
[7.501] ORACLE auth_sesskey buffer overflow attempt

Dear all,

today I experienced dramatic behavior of the IPS in Astaro starting from 1:34pm UTC.

From that moment on, all the connections coming from my web servers to my Oracle cluster have been blocked by the IPS with the following reason: "ORACLE auth_sesskey buffer overflow attempt".

My web servers are all running Linux and Oracle client 11.1. Windows machines were not impacted, except one which is running Windows XP and Oracle client 10.2.

Other machines running Oracle SQL Developer and 

Here below you can find an extract from the log.

2009:11:25-13:34:10 dcfw-ast01-2 snort[26549]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="ORACLE auth_sesskey buffer overflow attempt" group="232" srcip="xx.xx.20.25" dstip="xx.xx.10.130" proto="6" srcport="53977" dstport="1521" sid="16309" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"

This behavior is scary and happened all of a sudden. The systems have been running for 20 months with the same IPS config on Astaro. No updates to the servers or to Astaro were done in the past 10 days.

To understand what happened I checked the up2date log and found this:

2009:11:25-13:33:27 dcfw-ast01-2 audld[25550]: id="3707" severity="info" sys="system" sub="up2date" name="Successfully synchronized fileset" status="success" action="download" package="ips"
2009:11:25-13:33:27 dcfw-ast01-2 auisys[26423]: Starting Up2Date Package Installer (Version 1.65)
2009:11:25-13:33:28 dcfw-ast01-2 auisys[26423]: Searching for available up2date packages for type 'mpfc'
2009:11:25-13:33:28 dcfw-ast01-2 auisys[26423]: id="371D" severity="info" sys="system" sub="up2date" name="No up2date packages available for installation" status="failed" action="preinst_check" package="mpfc"
2009:11:25-13:33:33 dcfw-ast01-2 auisys[26423]: Searching for available up2date packages for type 'ips'
2009:11:25-13:33:33 dcfw-ast01-2 auisys[26423]: Installing up2date package file '/var/up2date//ips/u2d-ips-7.158.tgz.gpg'
2009:11:25-13:33:33 dcfw-ast01-2 auisys[26423]: Verifying up2date package signature
2009:11:25-13:33:33 dcfw-ast01-2 auisys[26423]: Unpacking installation instructions
2009:11:25-13:33:33 dcfw-ast01-2 auisys[26423]: Unpacking up2date package container
2009:11:25-13:33:33 dcfw-ast01-2 auisys[26423]: Running pre-installation checks
2009:11:25-13:33:34 dcfw-ast01-2 auisys[26423]: Starting up2date package installation
2009:11:25-13:33:52 dcfw-ast01-2 auisys[26423]: id="371Z" severity="info" sys="system" sub="up2date" name="Successfully installed Up2Date package" status="success" action="install" package_version="7.158" package="ips"
2009:11:25-13:33:52 dcfw-ast01-2 auisys[26423]: New Pattern Up2Dates installed

Might this update be the reason for this horrible behavior?

What am I supposed to do to restore the IPS, wait for the next pattern update?

Please help.

Roberto
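The two log excerpts above already contain what is needed to test Roberto's suspicion: the `ips` pattern package 7.158 finished installing at 13:33:52 and the first `sid="16309"` drop appears at 13:34:10. The script below is an added example (not from the post, not Astaro/Sophos code) that parses the UTM `key="value"` log format, groups IPS drops by Snort sid, and flags any sid whose first hit falls inside a window after a successful pattern install. The log lines embedded in it are constructed to match the format shown above; the addresses and the second sid (`1000001`, a local-rule number) are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog-style prefix used by the UTM logs: "YYYY:MM:DD-HH:MM:SS host prog[pid]: ..."
PREFIX_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) (\S+?)\[(\d+)\]: (.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_FMT = "%Y:%m:%d-%H:%M:%S"

# Constructed sample input modelled on the lines quoted in the post.
UP2DATE_LOG = """\
2009:11:25-13:33:27 dcfw-ast01-2 audld[25550]: id="3707" severity="info" sys="system" sub="up2date" name="Successfully synchronized fileset" status="success" action="download" package="ips"
2009:11:25-13:33:27 dcfw-ast01-2 auisys[26423]: Starting Up2Date Package Installer (Version 1.65)
2009:11:25-13:33:52 dcfw-ast01-2 auisys[26423]: id="371Z" severity="info" sys="system" sub="up2date" name="Successfully installed Up2Date package" status="success" action="install" package_version="7.158" package="ips"
"""

IPS_LOG = """\
2009:11:25-12:10:03 dcfw-ast01-2 snort[26549]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="LOCAL constructed test alert" group="1" srcip="10.0.30.7" dstip="10.0.10.130" proto="6" srcport="40001" dstport="1521" sid="1000001" class="Misc activity" priority="3" generator="1" msgid="0"
2009:11:25-13:34:10 dcfw-ast01-2 snort[26549]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="ORACLE auth_sesskey buffer overflow attempt" group="232" srcip="10.0.20.25" dstip="10.0.10.130" proto="6" srcport="53977" dstport="1521" sid="16309" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
2009:11:25-13:35:41 dcfw-ast01-2 snort[26549]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="ORACLE auth_sesskey buffer overflow attempt" group="232" srcip="10.0.20.26" dstip="10.0.10.130" proto="6" srcport="41022" dstport="1521" sid="16309" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
2009:11:25-13:36:02 dcfw-ast01-2 snort[26549]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="ORACLE auth_sesskey buffer overflow attempt" group="232" srcip="10.0.20.25" dstip="10.0.10.131" proto="6" srcport="53990" dstport="1521" sid="16309" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
"""


def parse_line(line):
    """Split one UTM log line into its prefix fields plus every key="value" pair.
    Free-text lines (e.g. the auisys progress messages) parse but carry no pairs."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    ts, host, prog, pid, rest = m.groups()
    rec = {"ts": datetime.strptime(ts, TS_FMT), "host": host, "prog": prog, "pid": int(pid)}
    rec.update(KV_RE.findall(rest))
    return rec


def pattern_installs(lines, package="ips"):
    """(timestamp, version) of every successfully installed pattern package."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("sub") == "up2date" and rec.get("action") == "install" \
                and rec.get("status") == "success" and rec.get("package") == package:
            out.append((rec["ts"], rec.get("package_version", "?")))
    return out


def triage(ips_lines, installs, window=timedelta(hours=1)):
    """Group IPS drops by sid and mark those that first fired within `window`
    after a pattern install. A sid with no history before the install and a
    burst of hits on known-good flows right after it is the rule to review
    (or disable) first; sids that fired before the install are unrelated."""
    by_sid = defaultdict(lambda: {"reason": None, "first": None, "count": 0,
                                  "sources": set(), "targets": set()})
    for line in ips_lines:
        rec = parse_line(line)
        if not rec or rec.get("sub") != "ips" or rec.get("action") != "drop":
            continue
        s = by_sid[rec["sid"]]
        s["reason"] = rec.get("reason")
        s["count"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["sources"].add(rec["srcip"])
        s["targets"].add((rec["dstip"], rec["dstport"]))

    report = {}
    for sid, s in by_sid.items():
        new_after = None
        for ts, ver in installs:
            if ts <= s["first"] <= ts + window:
                new_after = ver
        report[sid] = {
            "reason": s["reason"],
            "count": s["count"],
            "first_seen": s["first"].strftime(TS_FMT),
            "sources": sorted(s["sources"]),
            "targets": sorted(s["targets"]),
            "new_after_pattern": new_after,  # version that preceded the first hit, else None
        }
    return report


if __name__ == "__main__":
    installs = pattern_installs(UP2DATE_LOG.splitlines())
    for sid, info in triage(IPS_LOG.splitlines(), installs).items():
        flag = f"NEW after pattern {info['new_after_pattern']}" if info["new_after_pattern"] else "pre-existing"
        print(f"sid {sid} [{flag}] x{info['count']} first={info['first_seen']} "
              f"src={info['sources']} dst={info['targets']} reason={info['reason']!r}")
```

Run against the real `/var/log/ips.log` and `/var/log/up2date.log` exports, the output tells you whether one sid accounts for the whole outage and whether every source is one of your own application servers, which is the evidence to attach when asking the vendor to fix the rule and the basis for deciding between disabling that single sid and waiting for the next pattern release.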


  • Bruce, thanks for clarifying that the removal from the list should be temporary, just long enough to delete it and put it back in.

    Are you saying that you wouldn't make an exception for traffic sourced from "xx.xx.20.25"?  It looked to me like he might be better off leaving the rule active: Oracle Network Authentication CVE-2009-1979 Remote Buffer Overflow Vulnerability.

    Your thoughts?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The rule obviously detects legitimate traffic; the rule should be modified or removed.  Putting in an exception would disable all rules for that IP... a worse solution, IMHO.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.
