Threat Finder

Threat ID
2
Threat Date
08/06/2007
Threat Name
Easily-guessed password for listener
CVE Reference
CVE-NO-MATCH
CCE Reference
CCE-NO-MATCH
Risk
High
Database Type
Oracle
Category
Weak Passwords
Versions
All versions of Oracle
Summary
A strong password must be set on the listener service to prevent remote users from guessing the password. If the password can be guessed, an attacker can use the listener service to write files on the operating system, possibly gaining access as the account that owns oracle.
Overview
The listener password can be easily guessed. If you do not set a strong listener password, an attacker can gain control over the listener service by guessing the password. To guess the password, an attacker can try connecting to the listener thousands of times using the words in a dictionary as the password. If the password is found in a dictionary, the attacker will gain access to the listener service and can
- shut down the listener or
- perform other administrative action on the listener

This attack can be mounted by any remote users that can send packets to the IP address and port of the listener. It can not be mounted by an attacker outside your organization if a firewall is properly protecting the database.

This is a dangerous vulnerability since many database administrators are unaware that the listener service accepts commands from remote sources. This allows anyone on the network to attempt to break into the listener.

Easily-guessed passwords for the listener can be exploited because:
- the listener password does not lockout after a number of failed attempts
- there is no mechanism to ensure a strong password is being used

There are several vulnerabilities already in existence that use the privileges of the listener to perform actions such as:
- create .rhost files or
- to corrupt the Oracle database files
If you do not set a strong password on the listener, an attacker can gain access as the listener and use the vulnerabilities listed above to gain access to the operating system as the owner of the Oracle software.

The listener:
- is a server-side program that manages connecting clients to the database.
- handles the connection request from a client to a database
- first accepts the connection and then negotiates with the database to setup a channel between the two ends
- returns the connection information to the client allowing the client and database to establish a connection

The listener typically runs under the following privileges:
- Using the Oracle software owner account on UNIX
- Using the LocalSystem account on Windows

Because the listener has such a high level of privileges, any actions this process can take should be restricted.
References
http://download.oracle.com/docs/cd/B13789_01/network.101/b10775/listenercfg.htm#i490255
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.

Powered by