Oracle Database Vault
Oracle Database Vault is an option for the Oracle database that adds separation of duties: DBAs can administer the database without being able to read or write the application data held in its tables. Unfortunately, Database Vault has several vulnerabilities.
Oracle Database Vault vulnerabilities fall into 3 categories:
- Disable – There are several methods of disabling Oracle Database Vault. Some were described in detail at Black Hat USA 2010 in the session “Hacking and Protecting Oracle Database Vault” (the videos are available on YouTube).
- Ad-hoc bypass – Running a single privileged command that Database Vault should prevent, for example changing another user’s password from the SYS account.
- Permanent bypass – Gaining lasting access to protected tables, so that Database Vault security is bypassed permanently rather than one command at a time.
Details of the Problem
Proxy users are a feature of the Oracle database that lets one user connect as another. For example, assume BOB has only the privilege to connect (CREATE SESSION), while user HR has access to sensitive HR data. The proxy feature allows granting BOB the ability to connect as HR. To allow this proxy access in a regular Oracle database, a DBA issues this SQL:
alter user HR grant connect through BOB;
After the proxy access is granted, BOB can connect as HR. Assuming BOB’s password is SECRET, in SQL*Plus the proxy connection uses the BOB[HR] notation:
connect BOB[HR]/SECRET
This connects BOB to the Oracle database as user HR. Once connected as HR, BOB can do everything the HR user can do. Under Oracle Database Vault this connection is treated as an HR connection and receives all the privileges and realm authorizations the HR user has.
This still leaves the problem of granting BOB proxy access while Database Vault is running, since a direct ALTER USER issued by SYS is blocked by Database Vault’s account-management protection. The DBMS_SYS_SQL package gets around that: its PARSE_AS_USER procedure parses a statement under the identity of an arbitrary user id, and DDL executes at parse time. The following PL/SQL block, executed as SYS under Database Vault, grants BOB proxy access to HR with the ALTER USER running as HR rather than as SYS:
declare
  hr_uid number;  -- user id of the target account (HR)
  curs   integer; -- DBMS_SYS_SQL cursor handle
begin
  select user_id into hr_uid from all_users where username = 'HR';
  curs := sys.dbms_sys_sql.open_cursor();
  -- parsed under HR's user id, so Database Vault sees HR altering its own
  -- account instead of SYS issuing ALTER USER; DDL executes at parse time
  sys.dbms_sys_sql.parse_as_user(curs,
    'alter user HR grant connect through BOB', dbms_sql.native, hr_uid);
  sys.dbms_sys_sql.close_cursor(curs);
end;
/
This vulnerability lets SYS bypass all of Database Vault’s protection without disabling it: the proxy grant is permanent, and every later BOB[HR] connection is, as far as Database Vault is concerned, a legitimate HR session. Since the whole purpose of Database Vault is to keep privileged users away from the data, this vulnerability renders it useless against a malicious DBA.
This vulnerability is one of many, and the only way to mitigate it together with the other vulnerabilities is to audit Oracle database activity. Auditing alerts on any attempt to breach Database Vault security, and beyond the notification it is a powerful deterrent against such breaches by insiders.
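As an added example (not code from the original page and not part of Core Audit), the SQL below shows what native Oracle auditing must be configured to record the attack above, and two queries that surface it after the fact: one that lists proxy grants into accounts whose objects sit in a Database Vault realm, and one that pulls the relevant statements from the unified audit trail. The policy name dv_proxy_bypass_pol and the assumption that HR’s objects are realm-protected are illustrative; DBA_PROXIES, DVSYS.DBA_DV_REALM_OBJECT, DBA_TAB_PRIVS and UNIFIED_AUDIT_TRAIL are Oracle’s own views.

```sql
-- Added example; policy name and the HR-in-a-realm assumption are illustrative.

-- 1. Traditional (pre-12c) auditing. SYS is NOT written to the AUD$ trail unless
--    AUDIT_SYS_OPERATIONS is TRUE, and even then SYS records go to the OS audit
--    trail (or syslog), never to DBA_AUDIT_TRAIL. Without this the SYS-run
--    exploit leaves no database-side trace at all. The parameter is static.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;  -- restart required
AUDIT USER BY ACCESS;                       -- CREATE/ALTER/DROP USER statements
AUDIT EXECUTE ON SYS.DBMS_SYS_SQL BY ACCESS;

-- 2. Unified auditing (12c and later) records SYS activity in the database.
CREATE AUDIT POLICY dv_proxy_bypass_pol
  ACTIONS ALTER USER,
          EXECUTE ON SYS.DBMS_SYS_SQL;
AUDIT POLICY dv_proxy_bypass_pol;

-- 3. Who can execute DBMS_SYS_SQL besides SYS? Any row here is worth explaining.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'DBMS_SYS_SQL';

-- 4. Detection that does not depend on the audit trail: every proxy grant whose
--    client account owns realm-protected objects. After the exploit this returns
--    one row, proxy BOB -> client HR, for the realm holding HR's tables.
SELECT p.proxy, p.client, r.realm_name, p.authentication
  FROM dba_proxies p
  JOIN (SELECT DISTINCT realm_name, owner
          FROM dvsys.dba_dv_realm_object) r
    ON r.owner = p.client
 ORDER BY p.client, p.proxy;

-- 5. Unified trail review: ALTER USER statements and DBMS_SYS_SQL calls in the
--    last day, with SQL text for triage of who granted proxy access to whom.
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, sql_text
  FROM unified_audit_trail
 WHERE (action_name = 'ALTER USER'
        OR (object_schema = 'SYS' AND object_name = 'DBMS_SYS_SQL'))
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY event_timestamp;
```

The important caveat is section 1: with traditional auditing, SYS’s actions never reach AUD$, so the exploit leaves nothing in DBA_AUDIT_TRAIL unless AUDIT_SYS_OPERATIONS is on, and even then the evidence lives in OS files a DBA with host access can edit. Unified auditing keeps SYS activity inside the database. In either setup, the realm-versus-proxy query in section 4 is a cheap scheduled check that catches the outcome of this bypass (an unexpected proxy grant into a realm owner) regardless of how the grant was obtained.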
Core Audit comes with many out-of-the-box policies, reports, and alerts that capture various activity profiles in the Oracle database. The attack above against Oracle Database Vault is captured by several of them from different angles. The Full Capture technology in Core Audit is the only one capable of capturing activity that executes inside PL/SQL code, like the DDL in this exploit. Core Audit is easy to deploy and configure, and performs Full Capture at less than 3% overhead.
Oracle database auditing is vital to closing the security loop in any Oracle database, but it is especially important in environments like Oracle Database Vault that aim to be more secure. Secured environments need Core Audit, as it is the only solution that can detect penetration attempts both through known vulnerabilities and through ones that have yet to be discovered.