Threat Finder

Threat ID
5
Threat Date
08/06/2007
Threat Name
Easily-guessed database username
CVE Reference
CVE-NO-MATCH
CCE Reference
CCE-NO-MATCH
Risk
Informational
Database Type
Oracle
Category
Other
Versions
All versions of Oracle
Summary
A database username has been discovered. By manipulating the login sequence, an attacker can detect whether a given account name exists. This allows the attacker to build a list of valid users by trying a list of common usernames.
Overview
While Oracle does not provide a built-in mechanism for allowing unauthenticated users to enumerate the list of database users, an attacker can generate a list of valid database users by trying a list of names from a dictionary.

While a list of users does not by itself constitute a vulnerability, an attacker can use a list of database accounts to mount further attacks. Most sophisticated attackers begin an attack by collecting exactly this type of information.

This check attempts to collect a list of live account names from the database. The collected list of usernames is then used by other checks.

This check determines live account names by attempting to log in with each word from a specified dictionary file. The default file is "large-familynames.txt", found in the AppDetective installation directory.

Note that this check can take a long time to run if the dictionary being tried is very large. Depending on the speed of the connection, the rate at which usernames can be attempted ranges from several per second to one every few seconds.
References
http://www.oracle.com/pls/db92/db92.drilldown?remark=&word=create+user&expand_all=1
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.