A new Buffer Overflow vulnerability has recently come to light that affects the Progress DataDirect Connect for ODBC (Open Data Base Connectivity) and could potentially lead to significant security risks.
In Progress DataDirect Connect for ODBC, specifically versions before 08.02.2770 for Oracle, this vulnerability arises when an overly large value for certain options of a connection string overruns the buffer allocated to process the string value. This overrun allows an attacker to execute code of their choice on an affected host by copying carefully selected data that will be executed as code.
What is CVE-2023-34364?
The Progress DataDirect ODBC Oracle Wire Protocol driver prior to version 08.02.2770 (B1532, U1315) is susceptible to a security issue. Specifically, if a certain option within a connection string is assigned an excessively large value, it can exceed the allocated buffer size, enabling an attacker to inject and execute their own code on a targeted system.
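The class of bug described above is easy to see in a small parser. The following C program is an added illustration written for this post, not code from the DataDirect driver: it extracts one option from a semicolon-separated connection string into a fixed 64-byte buffer. The buffer size, option names and connection-string layout are assumptions chosen for the example. The unchecked copy shows the pattern that overruns the buffer when the value is over-long; the checked copy fails closed instead.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size buffer for one option value (not the driver's real size). */
#define OPT_VALUE_MAX 64

/* Locate the value of `key` in a string like "HostName=db1;PortNumber=1521".
 * Returns a pointer to the first value character and stores the value length
 * (up to the next ';' or end of string) in *len; NULL if the key is absent. */
static const char *find_option(const char *connstr, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = connstr;
    while (*p) {
        while (*p == ';' || *p == ' ') p++;        /* skip separators */
        if (!*p) break;
        const char *end = strchr(p, ';');
        size_t entry_len = end ? (size_t)(end - p) : strlen(p);
        if (entry_len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *len = entry_len - klen - 1;
            return p + klen + 1;
        }
        p += entry_len;
    }
    return NULL;
}

/* VULNERABLE pattern: the value length is never compared with the buffer
 * size, so a value longer than OPT_VALUE_MAX - 1 writes past `out`.
 * Kept here only to contrast with the hardened version below. */
static void copy_option_unchecked(const char *connstr, const char *key,
                                  char out[OPT_VALUE_MAX])
{
    size_t len = 0;
    const char *v = find_option(connstr, key, &len);
    if (!v) { out[0] = '\0'; return; }
    memcpy(out, v, len);                 /* unbounded copy */
    out[len] = '\0';
}

/* HARDENED pattern: reject any value that does not fit, NUL included.
 * Returns 0 on success, -1 if the option is missing, -2 if it is too long. */
static int copy_option_checked(const char *connstr, const char *key,
                               char out[OPT_VALUE_MAX])
{
    size_t len = 0;
    const char *v = find_option(connstr, key, &len);
    if (!v) return -1;
    if (len >= OPT_VALUE_MAX) return -2; /* fail closed instead of overrunning */
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample input: a 200-character HostName value. */
    char big[201];
    memset(big, 'A', 200);
    big[200] = '\0';
    char connstr[320];
    snprintf(connstr, sizeof connstr, "HostName=%s;PortNumber=1521", big);

    char value[OPT_VALUE_MAX];
    printf("PortNumber -> rc=%d value=%s\n",
           copy_option_checked(connstr, "PortNumber", value), value);
    printf("HostName   -> rc=%d (rejected as too long)\n",
           copy_option_checked(connstr, "HostName", value));
    (void)copy_option_unchecked; /* not exercised: it would overrun `value` */
    return 0;
}
```

The defensive point is the single comparison `len >= OPT_VALUE_MAX`: whatever the caller supplies, the copy is bounded by the destination, and an oversized value is reported as an error rather than silently truncated or written past the buffer.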
Additionally, in versions preceding 08.02.2770 (B1532, U1315), when utilizing Oracle Advanced Security (OAS) encryption, there is a fallback mechanism in place if an error occurs during encryption object initialization. This fallback mechanism employs an insecure random number generator to generate the private key, making it possible for a knowledgeable attacker to predict the generated output.
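The second issue is a fail-open design: when the proper encryption object cannot be set up, key material is drawn from a predictable generator. The following C program, added for this post and unrelated to the driver's actual implementation, contrasts the two behaviours. The weak path seeds the C library PRNG and derives a key from rand(), which reproduces the same key for the same seed; the hardened path reads from the OS CSPRNG (/dev/urandom is assumed to exist) and returns an error rather than degrading when that source is unavailable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 32   /* assumed private-key length for the example */

/* INSECURE fallback: key bytes derived from the C library PRNG. Anyone who
 * knows or can narrow down the seed regenerates the identical key, which is
 * why this must never be the path taken when CSPRNG setup fails. */
static void weak_key_from_seed(unsigned seed, unsigned char key[KEY_LEN])
{
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(rand() & 0xff);
}

/* Fill `buf` with `n` bytes from the OS CSPRNG. 0 on success, -1 on failure. */
static int csprng_bytes(unsigned char *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* FAIL-CLOSED key generation: if the CSPRNG is unavailable, zero the buffer
 * and report an error. There is deliberately no fallback generator. */
static int generate_private_key(unsigned char key[KEY_LEN])
{
    if (csprng_bytes(key, KEY_LEN) != 0) {
        memset(key, 0, KEY_LEN);
        return -1;
    }
    return 0;
}

/* True if every byte in `buf` is zero (used to sanity-check generated keys). */
static int all_zero(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0) return 0;
    return 1;
}

/* True if two keys are byte-for-byte identical. */
static int keys_equal(const unsigned char *a, const unsigned char *b)
{
    return memcmp(a, b, KEY_LEN) == 0;
}

int main(void)
{
    unsigned char k1[KEY_LEN], k2[KEY_LEN], k3[KEY_LEN];

    /* Constructed seed: a fixed value standing in for a clock-derived seed. */
    weak_key_from_seed(1700000000u, k1);
    weak_key_from_seed(1700000000u, k2);
    printf("weak keys from the same seed identical: %s\n",
           keys_equal(k1, k2) ? "yes" : "no");

    if (generate_private_key(k3) == 0)
        printf("CSPRNG key generated (%d bytes)\n", KEY_LEN);
    else
        printf("CSPRNG unavailable: key generation refused\n");
    return 0;
}
```

The contrast to look for in a code review is the error path of generate_private_key: it returns a failure the caller must handle, rather than quietly switching to weak_key_from_seed and continuing with a key the other side of the connection cannot trust.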
Does CVE-2023-34364 affect me?
CVE-2023-34364 affects the software “Progress DataDirect Connect for ODBC” before version 08.02.2770 for Oracle. Because exploitation of CVE-2023-34364 could lead to the decryption of communication between the driver and the database server, it is also important to note that all earlier versions of the product are affected by these vulnerabilities as well.
Has CVE-2023-34364 been actively exploited in the wild?
The technical details of this vulnerability are currently unknown and an exploit is not yet available. However, while there are no current known exploits, this does not guarantee safety, and it is always recommended to apply patches as soon as possible.
How to fix CVE-2023-34364
Upgrading to version 08.02.2770 eliminates this vulnerability. To properly address it, upgrade to the following version of the Data Source Connector: Oracle Wire Protocol:
Windows 32-bit: ivora28.dll
Windows 64-bit: ddora28.dll
Unix 32-bit: ivora28.so
Unix 64-bit: ddora28.so
Library Version: 08.02.2770 (B1532, U1315)
For customers who have an active maintenance agreement, the upgrade can be obtained by logging into the Progress Community at https://community.progress.com/s/ and accessing the “Product Downloads” section.
Customers who are not currently under a maintenance agreement should consider renewing their agreement or contacting their Progress account representative for further assistance.
To determine the current version of your DataDirect ODBC driver, please refer to the instructions on “How to identify a Progress DataDirect for ODBC driver version from an existing installation?”.
For detailed guidance on upgrading your installation, you should consult the “Progress DataDirect for ODBC release download and install instructions.”
It is also important to note that using SSL/TLS encryption eliminates this vulnerability.
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- Can you trust ChatGPT’s package recommendations?
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- OWASP Top 10 vulnerabilities 2022: what we learned
- How to fix CVE-2023-25610 in FortiOS
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.