Oracle has released a patch for a vulnerability (CVE-2012-3132) disclosed by David Litchfield of Accuvant Labs at the Black Hat security conference last month. The vulnerability, which is SQL injection at its core, allows an authenticated database user to escalate to the highest database privileges and take complete control of the server.
“It’s a privilege escalation vulnerability that gives an attacker SYSDBA privileges,” explained Alex Rothacker, Director of Security Research at Application Security, Inc. “In order to perform the exploit, one needs to have CREATE TABLE and CREATE PROCEDURE privileges as well as EXECUTE privileges on the DBMS_STATS package.”
“In a properly configured system, most users should not have the above privileges, but application developers and some others typically do have these privileges,” Rothacker added. “In addition, many common software packages don’t implement proper separation of duties and grant the app account excessive privileges which can be used to exploit this vulnerability.”
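The three prerequisites Rothacker lists are easy to check for. The query below is an added audit example, not from the article, from Oracle or from Application Security, Inc.; it runs against Oracle's standard data dictionary views (DBA_USERS, DBA_ROLE_PRIVS, DBA_SYS_PRIVS, DBA_TAB_PRIVS) and lists every account that holds all three privileges, resolving grants made through nested roles and through PUBLIC. It treats CREATE ANY TABLE and CREATE ANY PROCEDURE as satisfying the CREATE TABLE and CREATE PROCEDURE requirements, which is an assumption of the example rather than something the article states.

```sql
-- Added audit query (not from the article or Oracle): which accounts hold the
-- privileges the article names as prerequisites for CVE-2012-3132?
-- Requires SELECT access to the DBA_* views (e.g. run as a DBA or with SELECT_CATALOG_ROLE).

WITH effective AS (
  -- Every principal whose grants apply to a user: the user itself ...
  SELECT username AS username, username AS principal
  FROM   dba_users
  UNION
  -- ... PUBLIC, whose grants apply to everyone ...
  SELECT username, 'PUBLIC'
  FROM   dba_users
  UNION
  -- ... and every role reachable from the user through nested role grants.
  SELECT DISTINCT CONNECT_BY_ROOT grantee AS username, granted_role AS principal
  FROM   dba_role_privs
  START WITH grantee IN (SELECT username FROM dba_users)
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
SELECT u.username,
       u.account_status
FROM   dba_users u
WHERE  EXISTS (  -- CREATE TABLE (or the broader CREATE ANY TABLE)
         SELECT 1
         FROM   effective e
         JOIN   dba_sys_privs p ON p.grantee = e.principal
         WHERE  e.username = u.username
         AND    p.privilege IN ('CREATE TABLE', 'CREATE ANY TABLE'))
AND    EXISTS (  -- CREATE PROCEDURE (or the broader CREATE ANY PROCEDURE)
         SELECT 1
         FROM   effective e
         JOIN   dba_sys_privs p ON p.grantee = e.principal
         WHERE  e.username = u.username
         AND    p.privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE'))
AND    EXISTS (  -- EXECUTE on SYS.DBMS_STATS, directly, via a role, or via PUBLIC
         SELECT 1
         FROM   effective e
         JOIN   dba_tab_privs t ON t.grantee = e.principal
         WHERE  e.username = u.username
         AND    t.owner      = 'SYS'
         AND    t.table_name = 'DBMS_STATS'
         AND    t.privilege  = 'EXECUTE')
ORDER BY u.username;
```

On a default installation EXECUTE on DBMS_STATS is granted to PUBLIC, so the third condition is normally met by every account and the list reduces to accounts that can create tables and procedures, which is typically the application schema owners and developers Rothacker describes. Accounts that appear here but are locked or expired (see ACCOUNT_STATUS) are lower priority; the rest should be patched or have the unnecessary CREATE privileges revoked.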
The fix has been released for Oracle Database Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3. Customers running 11.2.0.2 or 11.2.0.3 who have already applied the Critical Patch Update issued in July are already protected and need take no further action.
Otherwise, this is something Oracle wants all customers to pay attention to.
“Since Oracle Fusion Middleware, Oracle Enterprise Manager, and Oracle E-Business Suite include the Oracle Database Server component that is affected by this vulnerability, Oracle recommends that customers apply this fix as soon as possible to the Oracle Database Server component,” the company’s advisory states.
“This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. A remote authenticated user can exploit this vulnerability to gain ‘SYS’ privileges and impact the confidentiality, integrity and availability of un-patched systems.”
Additional details are available in Oracle’s advisory.