TUCoPS :: Oracle :: va1598.htm

Oracle DBMS – Proxy Authentication Vulnerability
CVE-2008-2625: Oracle DBMS – Proxy Authentication Vulnerability
CVE-2008-2625: Oracle DBMS – Proxy Authentication Vulnerability



Oracle is a widely-deployed Database Management System (DBMS) that supports a variety of applications. Many multi-tier applications are designed to use proxy authentication, restricting a middle tier to establish the database connection on behalf of the users. The standard authentication mechanism requires the client, the middle tier in this case, to provide valid credentials in order to authenticate and connect to the DBMS. User sessions are then created through the proxy connection. Oracle TNS protocol messages are used for session setup, authentication and data transfer. =0D
=0D
=0D
Scope=0D
=0D
Imperva=92s Application Defense Center (ADC) conducts extensive research on enterprise applications and databases. During its research, the team has identified a vulnerability in Oracle=92s proxy authentication and access control mechanism. =0D
=0D
=0D
Findings=0D
=0D
While proxy authentication is enabled for a user account through a proxy account, it is possible to create a separate connection using the original user account without authenticating the connection. =0D
=0D
=0D
Details=0D
=0D
Oracle supports a proxy authentication mode which a user establishes a session through a proxy and the proxy establishes a session on the user=92s behalf to the database. These sessions are created using the Oracle TNS protocol level messages and do not require additional authentication. This scenario is recommended by Oracle for multi-tier environments. =0D
=0D
While the user sessions are open through the proxy connection, an attacker can create a new connection to the database impersonating the original user without supplying a password. The attacker executes the attack by opening a TNS connection to the database server and sending a manipulated authentication message with the login mode flags set to proxy login and the session ID and serial number of the original session opened through the proxy account. =0D
=0D
=0D
Vulnerability ID=0D
=0D
Proposed CVE Candidate (as of October 14, 2008): CVE-2008-2625 =0D
=0D
=0D
Tested Versions=0D
=0D
Vulnerable=0D
Oracle 8i (8.1.7.x.x)=0D
Oracle 9i (9.2.0.7)=0D
Oracle 10g Release 1 (10.1.0.4.2)=0D
Oracle 10g Release 2 (10.2.0.1.0) =0D
=0D
=0D
Vendor=92s Status=0D
=0D
Vendor notified on December 13, 2005. Patch released by vendor on October 14, 2008. =0D
=0D
=0D
Workaround=0D
=0D
=0D
Always require password authentication, even for proxy connections=0D
Alternatively, disable proxy authentication mode and enforce this policy by configuring the SecureSphere Database Security Gateway to alert when users are granted proxy access=0D
The SecureSphere Database Security Gateway can also enforce all proxy account connections to the database originate from the proxy server IP address=0D
=0D
=0D
Discovered by:=0D
=0D
Amichai Shulman - Imperva Co-Founder, CTO and Head of Imperva=92s Application Defense Center (ADC). =0D
=0D
Disclaimer=0D
The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user=92s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.=0D
=0D
Copyright =A9 2007 Imperva, Inc.=0D
Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, adc@imperva.com for permission. 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH