- Threat ID:
- Threat Date:
- Threat Name: Database user allows remote authentication
- CVE Reference:
- CCE Reference:
- Database Type: Oracle (all versions)
- Application Type: none
- The REMOTE_OS_AUTHENT parameter allows the database to trust that the client has properly authenticated the user and is who he or she claims to be. If an attacker can identify a user that is configured to use operating system authentication, the attacker will be able to connect to that account without providing any authentication credentials.
- Oracle provides an option to verify authentication of accounts IDENTIFIED EXTERNALLY at the client. The database is configured to do this by setting the REMOTE_OS_AUTHENT parameter in the init.ora file. This configuration is not secure since an attacker on the network can connect to Oracle claiming to be any account IDENTIFIED EXTERNALLY. If you enable this parameter and an attacker can identify a user that is configured to use operating system authentication, the attacker will be able to connect to the account without providing any authentication credentials.
When an account is created, you choose whether it authenticates with a password managed by Oracle or with the operating system. If you choose to rely on operating system authentication rather than Oracle authentication, you create the account using the following syntax:
create user [NEWUSER] identified externally
Relying on client-side authentication for Oracle is not secure since client-side security can be easily circumvented.
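The following SQL is an added example of how a DBA can audit the two conditions described above and apply the configuration change; it is not a fix script from Application Security's products. It assumes a DBA-privileged SQL*Plus session; the user name app_svc is a constructed placeholder.

```sql
-- 1. Does the instance trust client-side (remote) OS authentication?
--    A secure instance returns FALSE.
SELECT name, value
  FROM v$parameter
 WHERE name = 'remote_os_authent';

-- 2. Which accounts were created IDENTIFIED EXTERNALLY?
--    Every row here is reachable without a database password while
--    remote_os_authent is TRUE.
SELECT username, account_status, created
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL';   -- Oracle 11g and later
-- On older releases the column does not exist; use instead:
--   WHERE password = 'EXTERNAL'

-- 3. Stop trusting client-supplied OS identities. The parameter is static,
--    so the change is written to the spfile and applies at the next restart.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;

-- 4. Optionally move an externally identified account to a database-managed
--    password so it keeps working after the restart (app_svc is a placeholder).
ALTER USER app_svc IDENTIFIED BY "Replace-With-A-Strong-Password-1";
```

Re-run the first two queries after the restart to confirm the parameter reads FALSE and that no remaining EXTERNAL accounts are unexpected.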
Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.