Threat Finder

Threat ID
9
Threat Date
08/06/2007
Threat Name
Database user allows remote authentication
CVE Reference
CVE-NO-MATCH
CCE Reference
CCE-NO-MATCH
Risk
High
Database Type
No Application Type
Category
Unsupported
Versions
All versions of Oracle
Summary
The REMOTE_OS_AUTHENT parameter allows the database to trust that the client has properly authenticated the user and is who he or she claims to be. If an attacker can identify a user that is configured to use operating system authentication, the attacker will be able to connect to that account without providing any authentication credentials.
Overview
Oracle provides an option to accept, for accounts IDENTIFIED EXTERNALLY, an authentication decision made on the client. The database is configured to do this by setting REMOTE_OS_AUTHENT = TRUE in the init.ora file (or in the spfile). With this setting the client simply sends its operating system user name; the server prepends OS_AUTHENT_PREFIX (OPS$ by default) and, if an account of that name exists and is IDENTIFIED EXTERNALLY, opens the session without any password check. This configuration is not secure, since an attacker on the network who controls a client machine can create an operating system user with the right name and connect to Oracle as any account IDENTIFIED EXTERNALLY. If you enable this parameter and an attacker can identify a user that is configured to use operating system authentication, the attacker will be able to connect to that account without providing any authentication credentials.

When an account is created, you choose whether it is authenticated by a password managed by Oracle or by the operating system. If you choose to rely on operating system authentication rather than Oracle authentication, you create the account using the following syntax:
create user [NEWUSER] identified externally
For the operating system mapping to work, [NEWUSER] must be the operating system user name with OS_AUTHENT_PREFIX prepended (for example, OPS$SCOTT for the OS user scott).

Relying on client-side authentication for Oracle is not secure since client-side security can be easily circumvented: the server never verifies the claimed identity, so whoever controls the client (or can impersonate it on the network) chooses the user name that is sent.
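The following SQL*Plus script is an added example, not part of the original entry and not one of Application Security's fix scripts. It ties together the two points above: it checks the REMOTE_OS_AUTHENT and OS_AUTHENT_PREFIX settings, lists every account that is IDENTIFIED EXTERNALLY, shows the weak setting beside the corrected one, and converts an externally identified account to password authentication. It assumes it is run as SYSDBA on an instance that uses an spfile; the account OPS$SCOTT, the TNS alias ORCL, and the placeholder password are hypothetical.

```sql
-- Added example (not from the original advisory or from a vendor fix script).
-- Assumptions: run as SYSDBA; the instance uses an spfile; OPS$SCOTT and the
-- TNS alias ORCL are hypothetical names used for illustration.

-- 1. Is the database willing to trust a remote client's OS user name?
--    Weak setting:   remote_os_authent = TRUE
--    Secure setting: remote_os_authent = FALSE
--    os_authent_prefix shows what is prepended to the client-supplied name.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Which accounts are IDENTIFIED EXTERNALLY?  Each one is reachable with no
--    password for as long as remote_os_authent = TRUE.
--    On 11g and later, dba_users carries an authentication_type column:
SELECT username, account_status
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL';
--    On 10g and earlier the same information is in the password column:
--    SELECT username FROM dba_users WHERE password = 'EXTERNAL';

-- 3. How the weak configuration is abused (the behaviour described in the
--    Overview).  No database password is involved: on a client host the
--    attacker controls, an OS user named "scott" is created, and then
--        sqlplus /@ORCL
--    sends "scott" to the server, which prepends OS_AUTHENT_PREFIX and opens
--    the session as OPS$SCOTT.

-- 4. Fix: stop trusting remote clients.  REMOTE_OS_AUTHENT is a static
--    parameter, so it can only be set in the spfile and takes effect after
--    the instance is restarted.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
-- SHUTDOWN IMMEDIATE;
-- STARTUP;

-- 5. Where an externally identified account is still needed, convert it to
--    Oracle password authentication (or drop it if it is unused).
--    Replace the placeholder with a real, strong password before running.
ALTER USER OPS$SCOTT IDENTIFIED BY "ChangeMe_placeholder_1";
-- DROP USER OPS$SCOTT CASCADE;

-- 6. Re-check after the restart: expect remote_os_authent = FALSE and no
--    rows from the EXTERNAL query in step 2 that you have not accounted for.
SELECT value
  FROM v$parameter
 WHERE name = 'remote_os_authent';
```

Setting REMOTE_OS_AUTHENT to FALSE does not disable operating system authentication for local (Bequeath) connections on the database server itself; it only stops the server from accepting an OS user name asserted by a remote client, which is the condition this entry describes.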
References
http://download.oracle.com/docs/cd/B14117_01/server.101/b10755/initparams177.htm
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.