New Security Risks Hit Oracle

Oracle's security troubles mount due to a worm and additional unpatched holes.

Enterprise IT managers who are still knee-deep in patches from Oracle Corp.s last quarterly Critical Patch Update have more to worry about after an unknown individual last week posted on a security discussion list source code for a worm that spreads among Oracle databases.

The worm is the first ever developed for an Oracle platform and is considered a low security risk. However, the worm calls attention to loose security practices that are still common on Oracle platforms and comes amid word from one security researcher of more than 250 unpatched holes in the Redwood Shores, Calif., companys Database 10g.

The code for the Voyager Beta worm was released on the Full Disclosure discussion list Oct. 31 by an unknown contributor. The worm appeared in a message with the subject "Trick or treat Larry," an apparent reference to Oracle CEO Larry Ellison.

Voyager Beta does not exploit security vulnerabilities in the Oracle code but capitalizes on insecure configurations, said Alexander Kornbrust, CEO of Red-Database- Security GmbH, in Frankfurt, Germany, and an expert on Oracle security.

Currently, Voyager Beta must be placed on Oracle systems by a database user and manually started. Once launched, the worm scans for other Oracle databases on the same network subnet and then uses a feature called private database links to connect to those databases using a series of default user names and passwords. Voyager Beta creates a blank table, called X, on remote database servers it infects—a harmless act that could be replaced with a more destructive payload, Kornbrust wrote in an analysis.

The security hole does not require a patch from Oracle, but database administrators should change the default password on their Oracle databases if it has not already been changed, Kornbrust said.

Despite an increasing number of warnings about the security of Oracles software, many administrators still leave default configurations in place and dont password-protect key database functions such as the "listener," a component that manages connections to the database and can allow users to take control of the database if it is not properly secured, he said.

Unlike Windows systems, Oracle database servers could have dozens of services and password-protected accounts enabled.

Oracle has been a focus of criticism in recent months, as independent security researchers such as Kornbrust and Next Generation Security Software Ltd.s David Litchfield have complained that the companys database software is riddled with security holes and that Oracle takes too long to issue patches for the problems.

A recent paper released by researchers at The SANS Institute, of Bethesda, Md., revealed weaknesses in the password protection mechanism in Oracles databases. In just the latest example, Kornbrust said he passed details to Oracle last week on more than 250 SQL injection vulnerabilities in the companys 10g Release 1 database server. Kornbrust said he found the SQL injection holes in just 6 hours using automated vulnerability scanning tools to analyze about 9,000 software packages and functions that are part of 10g Release 1.

The holes are new and are not covered by fixes released in the latest Critical Patch Update. Exploit code that Kornbrust developed for some of the holes gives users basic ownership rights to vulnerable Oracle databases, a critical security hole. Up to 30 percent of the new holes may allow database users to elevate their privileges, Kornbrust said.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.