Date: Mon, 12 Aug 2002 07:37:11 +0200
From: Gilles Parc <[email protected]>
To: [email protected]
Subject: Vulnerability in Oracle
Hi,
There is a security risk with the catsnmp catalog script (in
$ORACLE_HOME/rdbms/admin), which is shipped with the 8i/9i releases.
--
Details: this file drops and recreates user dbsnmp with the default
password "dbsnmp" and gives it some database privileges.
For 8i releases, these privileges are mostly grants on V_$ views.
For 9i releases, this user is granted the "SELECT ANY DICTIONARY"
privilege, which is a powerful one (it can see any SYS objects, like
link$, which stores unencrypted passwords).
--
One can argue that the site's security policy should ensure that
default passwords are changed.
But even in this case, I'm sure that over time many databases will
revert to the default password, because catproc.sql (which automatically
executes catsnmp) is required by Oracle when applying patchsets and
sometimes individual patches.
--
I asked Oracle one week ago to place an alert on that matter and was
referred by a support analyst to bug #2432163, which is publicly visible
on their Metalink site.
(I naively thought that all security problems were kept away from
prying eyes...)
They refused to escalate this bug to severity 1 because there is a
workaround (disabling this user).
BUT most Oracle DBAs don't know about this risky behavior going on
behind their backs!!
That's why I resort to Bugtraq to place this alert.
Regards
--
Carpe Diem !!
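As an added example (not part of the original post), the following SQL*Plus script implements the workaround the post describes, checking the dbsnmp account after every catproc.sql run and locking it when it has come back open. It assumes an Oracle 8i/9i dictionary (DBA_USERS.PASSWORD still holds the hash); the hash compared against is the widely published default for dbsnmp/dbsnmp and should be verified locally before relying on it.

```sql
-- Re-run after every catproc.sql / patchset application, because
-- catsnmp.sql recreates DBSNMP with the default password "dbsnmp".
SET SERVEROUTPUT ON

-- 1. Detection: account state, and whether the stored hash still matches
--    the default. E066D214D5421CCC is the commonly published default hash
--    for DBSNMP/dbsnmp on 8i/9i (assumption: confirm on a scratch instance).
SELECT username,
       account_status,
       CASE WHEN password = 'E066D214D5421CCC'
            THEN 'DEFAULT PASSWORD' ELSE 'changed' END AS pwd_check
  FROM dba_users
 WHERE username = 'DBSNMP';

-- 2. What catsnmp granted: on 9i expect SELECT ANY DICTIONARY here.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'DBSNMP';

-- 3. Remediation: if the Intelligent Agent is not used, lock and expire the
--    account; if it is, replace the placeholder with a site-specific
--    password instead of locking.
DECLARE
  v_status dba_users.account_status%TYPE;
  v_hash   dba_users.password%TYPE;
BEGIN
  SELECT account_status, password INTO v_status, v_hash
    FROM dba_users WHERE username = 'DBSNMP';

  IF v_status = 'OPEN' AND v_hash = 'E066D214D5421CCC' THEN
    -- catsnmp has reset the account: close the default-credential hole
    EXECUTE IMMEDIATE 'ALTER USER dbsnmp ACCOUNT LOCK PASSWORD EXPIRE';
    -- agent in use? use this instead:
    -- EXECUTE IMMEDIATE 'ALTER USER dbsnmp IDENTIFIED BY <SITE_PASSWORD_PLACEHOLDER>';
    DBMS_OUTPUT.PUT_LINE('DBSNMP was open with the default password; now locked and expired');
  ELSE
    DBMS_OUTPUT.PUT_LINE('DBSNMP status: ' || v_status || ', password ' ||
                         CASE WHEN v_hash = 'E066D214D5421CCC'
                              THEN 'still default' ELSE 'changed' END);
  END IF;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    DBMS_OUTPUT.PUT_LINE('DBSNMP does not exist in this database');
END;
/
```

Scheduling this script as the last step of any patch procedure that invokes catproc.sql closes the window in which the account silently reverts to its default.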