WebApp Sec mailing list archives

RE: Oracle External Users


From: "Amichai Shulman" <shulman () imperva com>
Date: Tue, 6 Dec 2005 08:41:49 +0200

AFAIK using OS authentication for remote connection to the database in
Oracle is highly insecure. There is no mechanism to prevent the abuse of
OS authenticated accounts by a remote attacker, if
REMOTE_OS_AUTHENTICATION is set to TRUE. Basically the database server
relies on the username as embedded in the TNS connect message. The
contents of this field can be replaced using simple tools. This issue
has been documented long ago.

There are other mechanisms that allow an Oracle database server to rely
on an external authentication and user management system. Namely, the
Enterprise User account type is used for this purpose.

Amichai Shulman
CTO

Imperva, Inc.
12 Hachilazon St.
Ramat-Gan
Israel

Office:  972-3-6120133 (103)
Mobile: 972-54-5885083 
E-mail: shulman () imperva com


-----Original Message-----
From: Damien Lewis [mailto:dwlewis () comcast net] 
Sent: Monday, December 05, 2005 3:08 AM
To: webappsec () securityfocus com
Subject: Oracle External Users


Hello,

I'm in the process of reviewing a list of users (DBA_USERS table) from
an Oracle Database and have come across several accounts with the
PASSWORD field being "EXTERNAL".  It is my understanding that these
accounts are authenticated by the operating system, but how exactly do
you go about authenticating using this account (i.e. could I connect via
SQL Plus or an ODBC connection) and is there any other control(s) within
Oracle that would prevent any user from creating a user id that matches
the account name in DBA_USERS table on another computer and logging in
as that user to the Oracle database?

Thanks

D 
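An audit query for the situation both messages describe (externally identified accounts combined with REMOTE_OS_AUTHENT), added here as an example and not part of either post. It assumes SELECT access to DBA_USERS and V$PARAMETER; the PASSWORD = 'EXTERNAL' test matches the column value the question reports, and the commented alternative for AUTHENTICATION_TYPE applies to later releases where PASSWORD is no longer exposed.

```sql
-- Added audit query (not from the thread). Lists every account that Oracle
-- authenticates through the OS and flags whether the instance also accepts
-- that form of authentication from remote clients.
SELECT u.username,
       u.account_status,
       u.created,
       prm.remote_os_authent,
       prm.os_authent_prefix,
       CASE
         WHEN UPPER(prm.remote_os_authent) = 'TRUE'
           THEN 'HIGH: OS-authenticated account usable over the network'
         ELSE 'local OS authentication only'
       END AS risk
FROM   dba_users u
       CROSS JOIN (
         -- Both init parameters in one row so the join stays a single scan.
         SELECT MAX(CASE WHEN name = 'remote_os_authent' THEN value END) AS remote_os_authent,
                MAX(CASE WHEN name = 'os_authent_prefix' THEN value END) AS os_authent_prefix
         FROM   v$parameter
         WHERE  name IN ('remote_os_authent', 'os_authent_prefix')
       ) prm
WHERE  u.password = 'EXTERNAL'
-- On releases that hide the PASSWORD column, use instead:
--   u.authentication_type = 'EXTERNAL'
ORDER  BY risk, u.username;
```

Any row marked HIGH is an account that a remote client can claim simply by presenting its name; the remediation is REMOTE_OS_AUTHENT = FALSE (or moving those users to Enterprise User authentication as the reply suggests), after which the query should report only the local case.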


