Oracle E-Business Suite FNDFS Vulnerability
The Oracle Applications FNDFS program, used to retrieve report output from the Concurrent Manager server, can be used to remotely retrieve any file from the server without operating system or application authentication. A mandatory patch from Oracle is required to solve this security issue.
Integrigy Security Alert
______________________________________________________________________
Oracle E-Business Suite FNDFS Vulnerability
April 10, 2003
______________________________________________________________________
Summary:
The Oracle Applications FNDFS program, used to retrieve report output from the Concurrent Manager server, can be used to remotely retrieve any file from the server without operating system or application authentication. A mandatory patch from Oracle is required to solve this security issue.
Product: Oracle E-Business Suite
Versions: 10.7, 11.0 and 11.5.1 – 11.5.8
Platforms: All platforms
Risk Level: High
______________________________________________________________________
Description:
There exists a weakness in the communications protocol used by the Oracle Applications FND File Server (FNDFS) program, also referred to as the Report Review Agent (RRA), that may allow an attacker to retrieve any file from Oracle Applications Concurrent Manager servers bypassing operating system, database, and application authentication. The Concurrent Manager server is usually also the database server in most implementations. The FNDFS program is used by the Report Viewer (FNDWRR.exe) and ADI Request Center to retrieve reports and logs from the Concurrent Manager server.
An attacker can exploit this vulnerability to retrieve sensitive data or files containing critical passwords from the server. Any file accessible by the oracle or applmgr accounts can be retrieved. Direct access to the Concurrent Manager server via SQL*Net is required.
Solution:
Oracle has released patches for Oracle Applications 11.0 and 11i to correct this vulnerability. Oracle has implemented a new security layer in the communications protocol used by the FNDFS program.
The following Oracle patches must be applied to all servers --
Version Patch
------- -----
11.0 2782950 (All Releases)
11i 2782945 (11.5.1 – 11.5.8)
Application Desktop Integrator (ADI) users must also apply patch 2778660 to allow ADI clients to connect to the new FNDFS program.
Appropriate testing and backups should be performed before applying any patches.
All firewalls should block or filter the SQL*Net protocol, not permitting any SQL*Net access to the Concurrent Manager or database servers from the Internet or unsecured networks. Please note that the FNDFS program does not run on the standard Oracle SQL*Net port 1521, thus multiple SQL*Net ports must be blocked or filtered.
Security for the FNDFS TNS Listener should be evaluated and include a password on the listener and connection limitations to only allow the application servers access to the listener. Customers running
ADI may not be able to limit access to the listener, since ADI's
Request Center requires direct access to the listener from the client. Additional information on security for Oracle TNS listeners can be found at:
http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf
Additional Information:
http://www.integrigy.com/resources.htm
http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf
For more information or questions regarding this security alert, please contact us at alerts@integrigy.com.
Credit:
This vulnerability was discovered by Stephen Kost of Integrigy Corporation. Integrigy is a member of the Oracle PartnerNetwork.
______________________________________________________________________
About Integrigy Corporation (www.integrigy.com)
Integrigy Corporation is a leader in application security for large enterprise, mission critical applications. Our application vulnerability assessment tool, AppSentry, assists companies in securing their largest and most important applications. Integrigy Consulting offers security assessment services for leading ERP and CRM applications.
For more information, visit www.integrigy.com.