Chapter 5
Oracle Vulnerability Scanning
This chapter will overview the vulnerability-scanning industry in terms of how it has developed and the commercial
tools that are used. It will also introduce the tool I have used most, which is Perl based and enables custom
interactions to be automated, such as scanning Database Control webpages to gain the database name, coupled
with traditional TNS listener scanning for weak passwords. Finally, I will review some administrative and ethical
considerations you should take before using the code in practice.
Retrospective
Vulnerability scanning Oracle databases has changed a lot over the past decade or so. From my experience, it started
with localized shell scripts where the concern was for shell compatibility between Unices. The original Bourne shell
commands provided cross-shell compatibility between the newer shells. This evolved into software applications
carrying out remote scanning—notably AppSec Inc and NGSSoftware's SQuirreL tool. The former primarily used the
DB version to report on vulnerabilities of a database. The DB version has the advantage of being achievable pre-
authentication, but also has the disadvantage of inaccuracy due to the patch level of a DB not being reported in the
DB version.
In NGSQuirreL I wrote a number of forensic checksums to identify the state of objects as either being vulnerable
or non-vulnerable, which was more accurate than the DB version and more accurate than patch level due to the
unreliability of Oracle's patching mechanism at the time.
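As an added example of the forensic-checksum approach described above (this is not the author's NGSSQuirreL code), the script below hashes constructed rows shaped like DBA_SOURCE output for a hypothetical package and contrasts the result with a version-only check. HYPO_PKG, both package bodies, the known-state table and the "fixed in 11.2" release are all assumptions made for the illustration.

```python
import hashlib

# Constructed sample rows shaped like DBA_SOURCE output: (name, type, line, text).
# HYPO_PKG and both bodies are hypothetical, not real Oracle objects.
VULN_ROWS = [
    ("HYPO_PKG", "PACKAGE BODY", 1, "PACKAGE BODY hypo_pkg AS\n"),
    ("HYPO_PKG", "PACKAGE BODY", 2, "  PROCEDURE run(p IN VARCHAR2) IS BEGIN\n"),
    ("HYPO_PKG", "PACKAGE BODY", 3, "    do_work(p);\n"),
    ("HYPO_PKG", "PACKAGE BODY", 4, "  END run;\n"),
    ("HYPO_PKG", "PACKAGE BODY", 5, "END hypo_pkg;\n"),
]
# The fixed body adds an input-length guard before do_work: one changed region.
FIXED_ROWS = VULN_ROWS[:2] + [
    ("HYPO_PKG", "PACKAGE BODY", 3, "    IF LENGTH(p) > 30 THEN RAISE_APPLICATION_ERROR(-20001, 'bad input'); END IF;\n"),
    ("HYPO_PKG", "PACKAGE BODY", 4, "    do_work(p);\n"),
    ("HYPO_PKG", "PACKAGE BODY", 5, "  END run;\n"),
    ("HYPO_PKG", "PACKAGE BODY", 6, "END hypo_pkg;\n"),
]

def object_checksum(rows):
    """SHA-256 over the object's source in line order. Trailing whitespace and
    CR/LF differences are stripped so the same code hashes the same on every
    platform; nothing else is altered, so any patched line changes the hash."""
    ordered = sorted(rows, key=lambda r: r[2])
    body = "\n".join(text.rstrip() for _, _, _, text in ordered)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

# Reference table a scanner would ship (hypothetical): checksum -> known state.
KNOWN_STATES = {
    object_checksum(VULN_ROWS): "vulnerable",
    object_checksum(FIXED_ROWS): "patched",
}

def version_verdict(db_version, fixed_in="11.2"):
    """Version-only check: anything older than the release the fix shipped in is
    flagged. It cannot see a one-off patch applied to an older release."""
    as_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return "vulnerable" if as_tuple(db_version) < as_tuple(fixed_in) else "patched"

def checksum_verdict(rows, known=KNOWN_STATES):
    """Forensic check: the state of the object actually installed, whatever the
    version string says. Unrecognised source is reported, not silently passed."""
    return known.get(object_checksum(rows), "unknown")

if __name__ == "__main__":
    # An 11.1 database whose HYPO_PKG already carries the fix: "vulnerable patched"
    print(version_verdict("11.1"), checksum_verdict(FIXED_ROWS))
```

The "unknown" verdict matters in practice: an object whose source matches neither reference hash has been altered locally and deserves a look rather than a pass.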
Oracle's patching has improved, and there are fewer software bugs in the core RDBMS. But there are still some
old databases around; for instance, the most up-to-date version of the EM12c repository is 11.1, with some on 11.2, but
both have published vulnerabilities. Additionally, human-managed user accounts will have weak passwords and
default accounts tend to reappear, so the role of a security scanner is still important. Large companies like Symantec
sell distributed-host-based agent scanners that are installed and report back daily or weekly on the vulnerability
status of a database estate. I am not sure this will persist, as it adds a lot of performance and installation overhead, and
actually introduces risk by having the agent there. In my view there is still a big role for the unannounced pentest-like
scan to verify the security posture of the database estate.
Tools of the Trade
Imperva makes a standalone scanner called SCUBA that is quite reasonable for a free scanner and is available from
this URL:
http://www.imperva.com/products/dsc_scuba-database-vulnerability-scanner.html