Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Listener password management features"] [Next entry: "A new Oracle security checklist paper from Oracle"]

How many Oracle databases are exposed to the net?

I saw this evening that Ivan had made an interesting post to my Oracle Security Forum titled "How many Oracle databases are exposed to the net?". in this post Ivan talks about David looking at the number of Oracle databases exposed to the Internet. He goes on to talk about some simple research he has done using google hacking techniques. He also surmises how scary it is that there are indeed numbers of Oracle databases exposed to the net, quite a number do not have listener passwords set and they can easily be found by google hacking and also potential victims of worms or scripts.

The recent example worm code released exposes this issue as being current. David also talked in his blog about a worm that could use an extproc exploit. I talked about in the same thread above or rather mused, how many Oracle databases are exposed to the net (vulnerable or not) and how does that compare to the number of SQL Server databases, the software we all know that has been victim to a worm. I for one would be interested to know how the figures or comparisons stack up.

As I have said before here, the arrival of XE (Oracle Express) will inevitably mean that more, many more Oracle databases will get installed on PC's, laptops and servers that are not destined to be production databases. People like free software and will download it and try it. Dare I compare Oracle to MS Access? - Well in this context yes. People who do not know the power of Oracle will download it or get it on a magazine CD or from a friend or as part of some product, real or sample. Some people will use it with HTMLDB, or Excel or Word or some other GUI tools to store their contract lists or club membersí details or whatever. It will happen.

It is not just the threat of a worm that worries me, its the complexity of Oracle when it comes to securing it and the problem that will appear of so many databases simply not hardened and also simply made insecure through no fault of the owner. Oracle can be configured, parameters and RBAC and many other things, in so many ways that it is so easy to make it insecure and hackable. Oracle has problems with lots of bugs still to be fixed as we have seen over the recent times. Even, just recently Alex reported some 270 new security bugs to Oracle.

It is good that Oracle has decided to release upgrades with security bug fixes for XE but we need more. We need a way to prevent (too strong?) users of, particularly XE, from installing insecure copies of Oracle and also from easily making it insecure. If we assume that the problems will arise mostly from those users who simply insert the CD and install and then use Oracle like MS Access or use it as part of some application where they do not really understand that they have installed Oracle then what we need is a secure install option. Come on Oracle, lets have a secured installation option - (how about a secure wizard option?).

  • set all parameters that could cause insecurities to safe values

  • force all installed users passwords to be set - and not to any dictionary word

  • install profiles by default to enforce password complexity

  • close all un-needed ports - if they are needed then open manually - e.g. iSQL*Plus

  • force a listener password to be set - again force complexity and also non-dictionary

  • get rid of 99% of the PUBLIC privileges that are granted by default

  • many more....

I hope that these items listed above give a small taster of what I mean by this. I think because Oracle has so many configuration complexities in terms of parameters and privileges and features we sorely need a secure configuration wizard for Oracle - especially now XE is here - or even a forced secure configuration for those people who do not have any idea of how secure it is (or not). Any thoughts on this let me know on my Oracle security forum, and let Oracle know of course!