-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                      ESB-2001.265 -- COVERT-2001-03
                   Oracle 8i SQLNet Header Vulnerability
                               29 June 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Oracle 8i Standard Edition
                        Oracle 8i Enterprise Edition
Vendor:                 Oracle
Operating System:       Windows
                        Linux
                        Solaris
                        AIX
                        HP-UX
                        Tru64 Unix
Impact:                 Denial of Service
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________

                       Network Associates, Inc. 
                   COVERT Labs Security Advisory 
                           June 27, 2001 

               Oracle 8i SQLNet Header Vulnerability


                          COVERT-2001-03 

______________________________________________________________________

o Synopsis

A vulnerability in the Oracle implementation of the TNS (Transparent
Network Substrate) over Net8 (SQLNet) protocol allows a remote user
to mount a denial of service attack against any Oracle service that
relies upon the protocol, including the TNS Listener, Oracle Name
Service and Oracle Connections Manager.

This vulnerability has been designated as CVE candidate CAN-2001-498.

RISK FACTOR: MEDIUM
______________________________________________________________________

o Vulnerable Systems 

Oracle 8i Standard and Enterprise Editions Version 8.1.5, 8.1.6,
8.1.7 and all previous versions for Windows, Linux, Solaris, AIX, 
HP-UX and Tru64 Unix.

______________________________________________________________________

o Vulnerability Overview

Oracle 8i database platform relies on multiple services for its
distributed client server computing functionality. Services that 
are dependant upon the TNS include the TNS Listener, Oracle Name 
Service and the Oracle Connections Manager. These servers accept 
client requests and establish TNS data connections between the 
clients and the services. TNS connections allow clients and services 
to communicate over a network via a common API, regardless of the 
network transport protocol used on either end (TCP/IP, IPX, etc). 
Foundation of the TNS is the session layer protocol Net8 (SQLNet).

The services reliant upon the TNS protocol are critical to an 
Oracle database environment. The TNS Listener is responsible for 
maintaining remote communications with Oracle database services, 
the Oracle Names Service implements database names resolution and 
Oracle Connections Manager is responsible for managing connections 
to the database services.  In a default installation, the TNS 
Listener resides on TCP port 1521, Names Service on TCP port 1575 
and Connections Manager on TCP ports 1630 (gateway services) and
1830 (administration services).

A vulnerability exists in the TNS libraries which process Net8 
(SQLNet) packets. This vulnerability will enable an attacker to 
mount a denial of service attack against any of the above services 
by issuing a malformed SQLNet connection request.

______________________________________________________________________

Detailed Information:

A Net8 (SQLNet) connection is made by the client sending an SQLNet 
packet of Type-1 (NSPTCN) to the service, requesting a connection. 
SQLNet packets contain a general header and type specific header 
extensions. A Type-1 packet contains two fields in the type specific 
header extensions that specify the offset and the length of the 
connection data within the packet. These two fields are inadequately 
verified, thus by specifying an offset which points to data beyond 
the length of the packet, a memory read error is triggered, leading 
to service termination.

The vulnerability occurs in an early stage of the packet processing, 
before any authentication or verification of the content takes place.
This allows for unlogable, unauthenticated remote denial of service 
attacks.

______________________________________________________________________

o Resolution 

Oracle has produced a patch under bug number 1656431 which is 
available for download from the Oracle Worldwide Support Services
web site, Metalink (http://metalink.oracle.com) for the platforms
identified in this advisory. The patch is in production for all 
supported releases of the Oracle Database Server.

PGP Security's CyberCop Scanner risk-assessment tool has been 
updated to detect this vulnerability.

______________________________________________________________________

o Credits 

These vulnerabilities were discovered and documented by Nishad Herath
of the COVERT Labs at PGP Security.

______________________________________________________________________

o Contact Information 

For more information about the COVERT Labs at PGP Security, visit our
website at http://www.pgp.com/covert or send e-mail to covert@nai.com

______________________________________________________________________

o Legal Notice 

The information contained within this advisory is Copyright (C) 2001 
Networks Associates Technology Inc. It may be redistributed provided 
that no fee is charged for distribution and that the advisory is not 
modified in any way. 

Network Associates and PGP are registered Trademarks of Network 
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries. All other registered and unregistered 
trademarks in this document are the sole property of their respective
owners. 

______________________________________________________________________

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBOzpLqdwDUegFyneEEQJhRQCfRIhn+n8OwYL3OyxVtZfoc71Ul7UAn1p2
GImc/0PhShPJoBJNpuE82fvB
=ELUp
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOzyr4Sh9+71yA2DNAQGocgP9FHJD1H4FJKVQUHnf51oy/iXLVXG40Hau
Ow+ohgqR8NAGZ5sosE/cvAq18Ior50sDoIeeLRT2raIKN6Qj4F4WqHh0g6Afo31F
dHurQMAMNrg71RlXDUC1t7kziu+mIi1bJM6cfXzM2M6CoKYubH0nNNznHcL1APsc
Nmyco+KJrrU=
=r6Tf
-----END PGP SIGNATURE-----