Threat Finder

Threat ID
1
Threat Date
08/06/2007
Threat Name
Listener password not enabled
CVE Reference
CVE-NO-MATCH
CCE Reference
CCE-NO-MATCH
Risk
High
Database Type
Oracle
Category
Weak Passwords
Versions
All versions of Oracle
Summary
A strong password must be set on the LISTENER service to prevent unauthorized remote users from causing denial of service and potentially gaining access to the database server.
Overview
The LISTENER is one of the most important part of the whole Oracle architecture. It
- is a server-side program that manages connecting clients to the database.
- handles the connection request from a client to a database
- first accepts the connection and then negotiates with the database to setup a channel between the two ends
- returns the connection information to the client allowing the client and database to establish a connection

If it is not properly protected then anyone can easily gain control over it and
- shut it down blocking all remote users from accessing the database
- gain control of the underlying operating system by exploiting certain flaws (depending on the version)
- perform other administrative actions on the listener
- corrupt Oracle database files by setting them as log files

The LISTENER can be protected by using 'Password' authentication or 'Local OS Authentication' or both, depending on the version of the Oracle database. In Oracle8i up to Oracle 9iR2, only the 'Password' authentication option is supported. By default, it is turned off, leaving it open for anyone to control it. It is very important that the database administrator specifically enables the 'Password' authentication immediately after installing the database. The check is designed to detect if the LISTENER is using 'Password' authentication or not.

In Oracle 10gR1 and above, both 'Password' authentication and 'Local OS Authentication' are supported. By default, only 'Local OS Authentication' is enabled, which blocks all remote administrative commands to be issued. Only locally authenticated operating system users are allowed to issue such commands. Since, 'Local OS Authentication' protects the LISTENER by default, the check is designed to skip if it finds it enabled. 'Password' authentication can be enabled to allow for remote administration. A strong password should be chosen for 'Password' authentication.
References
http://www.integrigy.com/security-resources/whitepapers/Integrigy_Oracle_Listener_TNS_Security.pdf
http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd-doc.html
VMSKey
V0002608
STIGID
DO3630

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.

Powered by