<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16705" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2><SPAN class=944523606-19102008>
<H2 class=subtitle>Oracle DBMS – Proxy Authentication Vulnerability</H2>
<P>
<H2 class=subtitle2>Background</H2><BR>Oracle is a widely-deployed Database
Management System (DBMS) that supports a variety of applications. Many
multi-tier applications are designed to use proxy authentication, restricting a
middle tier to establish the database connection on behalf of the users. The
standard authentication mechanism requires the client, the middle tier in this
case, to provide valid credentials in order to authenticate and connect to the
DBMS. User sessions are then created through the proxy connection. Oracle TNS
protocol messages are used for session setup, authentication and data transfer.
<P></P>
<P>
<H2 class=subtitle2>Scope</H2><BR>Imperva’s Application Defense Center (ADC)
conducts extensive research on enterprise applications and databases. During its
research, the team has identified a vulnerability in Oracle’s proxy
authentication and access control mechanism.
<P></P>
<P>
<H2 class=subtitle2>Findings</H2><BR>While proxy authentication is enabled for a
user account through a proxy account, it is possible to create a separate
connection using the original user account without authenticating the
connection.
<P></P>
<P>
<H2 class=subtitle2>Details</H2><BR>Oracle supports a proxy authentication mode
which a user establishes a session through a proxy and the proxy establishes a
session on the user’s behalf to the database. These sessions are created using
the Oracle TNS protocol level messages and do not require additional
authentication. This scenario is recommended by Oracle for multi-tier
environments. <BR><BR>While the user sessions are open through the proxy
connection, an attacker can create a new connection to the database
impersonating the original user without supplying a password. The attacker
executes the attack by opening a TNS connection to the database server and
sending a manipulated authentication message with the login mode flags set to
proxy login and the session ID and serial number of the original session opened
through the proxy account.
<P></P>
<P>
<H2 class=subtitle2>Vulnerability ID</H2><BR>Proposed CVE Candidate (as of
October 14, 2008): CVE-2008-2625
<P></P>
<P>
<H2 class=subtitle2>Tested Versions</H2><BR><B>Vulnerable</B><BR>Oracle 8i
(8.1.7.x.x)<BR>Oracle 9i (9.2.0.7)<BR>Oracle 10g Release 1
(10.1.0.4.2)<BR>Oracle 10g Release 2 (10.2.0.1.0)
<P></P>
<P>
<H2 class=subtitle2>Vendor’s Status</H2><BR>Vendor notified on December 13,
2005. Patch released by vendor on October 14, 2008.
<P></P>
<P>
<H2 class=subtitle2>Workaround</H2><BR>
<UL>
<LI>Always require password authentication, even for proxy connections
<LI>Alternatively, disable proxy authentication mode and enforce this policy
by configuring the SecureSphere Database Security Gateway to alert when users
are granted proxy access
<LI>The SecureSphere Database Security Gateway can also enforce all proxy
account connections to the database originate from the proxy server IP
address</LI></UL>
<P></P>
<P>
<H2 class=subtitle2>Discovered by:</H2><BR>Amichai Shulman - Imperva Co-Founder,
CTO and Head of Imperva’s Application Defense Center (ADC).
<P></P>
<H2 class=subtitle2>Disclaimer</H2>
<P>The information within this advisory is subject to change without notice. Use
of this information constitutes acceptance for use in an AS IS condition. Any
use of this information is at the user’s own risk. There are no warranties,
implied or expressed, with regard to this information. In no event shall the
author be liable for any direct or indirect damages whatsoever arising out of or
in connection with the use or spread of this information.</P>Copyright © 2007
Imperva, Inc.<BR>Redistribution of this alert electronically is allowed as long
as it is not edited in any way. To reprint this alert, in whole or in part, in
any medium other than electronic medium, <A
href="mailto:adc@imperva.com">adc@imperva.com</A> for permission.
</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV dir=ltr align=left><STRONG><FONT face=Arial color=#0000ff size=2>Amichai
Shulman</FONT></STRONG></DIV>
<DIV dir=ltr align=left><STRONG><FONT face=Arial color=#0000ff
size=2>CTO</FONT></STRONG></DIV>
<DIV dir=ltr align=left><SPAN
style="FONT-SIZE: 8.5pt; COLOR: #2f506d; FONT-FAMILY: Verdana"></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN
style="FONT-SIZE: 8.5pt; COLOR: #2f506d; FONT-FAMILY: Verdana">125 Menachem
Begin St.<BR>Tel Aviv 67010<BR>Israel<?xml:namespace prefix = o ns =
"urn:schemas-microsoft-com:office:office" /><o:p></o:p></SPAN></DIV>
<DIV dir=ltr align=left>
<P><SPAN style="FONT-SIZE: 8.5pt; COLOR: #2f506d; FONT-FAMILY: Verdana">(972)
3-6840103 Office<BR>(972) 54-5885083 Mobile<BR>(972) 3-6840200 Fax<BR><A
title=mailto:shulman@imperva.com
href="mailto:shulman@imperva.com">shulman@imperva.com</A><o:p></o:p></SPAN></P><SPAN
style="FONT-SIZE: 6.5pt; COLOR: #2f506d; FONT-FAMILY: Verdana; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: HE">Download
Scuba by Imperva<BR>FREE Database Assessment Scanner<BR><A
title=http://www.imperva.com/scubam
href="blocked::http://www.imperva.com/scubam">www.imperva.com/scuba</A></SPAN></DIV>
<DIV> </DIV></BODY></HTML>