Find Oracle Database Servers with CVE-2018-3110 Vulnerability
Oracle recently disclosed a severe vulnerability (CVE Score: 9.9) in Oracle Database. The vulnerability affects 188.8.131.52 and 184.108.40.206 and enables an attacker who can start a session (i.e., successfully authenticate) to fully compromise the Oracle server and further gain access to an OS shell. To protect from compromise, Oracle recommends that all users update to 220.127.116.11 July 2018 CPU.
Below, we show how you can search for vulnerable servers that are public facing on the Internet.
This particular flaw is significant in that it allows for remote exploitation of the vulnerability, though Oracle adds an important distinction: Remote exploitation is only possible if the attacker successfully authenticates with the database server using valid credentials.
NIST’s National Vulnerability Database comments on the CVE:
Supported versions that are affected are 18.104.22.168, 22.214.171.124, 126.96.36.199 and 18. Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM. CVSS 3.0 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
How to find Oracle Database servers affected by CVE-2018-3110
Using Censys, perform a search for hosts running the affected server versions:
1521.oracle.banner.nsn_service_versions.Authentication: 188.8.131.52* OR 1521.oracle.banner.nsn_service_versions.Authentication: 184.108.40.206* OR 1521.oracle.banner.nsn_service_versions.Authentication: 220.127.116.11* OR 1521.oracle.banner.nsn_service_versions.Authentication: 18*
Add ranges of IP addresses that belong to your organization to filter the results. For example:
…) AND 18.104.22.168/8
Patching your Oracle Database servers
Let’s say you found a few affected database servers within the Censys data you pulled in from that search. Now it’s time to patch by following the instructions provided by Oracle for CVE-2018-3110.
Censys helps you get visibility into servers with vulnerabilities so that you can be proactive in your information security efforts. We recommend scanning daily and subscribing to vulnerability lists that share updates about affected versions of products. Then you can use Censys to find your organization’s vulnerable servers that are accessible from the Internet.
Send us a tweet if you have any feedback. We’d love to hear from you.