Threat Finder

Threat ID: 8
Threat Date: 08/06/2007
Threat Name: Easily-guessed password for internal account
CVE Reference: CVE-NO-MATCH
CCE Reference: CCE-NO-MATCH
Risk: High
Database Type: Oracle
Category: Weak Passwords
Versions: Oracle8i and earlier
Summary
If a strong password is not set for the INTERNAL user, the database can be broken into by guessing that password. An attacker who guesses the INTERNAL password gains full control of the database.
Overview
The INTERNAL user is a privileged account used to connect to the database for administrative tasks or to start up the database. Connecting through the INTERNAL account logs you in as the user SYS with the SYSDBA privilege, which gives unrestricted access to the database.

The INTERNAL account is normally accessed by logging on to the operating system as a privileged user, such as the owner of the Oracle software. The INTERNAL account can also be set up with a password to allow remote access; this is done by setting the REMOTE_LOGIN_PASSWORDFILE initialization parameter to SHARED or EXCLUSIVE. To disable password-based connections to the INTERNAL account, set REMOTE_LOGIN_PASSWORDFILE to NONE in the init.ora file.

The INTERNAL account no longer exists in version 9i of Oracle.

The Oracle documentation recommends setting the REMOTE_LOGIN_PASSWORDFILE initialization parameter to EXCLUSIVE immediately after creating a password file. For maximum security, do not create a password file at all and set REMOTE_LOGIN_PASSWORDFILE to NONE.
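The following script is an added example and is not part of the Threat Finder entry or of Application Security's products. It parses the classic init.ora text format (one NAME = VALUE entry per line, '#' comments, case-insensitive parameter names) and reports whether REMOTE_LOGIN_PASSWORDFILE permits password-based INTERNAL/SYSDBA logins. The three init.ora fragments embedded below are constructed samples, not real configuration files; the status labels and the audit() wording are this example's own.

```python
"""Audit an init.ora file for the REMOTE_LOGIN_PASSWORDFILE setting.

Added example, not taken from the Threat Finder page. Assumes the
plain-text init.ora format: NAME = VALUE per line, '#' comments.
"""
import re

# Constructed sample init.ora fragments (illustrative only).
WEAK_INIT_ORA = """
# constructed sample: a password file is in use, so the INTERNAL
# account can be reached remotely with a password
db_name = ORCL
remote_login_passwordfile = EXCLUSIVE
"""

HARDENED_INIT_ORA = """
# constructed sample: password-based remote SYSDBA logins disabled
db_name = ORCL
REMOTE_LOGIN_PASSWORDFILE = NONE
"""

UNSET_INIT_ORA = """
# constructed sample: parameter not present at all
db_name = ORCL
"""

PARAM = "remote_login_passwordfile"
_ENTRY = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*)$")


def parse_init_ora(text):
    """Return {parameter_name_lower: VALUE_UPPER} for every NAME = VALUE line.

    Comments after '#' and blank lines are ignored; surrounding quotes on
    the value are stripped so "NONE" and NONE compare equal.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _ENTRY.match(line)
        if match:
            name, value = match.groups()
            params[name.lower()] = value.strip().strip("\"'").upper()
    return params


def check_remote_login_passwordfile(text):
    """Classify the setting as (status, value).

    "ok"                    -> NONE: no password file, password-based
                               INTERNAL/SYSDBA logins are disabled
    "password_file_enabled" -> EXCLUSIVE or SHARED: remote password
                               logins allowed, so the INTERNAL password
                               strength is the only barrier
    "unexpected"            -> any other value, worth a manual look
    "not_set"               -> parameter absent; the effective value is
                               the release default, confirm in v$parameter
    """
    value = parse_init_ora(text).get(PARAM)
    if value is None:
        return ("not_set", None)
    if value == "NONE":
        return ("ok", value)
    if value in ("EXCLUSIVE", "SHARED"):
        return ("password_file_enabled", value)
    return ("unexpected", value)


def audit(text):
    """Return a one-line finding with the remediation from the entry above."""
    status, value = check_remote_login_passwordfile(text)
    shown = value if value is not None else "<not set>"
    if status == "ok":
        advice = "password-based INTERNAL logins disabled"
    elif status == "password_file_enabled":
        advice = ("password file in use; if remote SYSDBA access is not "
                  "required, set REMOTE_LOGIN_PASSWORDFILE = NONE")
    else:
        advice = "verify the effective value with SHOW PARAMETER"
    return f"REMOTE_LOGIN_PASSWORDFILE = {shown} [{status}]: {advice}"


if __name__ == "__main__":
    for sample in (WEAK_INIT_ORA, HARDENED_INIT_ORA, UNSET_INIT_ORA):
        print(audit(sample))
```

Run it as-is to see the three sample verdicts, or pass the contents of a real init.ora to audit(). Because init.ora can be overridden by a server parameter file, treat the file-level result as a starting point and confirm the running value in the instance.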
References
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.
