Recent Attacks & Attackers data shows that attackers are scanning for port 1521/tcp -- a service which was not blocked at the campus boundary. We assume the scans are malicious, and our best guess is that the attackers are trying to find vulnerable Oracle servers or perhaps to conduct dictionary attacks against well-known accounts within an Oracle database. See the SANS Top 20 Internet Security Vulnerabilities and especially the "U9) Databases" risks.
We are aware of a very few Oracle servers on campus (most are for enterprise systems managed by IST, where the consequences of a compromise are severe) and only a very few require any off-campus access. Within IST our practice has been, where possible, to limit off-campus access to systems offering Oracle services (thereby reducing the risk of compromise).
We are aware of compromises during the Ernst & Young penetration tests of 2002 involving poor passwords on systems that expose this service to the world. We are aware of some systems that have not limited off-campus access to the service, and we are very concerned that Oracle servers may not be at current patch level and may well be vulnerable to other attacks.
Given that there is a very limited requirement to expose the service to the world and that the attackers are showing a keen interest in finding these servers, we've implemented an alarm that notifies the attacking site's abuse contact (so the attacker's ISP can invoke its acceptable use agreement) and we've initiated discussions to block this service at the campus boundary.
A consensus has been reached that we ought to implement a strong firewall that blocks all services, with exceptions for only those services that are required (see the work of the Firewall Working Group). Work is underway to find the appropriate technologies.
The firewall block was implemented on 25-Aug-2005 with a very few exceptions. Automated alarms to abuse@attacking-site were disabled at the same time -- we're still under attack, but most attacks are turned away at the campus gateway.
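The kind of check that sits behind an alarm like the one described above, written as an added example (it is not the campus's own tooling): it flags off-campus sources that probe 1521/tcp on several campus hosts while skipping approved exceptions. The address ranges, flow-record format, exception list and threshold are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions, not from the page: documentation ranges stand in for the campus
# network and remote sites; the flow-record format and threshold are constructed.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
ORACLE_PORT = 1521
# Boundary exceptions: (permitted off-campus network, campus Oracle server).
EXCEPTIONS = [(ipaddress.ip_network("198.51.100.0/28"),
               ipaddress.ip_address("192.0.2.10"))]
SCAN_THRESHOLD = 3  # distinct campus hosts probed before a source is flagged

# Constructed sample: timestamp, protocol, source ip:port, destination ip:port.
SAMPLE_FLOWS = """\
2005-08-20T03:14:01 tcp 203.0.113.77:40112 192.0.2.5:1521
2005-08-20T03:14:01 tcp 203.0.113.77:40113 192.0.2.6:1521
2005-08-20T03:14:02 tcp 203.0.113.77:40114 192.0.2.7:1521
2005-08-20T09:00:10 tcp 198.51.100.3:51000 192.0.2.10:1521
2005-08-20T09:05:44 tcp 198.51.100.3:51007 192.0.2.11:1521
2005-08-20T10:30:00 tcp 203.0.113.9:33000 192.0.2.5:80
2005-08-20T11:00:00 tcp 192.0.2.20:45000 192.0.2.10:1521
2005-08-20T12:15:30 tcp 203.0.113.50:60001 192.0.2.5:1521
2005-08-20T12:15:31 tcp 203.0.113.50:60002 192.0.2.6:1521
"""

def parse_flow(line):
    """Split one record into (protocol, source IP, destination IP, dest port)."""
    _ts, proto, src, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (proto, ipaddress.ip_address(src.rsplit(":", 1)[0]),
            ipaddress.ip_address(dst_ip), int(dst_port))

def is_exception(src, dst):
    """True when this source/server pair is an approved off-campus user."""
    return any(src in net and dst == server for net, server in EXCEPTIONS)

def find_scanners(text, threshold=SCAN_THRESHOLD):
    """Map each off-campus source to the campus hosts it probed on 1521/tcp."""
    targets = defaultdict(set)
    for line in filter(str.strip, text.splitlines()):
        proto, src, dst, port = parse_flow(line)
        if proto != "tcp" or port != ORACLE_PORT:
            continue
        if src in CAMPUS_NET or dst not in CAMPUS_NET:
            continue  # keep only inbound traffic crossing the campus boundary
        if is_exception(src, dst):
            continue
        targets[src].add(dst)
    return {str(s): [str(d) for d in sorted(hosts)]
            for s, hosts in targets.items() if len(hosts) >= threshold}
```

Note that a permitted source reaching a server outside its exception (198.51.100.3 to 192.0.2.11 in the sample) is still counted, so an exception never turns into blanket access to every Oracle host.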