXP_PERMS
allow an attacker to escalate their privileges to SYSDBA and take complete control of the database. Litchfield demonstrated how a low-privileged database user can grant themselves SYSDBA privileges, access every file on the Oracle host that the database's operating-system account can reach, and execute files there, including a shell. He also showed how to load binary code into the Oracle process and execute it. Finally, he demonstrated a way to bypass Oracle Label Security.
There is currently no fix available from Oracle; however, Oracle's own access-control features allow a workaround. By default, EXECUTE on each of the packages above is granted to PUBLIC, so every database account can call them.
To protect against these threats until a patch is available, database administrators should revoke EXECUTE on these packages from PUBLIC and from any other user that does not require it. The AppDetective and DbProtect 'Object privilege granted to PUBLIC' Oracle Vulnerability Assessment checks can be used to help find and remediate these privileges.
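The SQL below is an added example of the workaround described above; it is not part of the original bulletin or of the AppDetective/DbProtect checks. It assumes you are connected as SYS with the SYSDBA privilege, that the three packages are owned by SYS (as they are in a standard install), and that the role name JAVA_PKG_USERS and the account EXPORT_USER are hypothetical placeholders for whatever accounts you find still need the packages.

```sql
-- Added example, not code from the original post. Run as: CONNECT / AS SYSDBA
-- Package names are the ones named in the bulletin; JAVA_PKG_USERS and
-- EXPORT_USER are hypothetical names used for illustration.

-- 1. Record the current state: who holds EXECUTE on the three packages.
--    A freshly installed database shows a PUBLIC row for each of them.
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JVM_EXP_PERMS')
   AND privilege = 'EXECUTE'
 ORDER BY table_name, grantee;

-- 2. The bulletin's workaround: remove the default PUBLIC grant.
REVOKE EXECUTE ON sys.dbms_java          FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_java_test     FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;

-- 3. Revoking a PUBLIC grant can invalidate other schemas' objects that were
--    compiled against it. List them so you know which applications to test.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, object_name;

-- 4. Re-grant only to accounts that demonstrably need the package, and do it
--    through a role as the bulletin recommends. Caveat: role-based grants are
--    not visible inside definer's-rights PL/SQL, so an account whose stored
--    code calls DBMS_JAVA needs a direct GRANT EXECUTE instead.
CREATE ROLE java_pkg_users;
GRANT EXECUTE ON sys.dbms_java TO java_pkg_users;
GRANT java_pkg_users TO export_user;

-- 5. Verify: the query from step 1 must no longer return a PUBLIC row, and the
--    only remaining grantees should be the role(s) you created deliberately.
SELECT grantee, table_name
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JVM_EXP_PERMS')
   AND privilege = 'EXECUTE'
   AND grantee = 'PUBLIC';
```

Step 3 and step 4 are the parts a practitioner will want to keep: the revoke itself is one statement per package, but the work is in finding what silently depended on the PUBLIC grant (a commenter on this post reports exports failing until the export account was re-granted EXECUTE) and re-granting to those accounts alone rather than restoring the grant to PUBLIC.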
Application Security has also made available for download a custom policy and check that looks specifically for these privileges, so you can learn whether your Oracle databases are vulnerable. With Application Security, Inc.'s User Rights Review (URR) platform, customers can also determine which users could exploit the vulnerability and get an explanation of how to fix it.
Team SHATTER also suggests adhering to the following general security considerations to minimize the risk from new attacks like this one:
- Always stay up-to-date on the latest security patches
- Minimize the attack surface by only installing and enabling functionality that is required for the business task
- Remove all unused default components, accounts and databases
- Assign only minimal privileges required
- Assign privileges through roles, not directly to users
Related links:
SHATTER Security Bulletin

Until Oracle develops a patch for the DBMS_Java and DBMS_JVM_EXP_PERMS vulnerability, we took your advice and revoked execute from public in our dev and test databases, only to find out that our exports were failing. We then granted execute on these packages to the export user and all exports are again successful. It would have been really great if you had listed what Oracle utilities might fail when the execute privilege is revoked from public.
Thanks for keeping us informed about Oracle security vulnerabilities.
Posted by: Patricia Ashe | February 16, 2010 at 04:52 PM