Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)

Three Tier Oracle Security in London ~ Paul M. Wright RSS Feed
 

_sys_logon_delay

Hi Oracle Security Folks,

Yes indeed, 12c is out. I have been working on 12c for 1.5 years and gave the first external 12c security presentation (of which I am aware) at UKOUG 2012 in Birmingham, so it is good to see that the product has finally been released. I like that the consolidation features are optional now. A lot of the currently unpublished 12c security research will be going into my Apress book Protecting Oracle (12c), due out in November, but I will be able to give some tasters here as we progress..

Firstly, thank you to Dani Schnider of Trivadis for referencing my Database Link Security paper.
Dani’s paper is available at this URL http://www.trivadis.com/uploads/tx_cabagdownloadarea/05-01-2013_Wie_sicher_sind_Database_Links.pdf and here in English translated by Google. Dani describes the idea of limiting a DB link to a specific account and then adding a context variable to legitimate DB Link logins using that account, which can then be used by the receiving database to grant access or not, using a trigger which checks for the correct context variable.

CREATE OR REPLACE TRIGGER dbl_logon_trg
AFTER LOGON ON DATABASE
DECLARE
v_username VARCHAR2(30) := sys_context('USERENV','SESSION_USER');
v_dbl_info VARCHAR2(200) := sys_context('USERENV','DBLINK_INFO');
BEGIN
IF v_username = 'ETL_USER' THEN
IF v_dbl_info IS NULL THEN
write_log('failed: direct login', v_username, v_dbl_info);
raise_application_error(-20101, 'Direct login not allowed.');
ELSIF v_dbl_info NOT LIKE 'SOURCE_GLOBAL_NAME=DWH_PROD, DBLINK_NAME=ETL_DBL%' THEN
write_log('failed: wrong dblink', v_username, v_dbl_info);
raise_application_error(-20102, 'Login from wrong database link not allowed.');
ELSE
write_log('successful login', v_username, v_dbl_info);
END IF;
END IF;
END dbl_logon_trg;

This is good advice but does not attempt to address the wider issue of how to stop incoming links for all accounts. That is more complex needing “Native Intrusion Protection”…more to come on this in the book.

My DB Link paper was also picked up by Oracle.com https://forums.oracle.com/message/10951663, and is nice to see Oracle openly discussing vulnerability. Mr A.C Hobbs would approve.

Gary Myers also kindly added observations regarding the transportation of a database link from one DB to another https://plus.google.com/117671444215575295808/posts/2kt3ztabToy (as discussed on oracle-l). This feature still works in 11.2.0.3 below — though the ciphertext is longer now..

SQL> CREATE DATABASE LINK MYDBLINK
  2  CONNECT TO MYDBLINKACCOUNT IDENTIFIED BY MYDBLINKPASSWORD USING 'MYTARGEDB';

Database link created.

SQL> SELECT DBMS_METADATA.GET_DDL('DB_LINK',a.db_link,a.owner) FROM dba_db_links a;

DBMS_METADATA.GET_DDL('DB_LINK',A.DB_LINK,A.OWNER)
--------------------------------------------------------------------------------

  CREATE DATABASE LINK "MYDBLINK.ENTERPRISE.INTERNAL.CITY.AC.UK"
   CONNECT TO "MYDBLINKACCOUNT" IDENTIFIED BY VALUES '06D52ACA3DE41DDE1DCFEFC51D
08A1B314C470B8A03EE849C86A3DF703E888E2A8D4B7B3882570A15273FA7681B966EE74739907B6
C6A18AEB8CF7EB1871EA2C41D25342F4C0D102DA2BBAFB8F0330756938B26EEFFFAF5FD69E2CED7C
B2DDF34AB17D15D30E1DFE1C464D1F39D8A3A37EF80FFF8F085D6937D7158EFA503621'
   USING 'MYTARGEDB'

SQL> select * from v$version;

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
PL/SQL Release 11.2.0.3.0 - Production
CORE    11.2.0.3.0      Production
TNS for 64-bit Windows: Version 11.2.0.3.0 - Production
NLSRTL Version 11.2.0.3.0 - Production

In my experience having possession of a copy of the ciphertext to create a copy of the link has a much lower impact than gaining the plaintext. Problem is that the plaintext password for low priv dblinks are often the same to the other system accounts.

Of course 11.2.0.3 database links have completely changed how the encryption algorithm works –> it is the same method as 12c. More on this in the book, in November.
May be a good idea to reset those DB Link passwords to unique values. 11.2 and above allows you to alter the password of the dblink directly with this command, another improvement from Oracle.

ALTER DATABASE LINK private_link CONNECT TO hr IDENTIFIED BY hr_new_password;

Database Links are interesting, but in terms of relative risk, the issue of remote SYS brute forcing has caused more concern than any other, partly due to the inability to mitigate. You will probably remember my , SYS connection throttler which was a DIY mitigation to remote brute forcing issue documented in 2007 (Needs FFox)

Well here is some very good news as Oracle have implemented my recommendation, given before and during the Beta, to add a simple hidden parameter to slow down remote SYS brute forcing – and it is set to TRUE by default!

Introducing _sys_logon_delay (beams proudly at new parameter).

This addresses one of the biggest security concerns and I commend Oracle for following my recommendations. The point of this simple delay function is that users will be able to understand it and therefore use it confidently.

while true;do sqlplus -S -L sys/wrongpw@orlin:1521/orcl3 as sysdba;sleep 0;done;

ERROR:
ORA-01017: invalid username/password; logon denied
8< --- Slow steady pace between failed logons thus making remote brute force infeasible.

--can set to 0 to disable, or to higher value to slow down attacker, but needs a restart.
--e.g. alter system set "_sys_logon_delay"=0 scope=spfile;

SQL> select banner from v$version;

BANNER
--------------------------------------------------------------------------------
Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production
PL/SQL Release 12.1.0.1.0 - Production
CORE    12.1.0.1.0      Production
TNS for Linux: Version 12.1.0.1.0 - Production
NLSRTL Version 12.1.0.1.0 - Production

Lets have a look and see what the new parameter looks like

SQL> select a.ksppinm name, b.ksppstvl value,b.ksppstdf deflt,
decode (a.ksppity, 1,
'boolean', 2,
'string', 3,
'number', 4,
'file', a.ksppity) type, a.ksppdesc description
from
sys.x$ksppi a,
sys.x$ksppcv b
where   a.indx = b.indx
   and
a.ksppinm ='_sys_logon_delay';  2    3    4    5    6    7    8    9   10   11   12  

NAME
--------------------------------------------------------------------------------
VALUE
--------------------------------------------------------------------------------
DEFLT	  TYPE
--------- ----------------------------------------
DESCRIPTION
--------------------------------------------------------------------------------
_sys_logon_delay
1
TRUE	  number
failed logon delay for sys

It is satisfying to see a large company react positively to customer feedback and to have helped fix this problem. Thanks to everyone involved. There are of course many other problems to solve, as we shall see in due course.

Lastly, courtesy of Oracle/Apress I will be at OOW/JavaOne in September, taking part in a publishing seminar, and looking forward to seeing you there in sunny SF.

Regards,
Paul

One Response to “_sys_logon_delay”

  1. 1
    hugocornwall:

    I had to reload the page to leave a comment…anyways…does this parameter affect all users managed by password file?

Leave a Reply

You must be logged in to post a comment.