Chapter 9
Design Flaws, Fixed and Remaining in 12c
Chapter 8 detailed the major security improvements delivered with the general release of 12c. Chapter 10 will
detail some specific security issues remaining in 12c. But before that, it is important to understand the conceptual
vulnerabilities in Oracle's design, as that understanding informs the individual security issues soon to be discussed.
Some of these design flaws have been fixed and some have not. Let's start with a fixed flaw.
Remote SYS Brute-Force Attacks
The first and most significant design flaw to be fixed in 12c is that SYS could be brute forced remotely, because
there was no throttling delay after a failed connection attempt. Prior to 12c, a failed SYS login incurred no delay, so an
attacker could brute force their way into the database by making many guesses remotely in quick succession. This risk
affected all users whose credentials were managed by the password file. Illogically, all the other, lower-privileged
accounts did have a throttling delay after failed logins and were thus safe from this threat.
In 12c a new parameter requested by myself, named _sys_logon_delay, introduces a one-second delay before
the same client can have a subsequent SYS authentication request honored. This simple parameter, which is on
by default, makes brute force attacks of SYS all but impossible. As an interesting historical observation, I originally
requested this improvement while working as a researcher for NGSSoftware in 2007 after writing this paper:
http://web.archive.org/web/20070206153311/http://www.ngssoftware.com/research/papers/oraclepasswords.pdf
In order to get the improvement finalized I had to wait and make the same request five years later while leading
DB security for an investment bank. The lesson to learn from this is that the way to get improvements made to the DB is
to request them through a large, well-funded customer!
The following example demonstrates the effect of the _sys_logon_delay parameter. The example uses a bash
while loop to repeatedly attempt to log in as the SYS user, thus modeling a brute-force attack.
while true;do sqlplus -S -L sys/wrongpw@orlin:1521/orcl3 as sysdba;sleep 0;done;
ERROR:
ORA-01017: invalid username/password; logon denied
8< --- Slow steady pace between repeated failed logons thus making remote brute force infeasible.
You can't see the effect from the delay in print, but try the example on your own system and you will see the
one-second delay and its effect on the loop's execution speed. A brute-force, dictionary-based attempt is not really
feasible when it takes one second per try.
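Since the delay cannot be seen in print, the following added script (not from the book) turns the observation into a check a DBA can run against a test instance: it makes a small, fixed number of failed SYS logons, times them, and reports whether at least (N-1) seconds elapsed, which is what the one-second throttle should guarantee. The connect string is taken from the example above; the wrong password is constructed, and sqlplus is assumed to be on the PATH.

```bash
#!/bin/bash
# Added example (not from the book): confirm _sys_logon_delay is enforced by
# timing a handful of deliberately failed SYS logons against a TEST instance.
# Assumptions: sqlplus on PATH; ORA_CONNECT points at a test database.
ORA_CONNECT="${ORA_CONNECT:-orlin:1521/orcl3}"   # connect string from the chapter's loop

# One failed SYS logon. -S silent, -L one attempt (no re-prompt). Output is
# discarded; only the time the server makes us wait matters. Always returns 0
# so the loop keeps counting attempts even though the logon is rejected.
failed_sys_logon() {
    sqlplus -S -L "sys/wrongpw_constructed@${ORA_CONNECT} as sysdba" \
        </dev/null >/dev/null 2>&1
    return 0
}

# Run $1 attempts of command $2 and print the whole-second elapsed time.
measure_attempts() {
    n=$1; cmd=$2
    start=$(date +%s)
    i=0
    while [ "$i" -lt "$n" ]; do
        "$cmd"
        i=$((i + 1))
    done
    end=$(date +%s)
    echo $((end - start))
}

# Return 0 when $1 attempts took at least ($1-1)*$2 seconds: the first attempt
# is not delayed, each subsequent one must wait $2 seconds. $3 = command to run.
throttle_enforced() {
    n=$1; delay=$2; cmd=$3
    elapsed=$(measure_attempts "$n" "$cmd")
    min=$(( (n - 1) * delay ))
    if [ "$elapsed" -ge "$min" ]; then
        echo "OK: $n attempts took ${elapsed}s (>= ${min}s); _sys_logon_delay in effect"
        return 0
    fi
    echo "WARNING: $n attempts took ${elapsed}s (< ${min}s); no SYS logon throttle observed"
    return 1
}

# Usage: ./check_sys_delay.sh --check   (3 attempts, expect >= 2 seconds)
if [ "${1:-}" = "--check" ]; then
    throttle_enforced 3 1 failed_sys_logon
fi
```

A WARNING from this check on a 12c instance means the hidden parameter has been turned off and should be investigated.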