- Threat ID
- Threat Date
- Threat Name: Easily guessed password for the INTERNAL account
- CVE Reference
- CCE Reference
- Database Type
- Weak Passwords
- Oracle8i and earlier
- If a strong password is not set for the INTERNAL account, the database can be broken into simply by guessing it. An attacker who guesses the INTERNAL password gains full control of the database, because INTERNAL connects as SYS with the SYSDBA privilege.
- The INTERNAL account is a privileged account used to connect to the database for administrative tasks or to start up the instance. Connecting as INTERNAL connects you as the user SYS with the SYSDBA privilege, which grants unrestricted access to the database.
The INTERNAL account is normally accessed through operating-system authentication: you log on to the database host as a privileged OS user, such as the owner of the Oracle software, and then connect. The INTERNAL account can also be configured to accept a password, which is what makes it reachable over the network: this requires a password file (created with the orapwd utility) and the initialization parameter REMOTE_LOGIN_PASSWORDFILE set to SHARED or EXCLUSIVE. To disable password-based connections to the INTERNAL account, set REMOTE_LOGIN_PASSWORDFILE to NONE in the init.ora file; the parameter is static, so the change takes effect only after the instance is restarted.
CONNECT INTERNAL was removed in Oracle9i; the INTERNAL account no longer exists there, and administrators connect to SYS AS SYSDBA instead.
The Oracle documentation recommends setting the REMOTE_LOGIN_PASSWORDFILE initialization parameter to EXCLUSIVE immediately after creating a password file, but note that EXCLUSIVE still permits password logins as SYSDBA. For maximum security, do not create a password file at all and set REMOTE_LOGIN_PASSWORDFILE to NONE.
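The following POSIX shell script is an added audit check; it is not part of the original knowledge-base entry nor one of the vendor's fix scripts. It reads an init.ora-style parameter file, reports the effective REMOTE_LOGIN_PASSWORDFILE value, and fails when that value is SHARED or EXCLUSIVE (password logins to INTERNAL/SYSDBA possible). It assumes the usual "name = value" syntax with '#' comments, that parameter names are case-insensitive, and that an absent parameter behaves as NONE; the two sample files it checks are constructed inline, not captured from a real system.

```shell
#!/bin/sh
# Added audit helper (not from the original knowledge-base entry): reports the
# effective REMOTE_LOGIN_PASSWORDFILE setting in an Oracle init.ora-style file.
# Assumptions: "name = value" lines, '#' comments, parameter names compared
# case-insensitively; if the parameter is absent the instance behaves as NONE.

# Print the effective mode (NONE, SHARED or EXCLUSIVE) for the file in $1.
effective_pwfile_mode() {
    value=$(grep -i '^[[:space:]]*remote_login_passwordfile[[:space:]]*=' "$1" 2>/dev/null |
        tail -n 1 |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' |
        tr -d "'\"" |
        tr '[:lower:]' '[:upper:]')
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf 'NONE\n'
    fi
}

# Return 0 when password-file logins are disabled, 1 when INTERNAL/SYSDBA is
# reachable with a password (or the value is not one Oracle accepts).
check_internal_password_login() {
    mode=$(effective_pwfile_mode "$1")
    case "$mode" in
        NONE)
            printf 'PASS %s: REMOTE_LOGIN_PASSWORDFILE=%s (password logins disabled)\n' "$1" "$mode"
            return 0 ;;
        SHARED|EXCLUSIVE)
            printf 'FAIL %s: REMOTE_LOGIN_PASSWORDFILE=%s (INTERNAL/SYSDBA reachable by password)\n' "$1" "$mode"
            return 1 ;;
        *)
            printf 'FAIL %s: unrecognised value "%s"\n' "$1" "$mode"
            return 1 ;;
    esac
}

# Constructed sample parameter files, not captured from any real system.
weak_init=$(mktemp)
fixed_init=$(mktemp)
trap 'rm -f "$weak_init" "$fixed_init"' EXIT
cat > "$weak_init" <<'EOF'
db_name = ORCL
# password file created with orapwd; remote password logins allowed
remote_login_passwordfile = exclusive
EOF
cat > "$fixed_init" <<'EOF'
db_name = ORCL
REMOTE_LOGIN_PASSWORDFILE = NONE
EOF

for f in "$weak_init" "$fixed_init"; do
    check_internal_password_login "$f" || :
done
```

The script only inspects the file on disk; on a running instance, SQL*Plus `SHOW PARAMETER remote_login_passwordfile` reports the value the instance actually started with, which is the one that matters, since an edit to init.ora does not take effect until the instance is restarted.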
Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.