Oracle Security Weaknesses

Once reasonable security measures have been put in place, it is best to focus on reinforcing the weakest points. The obvious question is: what are the natural strengths and weaknesses of Oracle security? While certain aspects of the security are solid, others can be easily exploited.
We took the liberty of performing an analysis of the various security aspects of the Oracle database, and pointed out the attack vectors that are exploitable in our experience.

Network - Potentially Strong

Network security refers to the safety of passwords and data exchanged between the Oracle database and external sources.
In the Oracle database's default network protocol, data is not encrypted, but password authentication is safe. Implementing Oracle Advanced Security allows for encryption of the data as well.

Storage & Backup - Potentially Strong

Storage and backup security refers to the safety of data if the files or backup tapes are stolen.
By default, Oracle has no storage encryption. However, implementing Oracle Advanced Security allows for encryption of all the storage and the backups.
This encryption adds complexity, along with the natural problems of storing the password that opens the database. However, these problems can be mitigated.

Authentication - Weak

Authentication refers to the ability to know who is connected to the database.
Oracle’s default user and passwords are relatively secure, and implementing Oracle Advanced Security allows for multi-factor authentication as well.
The underlying authentication problem is that accounts like the application accounts are vulnerable by definition. They are vulnerable because they do not represent a single user and therefore the identity of the client cannot be established. Multi-factor authentication cannot be performed on such accounts for obvious reasons.
This authentication issue and related subjects are discussed further in the Security Scope.

Authorization - Weak

Authorization refers to the ability to control who can do what once authenticated.
Oracle contains many facilities to grant (and revoke) access to users that have been authenticated. However, it has two major problems with regard to authorization:
  • Many bugs and other vulnerabilities make it possible for any authenticated user to obtain privileged access (SYS). The DBMS_SYS_SQL vulnerability used in the Data Vault page is one example of many.
  • DBAs and the SYS user have unlimited access that cannot be controlled. Implementing Oracle Data Vault attempts to reduce this problem, but contains vulnerabilities of its own. See Oracle Database Vault.

Server Security - Weak

Server security refers to the vulnerability of the database if someone gains access to the Oracle server.
There are multiple attack vectors from within the Oracle server:
  • Privileged SYS as SYSDBA connections can be made from the Oracle Unix account. While a password can be put on these connections, that password can also be reset or disabled.
  • Datafiles can be copied or mined for data. Oracle Advanced Security can encrypt those, but the key to that encryption is usually accessible on the Oracle server.
  • Redolog files and archive files contain data changes. These can be copied or mined for data.
  • Database processes can be manipulated to grant access and expose data. While this attack vector requires significant expertise, how-to manuals exist on the internet.

Past the Perimeter - Game Over

Generally, Oracle security is good as long as you don't cross the perimeter. The inside of the perimeter includes the Oracle database server, all the Oracle accounts, and the application. The application is included since we rely on it to perform authentication and authorization for the end users.
Once the perimeter is breached – it’s game over:
  • Logging into the database – once authenticated, gaining full access is easy
  • Logging into the database server – once logged into the database server, gaining access to the database itself is easy.
  • Manipulating the application – using various bugs and vulnerabilities in the application (e.g. using SQL injection), allows compromising of the data in the database (and sometimes the database security as well).

Between Technology and Practice

In Oracle’s defense, many of the weaknesses discussed are not technological. With the exception of the many bugs that can grant unlimited access to any authenticated user, the rest of the issues are mostly due to practical problems in the way databases are used.
The only mitigation for these problems is database auditing:
  • Authentication breaches – intelligent and declarative auditing can detect unusual connections made to the database
  • Authorization breaches – intelligent auditing can detect various attacks including Zero Day attacks
  • SQL injection – intelligent auditing can detect unusual SQLs in the database
  • Server breach – while database auditing cannot detect a breach of the server, it will detect it if the breach ended in a connection to the database
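As an added illustration of the "unusual connections" detection described above (example code written for this page, not Core Audit's product logic), the script below learns which (account, host, program) combinations are normal from a baseline of logon audit records and then flags deviations, plus any SYSDBA logon authenticated by the operating system rather than a database password. The audit records are constructed and the field names are assumptions loosely modelled on Oracle audit-trail columns.

```python
# Added example (not Core Audit's code): flag unusual Oracle logons from audit records.
# Records are constructed sample data; field names are assumptions, not a real schema.

# Learning period: logons considered normal for this database (constructed).
BASELINE_RECORDS = [
    {"user": "APPUSER", "host": "app01", "program": "JDBC Thin Client", "auth": "DATABASE", "sysdba": False},
    {"user": "APPUSER", "host": "app02", "program": "JDBC Thin Client", "auth": "DATABASE", "sysdba": False},
    {"user": "REPORTS", "host": "bi01", "program": "sqlplus", "auth": "DATABASE", "sysdba": False},
]

# Observation period to check against the baseline (constructed).
OBSERVED_RECORDS = [
    {"user": "APPUSER", "host": "app01", "program": "JDBC Thin Client", "auth": "DATABASE", "sysdba": False},
    # shared application account used interactively from an unknown host
    {"user": "APPUSER", "host": "laptop42", "program": "sqlplus", "auth": "DATABASE", "sysdba": False},
    # SYSDBA logon from the server's own OS account, no database password involved
    {"user": "SYS", "host": "db01", "program": "sqlplus", "auth": "OS", "sysdba": True},
    {"user": "REPORTS", "host": "bi01", "program": "sqlplus", "auth": "DATABASE", "sysdba": False},
]


def build_baseline(records):
    """Return the set of (user, host, program) triples seen during the learning period."""
    return {(r["user"], r["host"], r["program"]) for r in records}


def find_unusual_logons(baseline, records):
    """Return (reason, record) pairs for logons that deviate from the baseline.

    Two checks taken from the page's own argument:
    - an account (typically a shared application account, whose real identity
      cannot otherwise be established) connecting from a host/program never seen;
    - a SYSDBA connection authenticated by the OS, i.e. made from the Oracle
      server account rather than with a database password.
    """
    findings = []
    for r in records:
        if r["sysdba"] and r["auth"] == "OS":
            findings.append(("sysdba logon via OS authentication", r))
        if (r["user"], r["host"], r["program"]) not in baseline:
            findings.append(("account seen from unknown host/program", r))
    return findings


def run_example():
    """Apply the two checks to the constructed observation period."""
    return find_unusual_logons(build_baseline(BASELINE_RECORDS), OBSERVED_RECORDS)


if __name__ == "__main__":
    for reason, rec in run_example():
        print(f"{reason}: {rec['user']}@{rec['host']} via {rec['program']}")
```

In practice the baseline would be learned from a longer window of real audit records and re-learned as the application estate changes; the point is that deviations from the learned pattern surface a breached account or server even when the credentials used were valid.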
