CERT-In Vulnerability Note
CIVN-2003-0007
Buffer Overflows in EXTPROC of Oracle Database Server
Original Issue Date: September 03, 2003
Severity Rating: HIGH
Systems Affected
- Oracle9i Release 2
- Oracle9i Release 1
- Oracle8i 8.1.x (all releases)
Overview
This vulnerability note updates vulnerability note CIVN-2003-04 issued earlier by CERT-In.
Impact
This flaw could allow a remote attacker to load an arbitrary operating system library and execute arbitrary code on the database server. The code runs with the OS privileges of the Oracle listener that spawns EXTPROC, so the main concern is that a malicious user gains a higher level of privilege on the server than they are entitled to.
Description
The security threat level has been revised to High because the vulnerable process does not require the remote user to authenticate.
Oracle Security Alert 57 now assigns this vulnerability a High security threat level. According to the alert, "these potential vulnerabilities can be exploited in some cases without a username and password. Therefore, Oracle strongly recommends that this patch be applied as soon as possible."
According to the NGSSoftware Security Advisory, EXTPROC is vulnerable to a classic stack-based buffer overflow that an attacker can trigger remotely. No user ID or password is necessary.
Workaround
- Remove the EXTPROC functionality if it is not needed. Edit $ORACLE_HOME/NETWORK/ADMIN/TNSNAMES.ORA and $ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA (paths shown for a Unix directory structure; use the equivalent directory on Windows) and remove the following entries from each configuration file, as applicable to the OS and the Oracle Database release installed:
  * icache_extproc, or
  * PLSExtproc, or
  * extproc
- If the PL/SQL EXTPROC functionality is required, take the following steps to protect against the vulnerability identified above:
  a. Create two Oracle Net Listeners, one for the Oracle database and one for PL/SQL EXTPROC. The configuration files of the database listener must contain no EXTPROC-specific entries.
  b. Configure the PL/SQL EXTPROC listener with an IPC protocol address only. If TCP connectivity is required, configure a TCP protocol address, but use a port other than the one the database listener uses.
  c. Ensure that the PL/SQL EXTPROC listener runs as an unprivileged OS user (e.g. "nobody" on Unix). On Windows platforms, run the Oracle Net Listener process as an unprivileged user, not as the LOCAL SYSTEM account.
- Restrict access to the Oracle server processes to trusted IP addresses only by enabling the valid node checking feature. Set the following parameters in $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA (in $ORACLE_HOME/NETWORK/ADMIN/PROTOCOL.ORA for Oracle8i and earlier):
  tcp.validnode_checking = YES
  tcp.invited_nodes = {list of allowed IP addresses}
  tcp.excluded_nodes = {list of blocked IP addresses}
- Set the permissions on $ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA to 640.
- The password of any user account capable of adding packages or libraries, or holding system privileges, should be changed from the default and comply with the organization's password policy.
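The checks an administrator would run after applying the steps above, as an added example in POSIX shell (it is not part of the CERT-In note and not Oracle tooling): the script writes constructed listener.ora and sqlnet.ora fragments showing the default layout that still registers EXTPROC on the database listener, the hardened database listener, a separate IPC-only EXTPROC listener and a sqlnet.ora with valid node checking, then greps each file for the condition the corresponding step requires. The file names listener_default.ora, listener_db.ora and listener_extproc.ora, the host dbhost, the ORACLE_HOME path and the invited IP list are all assumptions; in a real deployment each listener reads a file named listener.ora from its own TNS_ADMIN directory, and the EXTPROC one is owned by the unprivileged account that starts it.

```shell
#!/bin/sh
# Added example: audit helpers for the EXTPROC workaround. Not from the
# CERT-In note or Oracle. All file contents, hosts, paths and IPs below are
# constructed for illustration.

# Step 1: does a Net config file still register EXTPROC? A case-insensitive
# match on "extproc" covers all three spellings the note lists
# (extproc, PLSExtproc, icache_extproc) and the default IPC key EXTPROC0.
has_extproc_entries() {
    grep -iq 'extproc' "$1"
}

# Step b: the EXTPROC listener must expose an IPC address and no TCP address.
ipc_only() {
    grep -iq 'PROTOCOL *= *IPC' "$1" && ! grep -iq 'PROTOCOL *= *TCP' "$1"
}

# LISTENER.ORA must be mode 640 (rw-r-----). GNU stat first, BSD stat fallback.
perms_are_640() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "640" ]
}

# Valid node checking must be on and carry an invited-node list.
validnode_enabled() {
    grep -iq '^[[:space:]]*tcp\.validnode_checking[[:space:]]*=[[:space:]]*yes' "$1" &&
    grep -iq '^[[:space:]]*tcp\.invited_nodes[[:space:]]*=' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: out-of-the-box 9i layout, EXTPROC on the database listener.
cat > "$WORK/listener_default.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))))
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = /u01/app/oracle/product/9.2.0)(PROGRAM = extproc))
    (SID_DESC = (SID_NAME = orcl)(ORACLE_HOME = /u01/app/oracle/product/9.2.0)))
EOF

# Constructed: hardened database listener (step a), TCP only, no EXTPROC SID.
cat > "$WORK/listener_db.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))))
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = orcl)(ORACLE_HOME = /u01/app/oracle/product/9.2.0)))
EOF
chmod 640 "$WORK/listener_db.ora"

# Constructed: separate EXTPROC listener (steps b and c), IPC only; in
# production this is listener.ora in a TNS_ADMIN directory owned by "nobody".
cat > "$WORK/listener_extproc.ora" <<'EOF'
LISTENER_EXTPROC =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))))
SID_LIST_LISTENER_EXTPROC =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = /u01/app/oracle/product/9.2.0)(PROGRAM = extproc)))
EOF

# Constructed sqlnet.ora (9i location; PROTOCOL.ORA holds the same keys on 8i).
cat > "$WORK/sqlnet.ora" <<'EOF'
tcp.validnode_checking = yes
tcp.invited_nodes = (10.0.5.20, 10.0.5.21, appserver.example.com)
EOF

# Run every check against a directory laid out as above; print one line per
# failed check and return non-zero if anything failed.
audit_dir() {
    dir=$1; rc=0
    if has_extproc_entries "$dir/listener_db.ora"; then
        echo "FAIL: database listener still registers EXTPROC"; rc=1
    fi
    ipc_only "$dir/listener_extproc.ora" || { echo "FAIL: EXTPROC listener not IPC-only"; rc=1; }
    perms_are_640 "$dir/listener_db.ora" || { echo "FAIL: listener.ora is not mode 640"; rc=1; }
    validnode_enabled "$dir/sqlnet.ora" || { echo "FAIL: valid node checking not enabled"; rc=1; }
    return $rc
}

has_extproc_entries "$WORK/listener_default.ora" && echo "default listener.ora still registers EXTPROC: remove it (step 1)"
audit_dir "$WORK" && echo "OK: hardened layout passes all checks"
```

To audit a live system, point the functions at the real $TNS_ADMIN files instead of the constructed ones and run as the Oracle software owner so the permission check sees the actual mode. Two caveats the note does not spell out: tcp.invited_nodes takes precedence when tcp.excluded_nodes is also set, so maintain a single allow list rather than both; and the listener reads sqlnet.ora when it starts, so restart it after changing the valid node parameters.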
Solution
Apply the appropriate patch available at http://metalink.oracle.com .
Consult http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf for the patch number appropriate to the affected release and platform. Perform appropriate testing and take backups before applying any of these patches.
Vendor Information
Oracle: Oracle Security Alert 57, dated July 23, 2003.
http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf
References
Oracle: Oracle Security Alert 57
http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf
NGSSoftware Ltd.: Oracle EXTPROC advisory
http://www.nextgenss.com/advisories/ora-extproc.txt
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India