Summary
We identified an information disclosure vulnerability in the Oracle Transparent Network Substrate (TNS) protocol, which is used for Oracle database communications. Oracle assigned CVE-2025-30733 to the vulnerability, and fixed it in the patch released on April 15, 2025.
The issue can result in potentially sensitive system memory, including environment variables, being exposed to an unauthenticated remote user over the internet. The leaked information appears to be a read of uninitialised memory.
The default configuration of Oracle RDBMS since version 10g limits unauthenticated external access, so we didn’t expect to see widespread exposure of this vulnerability. However, because only minor changes to the default configuration are needed for the issue to become remotely observable, we do see limited numbers of exposed servers.
Background
As part of Driftnet’s internet intelligence data gathering, we develop our own protocol analysers to gain the best possible insight into a company’s external attack surface. When building these analysers, it’s not uncommon to encounter devices behaving in unexpected ways, whether due to nonconformance with specifications, deliberate obfuscation, or anomalies like unexpected data in responses.
A principle we follow when developing our protocol analysers is that we aim to minimise impact on the remote device while gathering enough information to fully identify the remote product and version. For Oracle TNS, we request the database version without authentication — similar to how Oracle’s own lsnrctl (Listener Control Utility) operates when run locally on a database server. The key part of the request is:
(DESCRIPTION=(CONNECT_DATA=(COMMAND=version)))
If the server allows for remote unauthenticated requests (an ill-advised configuration), then the expected output from this command is a list of banners containing information about the running version and operating system. For example:
TNSLSNR for 64-bit Windows: Version 11.1.0.7.0 - Production
Oracle Bequeath NT Protocol Adapter for 64-bit Windows: Version 11.1.0.7.0 - Production
Windows NT Named Pipes NT Protocol Adapter for 64-bit Windows: Version 11.1.0.7.0 - Production
Windows NT TCP/IP NT Protocol Adapter for 64-bit Windows: Version 11.1.0.7.0 - Production
TCPS
One of the things we do to enhance our reporting is to try and obtain SSL/TLS certificates wherever possible. While analysing the response from an Oracle Database server configured with a TCPS listener, we observed unexpected response data, indicating a previously unknown vulnerability.
Specifically, when sending our simple probe to a configured TCPS listener[1], we saw that additional data was being returned after the end of the expected banner list. This section of additional data was usually prefixed by “sdp” or “wss”, likely related to the listener’s Session Description Protocol (SDP) and Web Services Security (WSS) features.
The Leaked Data
The leaked information appears to be a read of unzeroed memory, filled with varying amounts of potentially sensitive data depending on how the server had recently used that memory section. For instance, it included information about connected clients as well as host environment variables.
[Figure: Example of data leaked from Oracle Database server.]
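The leak signature described above (data after the end of the banner list, usually prefixed by “sdp” or “wss”, carrying environment strings) can be checked for in a response captured from your own listener. This is an added example, not Driftnet's analyser code; it assumes the payload is the already-reassembled text of the version reply, and the function name and sample bytes are constructed for illustration.

```python
import re

# Banner shape taken from the article's sample listener output.
BANNER_RE = re.compile(rb"[\x20-\x7e]+?: Version [0-9.]+ - Production")
# Prefixes the article reports at the start of the extra data.
LEAK_MARKERS = (b"sdp", b"wss")
# NAME=value strings, the form leaked environment variables take.
ENV_RE = re.compile(rb"([A-Za-z_][A-Za-z0-9_()]{1,40})=[\x20-\x7e]{1,200}")


def triage(payload: bytes) -> dict:
    """Separate the expected banners from whatever follows them."""
    matches = list(BANNER_RE.finditer(payload))
    end = matches[-1].end() if matches else 0
    trailing = payload[end:]
    # Line endings, NUL padding and blanks alone are not a finding.
    meaningful = trailing.strip(b"\r\n\t\x00 ")
    marker = next((m.decode() for m in LEAK_MARKERS if m in meaningful[:16]), None)
    env_names = sorted({m.group(1).decode() for m in ENV_RE.finditer(trailing)})
    return {
        "banners": [m.group(0).decode("ascii") for m in matches],
        "trailing_bytes": len(meaningful),
        "marker": marker,
        "env_names": env_names,  # names only, so values never reach logs
        # Only judge replies in which the banner list was recognised.
        "suspect": bool(matches and meaningful),
    }


# Constructed sample data (not captured from any real server).
BANNERS = (
    b"TNSLSNR for Linux: Version 19.0.0.0.0 - Production\n"
    b"TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production\n"
)
CLEAN = BANNERS
LEAKY = (BANNERS + b"\x09wss" + b"\x00" * 24
         + b"USERNAME=svc_example\x00COMPUTERNAME=EXAMPLEHOST\x00")

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("leaky", LEAKY)):
        r = triage(data)
        print(name, r["suspect"], r["marker"], r["trailing_bytes"], r["env_names"])
```

A reply flagged as suspect indicates the listener should be patched and its exposure reviewed; the report lists variable names only so that leaked values are not copied into triage output.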
Remote Exposure
As we mentioned earlier, the default Oracle configuration meant that we didn’t expect to see the vulnerability externally. Whether this vulnerability is exposed to an external unauthenticated user depends on the LOCAL_OS_AUTHENTICATION configuration setting. Specifically, if LOCAL_OS_AUTHENTICATION is set to OFF, the listener may be accessible beyond local connections. Organisations are advised to enable this setting where possible.
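A configuration audit for the condition described above, as an added example that is not part of the original post: it scans the text of a listener.ora for the setting switched OFF and for a TCPS address. The per-listener spelling LOCAL_OS_AUTHENTICATION_<listener_name>, the function name and the sample files are assumptions made for illustration.

```python
import re

# Matches the bare parameter named in the article and, as an assumption,
# the per-listener spelling LOCAL_OS_AUTHENTICATION_<listener_name>.
AUTH_RE = re.compile(
    r"^\s*(LOCAL_OS_AUTHENTICATION(?:_\w+)?)\s*=\s*(\w+)", re.I | re.M)
TCPS_RE = re.compile(r"\(\s*PROTOCOL\s*=\s*TCPS\s*\)", re.I)


def audit_listener_ora(text: str) -> list:
    """Return human-readable findings for the contents of a listener.ora."""
    text = re.sub(r"#[^\n]*", "", text)  # ignore comments
    findings = [
        f"{name} = OFF: listener may be accessible beyond local connections"
        for name, value in AUTH_RE.findall(text) if value.upper() == "OFF"
    ]
    if findings and TCPS_RE.search(text):
        findings.append("TCPS address present while the setting is OFF: "
                        "the remotely observable case the article describes")
    return findings


# Constructed sample files: the weak setting beside the corrected one.
WEAK = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = db.example.internal)(PORT = 2484)))
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
"""
HARDENED = WEAK.replace("= OFF", "= ON")
COMMENTED = WEAK.replace("LOCAL_OS", "# LOCAL_OS")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_listener_ora(cfg) or "no findings")
```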
Exposure Statistics
Despite the default and recommended configuration being secure, to date we’ve observed a limited number of servers (around 40) exhibiting this memory leak vulnerability. We found a global distribution of affected servers with a wide range of reported database versions. Typically these use the default listener port of 1521, and are mainly running Windows — although the operating system used by the server doesn’t impact the vulnerability.

[Figure: Server locations with vulnerability.]
[Figure: Observed listener ports with vulnerability.]
[Figure: Reported operating system of server with vulnerability.]
[Figure: Oracle database server versions with vulnerability.]
Oops, We Did It Again
Whilst searching for existing details of this vulnerability we came across an older blog post that appears to describe the same issue. The author of that article believed it had been patched in July 2012 (patchset 13923474), so either that finding was incorrect or this is a regression in later versions of Oracle’s software.
Reporting Timeline
- 28th February 2025: We reported the issue to Oracle’s security team, who quickly acknowledged receipt.
- 25th March 2025: Oracle confirmed the issue and let us know that it would be fixed in a future patchset.
- 28th March 2025: Oracle told us that the patch would be out on April 15. They do not object to publicity after that date.
- 15th April 2025: Fix released as promised. We chose to wait a month to give people a chance to patch before blogging.
- 19th May 2025: Blog published.
We think that’s a really pretty decent response by Oracle. The CVSS v3.1 Base Score of 6.5 is a little lower than we might have expected, mostly because of the need for a non-default configuration, but the value of CVSS scores is often debated anyway, so hey.
Final Thoughts
The key takeaway from this vulnerability should be the need for organisations to actively manage — and frankly to minimise — their external attack surfaces. Oracle’s lsnrctl was released around thirty years ago, and yet here we are in 2025 with a previously-undiscovered remote vulnerability. The best way to avoid this kind of issue is simply not to expose the service to the public internet in the first place.
— Driftnet Engineering
Footnotes
[1] We didn’t explore configurations beyond a basic TCPS listener. It is possible other configurations may have equally triggered the additional data to be returned.