Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Oracle exec hits out at 'patch' mentality

Oracle exec hits out at 'patch' mentality - By Colin Barker and Jonathan Bennett

"Oracle's security chief says the software industry is so riddled with buggy product makers that "you wouldn't get on a plane built by software developers."

Chief Security Officer Mary Ann Davidson has hit out at an industry in which "most software people are not trained to think in terms of safety, security and reliability." Instead, they are wedded to a culture of "patch, patch, patch," at a cost to businesses of $59 billion, she said."


Project Lockdown

I just saw on OTN that Arup Nanda's paper on how to secure an Oracle database has finally been put up. Arup gave me a heads up on this paper a few months ago as he asked if he could use my default password list. Thanks for the mention in your paper Arup.

This is an excellent paper, truly very very well written. I am a fan of Arups HIPAA book because of its very easy reading style. he has not lost any of the style here. This paper is called "Project Lockdown - A phased approach to securing your database infrastructure" and is a 4 part paper on securing an Oracle database. The paper is phased into 4 sections, what you can do in one day, what you can do in a week, what you can do in a month and finally what you can do in a quarter.

Excellent paper, well worth reading, well done Arup!!!

Exploiting and protecting Oracle

I wrote a 60 or so page paper called Exploiting and protecting Oracle around 5 years ago when I worked for Pentest Ltd. I have had a link to this paper on my Oracle Security white papers page for a long time, someone told me via email today that the link was broken. I have fixed the link to point at the original paper. This paper is dated a little but it still contains some good stuff related to Oracle security and some ideas of where to investigate if you want to research the subject. I was chatting to Alex when we got together in the states a couple of months ago and I had a chnace to go and find something in this paper to show the source of an idea. have a read!


Tripwire Partners with Oracle® to Enable Enhanced Security and Increased Compliance

Tripwire Partners with Oracle® to Enable Enhanced Security and Increased Compliance

"Tripwire Announces Support for Oracle Database Vault

Portland, OR - April 26th, 2006 - Tripwire, Inc.® today announced Tripwire Enterprise will support Oracle® Database Vault to help customers assure security, decrease insider threats and meet today’s stringent regulatory compliance requirements. Together, Tripwire Enterprise and Oracle Database Vault will provide companies complementary controls to help demonstrate to auditors that their change auditing environment is under lock and key."

Pete Finnigan blog back on orablogs

I just noticed that my blog has re-appeared in orablogs after being missing for around a month. This was due to my site moving to a new IP Address and I guess orablogs resolving the IP address each time it starts its scanner and the fact that Brian has not restarted it for a while meant that he was still pinging my old IP Address. Thanks for resolving the issue Brian!



Security Patch website

When Greg emailed me the pdf about the patch survey he also mentioned a website that his company sponsor called Security Patch.org. This site does not have a fantastic amount of content but it does include a very good set of pages that link to individual advisories for security bugs in Oracle, Microsoft, Apache, Linux and Sun. The Oracle page is of course of the most interest to us here. The Oracle patch page details all of the CVE references for bugs fixed in oracle CPU's and previous alerts. There is obviously not a complete cross reference against every bug fixed in each CPU and alert as Oracle never reveals this level of detail but the list is a good starting point. If you follow each CVE link you will find a page for each that often includes links to many other sources of information for each bug. Some link eventually to pages that include example exploits.

The Patch Impasse: Front line perspectives from enterprise IT

I was emailed a very interesting paper by Greg Ness of Bluelane the other day titled "The Patch Impasse: Front line perspectives from enterprise IT" and Greg has kindly allowed me to post it here in my blog. There are also similar papers available on the Blue Lane website.

This paper describes a survey of organisations during 2006 to understand the issues facing managers around the problems of whether to patch or not to patch. The paper starts with a profile of the respondents of the survey, it then goes on to talk about the demands of patching, the top concerns relating to patching, organisation concern about un-patched servers, records on patches for audits, downtime of critical servers when patching, high availability of business applications that rely on servers. The conclusion, I will leave you to read but I guess its obvious anyway.

This is an interesting paper for me as it shows what customers of packaged software solutions that do provide security patches think about the issues of patching.

An excellent post by Lucas about object chnages and RSS feeds

This is like heaven for me, a post about my favourite subjects together. I obviously mean Oracle security in the sense of object changes and I also mean the discussion of RSS feeds. I am also interested by website development and RSS, XML-RPC amongst othre things. I have just last week set up a perl script to automatically ping weblog directories from Greymatter.

Lucas has posted a very interesting paper on the Amis blog titled "Publishing Data Manipulation as an RSS Feed - using Oracle MOD_PLSQL and Flashback" that describes how the Oracle HTTP server, mod_plsql and PL/SQL can be used to generate an RSS feed of changes that have occured in the database.

This is quite an interesting idea and one that sounds quite useful to get the data where it is needed quickly. Having alerts sent straight to a newsreader is a good idea in principle. There are issues of course such as the need to have a HTTP server in the database and the security of the feed itself in terms of data leakage and also potential for alteration.

I talked about a similar subject when i worked at Pentest, that is the useof timestamps to detect changes in database structure. The paper was called "Have your objects been tampered with?"


Site was down due to power failure at the ISP

I noticed that my site went down this morning around 11 am. This is easy to see for me as i have my own site as the default page in IE on all the computers I use. The ISP has let me know that there was a major power failure at the data center. The site came back up around 3 GMT.

OraSRP open source SQL Trace profile tool

I saw a post today titled "Re: Event 10046 trace report makers" in my Oracle security forum, on the Oracle internals board. This was an interesting thread posted originally by Marcel-Jan about an open source Oracle profile tool that can be used to profile 10046 trace files. Someone then posted that the author Egor Starostin had closed the page and the source and tool were no longer available. His page says "Due to personal obligations, OraSRP project is closed.". Marcel-Jan has today posted a further note that he has found a free Linux version of oraSRP including source code at a page titled "SQL Trace Access and Analysis". The tool is written in Python and a binary version is also available.

The zip of the python source code is Egor's code but the Windows version is not available just the Linux one. I am not a python programmer but i guess it would not be too difficult to get it running on Windows as well as Linux, some python programmers will no doubt email me and tell me I am wrong!

This looks like a fine body of code and a useful tool, I will have a play when i get some free time...

David Litchfield has a new blog

I just got an email from David Litchfield to let me know about a new blog he has created. David had a blog a few months ago but it looks like he has started again with a new blog titled "David Litchfield's Weblog". There is one post on there so far about Oracle and the common criteria and David's comments on how Oracle 8.1.7 could possibly be compliant; its worth a read!

Oracle Internals: A good post by Doug about DUDE

I was browsing orablogs (my RSS feed is not being picked up anymore on there?) and saw Doug's post titled "DUDE, Where's My Data?" and went for a read as I immediately recognised the name DUDE, as being Kurt Van Meerbeeck's Java based DUL type tool. I have spoken of this tool previously here in the past and I have also had dicussions with Kurt over his tool in the past when he was developing it and had the privilege of testing an early version. Kurt is a great guy, very clever. Doug's post is interesting as it gives some backgound to DUDE and also shows a nice demo of it running.

An Oracle security blog from Oracle

I was made aware of a new Oracle security blog some time back in an email from Duncan and also seeing the blog announced by Justin on orablogs but have not had time to comment on it yet. This is a new Oracle security blog from within Oracle itself. The blog is called "The Oracle Global Product Security Blog". So far there have been just two posts, one from Darius Wiles announcing the April CPU and also telling who he is and the first post by John Heimann who manages Oracles security program management team. So far its mostly corporate stuff, dont expect news of bugs or vulnerabilities (I guess!) but its probably worth watching. I have added the feed to my Oracle blogs aggregator - Beware that the first visit to this page (if you are unlucky to be the first), takes around 30 seconds, after that the caching jumps in. It has to read all of the feeds first..:-(

Customers Wait for Oracle Security Patches

Customers Wait for Oracle Security Patches - By Ryan Naraine

"Just call it Oracle's May critical patch update.

Three weeks after the database server vendor announced the release of its April 2006 CPU, customers are still waiting for the several important fixes."


As i said yesterday, I talked about this very issue in this blog in a post titled "What is amazing is that a lot of CPU patches are not available until May!!" on the 18th of April, it seems like the news guys have just caught on to this issue!

Interesting thoughts on the Andrew Max blog about the recent 0-day view issue

I saw this post on the Andrew Max blog the other day and made a note to talk about it here. In his original post titled "Yet another security alert". This is a good summary of the recent 0-day exploit found, or rather exposed by Oracle with code relating to views. I won't elaborate too much!

The second post is quite an interesting read and is titled "Too late" and is where Andrew discusses his thoughts about his previous post and also the decision to remove it and to then put it back again!. What I find interesting is the speed of the internet in disseminating information, not just about security bugs and spreading it to the world. He originally quoted Alex's page on the same bug, Alex then updated his page with info from Andrew, Andrew removed his post and then decided he should put it back. Once security bugs get out there it is very difficult to remove them or the information spread by them. The only cure is a patch from Oracle, for which we all have to wait until the next CPU, or could it be longer if you do not happen to be on one of the core platforms where the patches are actually released on the CPU day!.

Oracle keeps many users waiting on April patches

Oracle keeps many users waiting on April patches - by Robert McMillan

"MAY 02, 2006 (IDG NEWS SERVICE) - Testing problems are forcing some Oracle Corp. users to wait a little longer than usual for the company's latest round of security patches, the first of which were released last month."

This is an interesting article but I did point some of this issue out in my blog on April 18th in a post titled "What is amazing is that a lot of CPU patches are not available until May!!".

Researcher: Oracle Needs To Patch 44 More Bugs

Researcher: Oracle Needs To Patch 44 More Bugs - By Gregg Keizer

"The bugs range in age from 12 days to two-and-a-half years, says a German security researcher, adding that Oracle plans to fix them, but won't say when.

A German security researcher said this weekend that Oracle products, particularly its flagship database, are vulnerable to 44 bugs, the oldest reported to the Redwood Shores, Calif. developer two-and-a-half years ago, the newest submitted 12 days ago."

Patched Oracle database 'still vulnerable'

Patched Oracle database 'still vulnerable' - Dawn Kawamoto

"The latest update for Oracle 10g Release 2 does not plug a hole that allows published attack code to run, according to a security researcher

Oracle's latest update fails to tackle a database flaw that has already been exploited, a security researcher has warned."


This report seems to suggests that simply revoking public execute privileges from the vulnerable package will suffice until a patch is available. This will not suffice if the package is avaialble via any other route. This could be because another user or role has execute privileges granted on the package or even if there are no execute privileges granted against the package it can still be vulnerable if it is called from another peice of PL/SQL from the same schema and the arguments are passed into the vulnerable package from the caller.

If access to another user who has the ability to grant the execute privileges back again could also prove to be an issue. If the dictionary accessibility parameter is incorrectly set a user with the EXECUTE ANY PROCEDURE privilege could also execute the package. If access to certain other SYS owned packages are available that allow code to be run as SYS then the exploit could also be used again.

The possibilities are very numerous for exploiting the issue and simply revoking PUBLIC execute privileges is often not enough to protect against vulnerabilities.

The only safe solution is to lobby Oracle to supply a fix.

Patched Oracle database 'still vulnerable'

Patched Oracle database 'still vulnerable' - Dawn Kawamoto

"The latest update for Oracle 10g Release 2 does not plug a hole that allows published attack code to run, according to a security researcher

Oracle's latest update fails to tackle a database flaw that has already been exploited, a security researcher has warned."


This report seems to suggests that simply revoking public execute privileges from the vulnerable package will suffice until a patch is available. This will not suffice if the package is avaialble via any other route. This could be because another user or role has execute privileges granted on the package or even if there are no execute privileges granted against the package it can still be vulnerable if it is called from another peice of PL/SQL from the same schema and the arguments are passed into the vulnerable package from the caller.

If access to another user who has the ability to grant the execute privileges back again could also prove to be an issue. If the dictionary accessibility parameter is incorrectly set a user with the EXECUTE ANY PROCEDURE privilege could also execute the package. If access to certain other SYS owned packages are available that allow code to be run as SYS then the exploit could also be used again.

The possibilities are very numerous for exploiting the issue and simply revoking PUBLIC execute privileges is often not enough to protect against vulnerabilities.

The only safe solution is to lobby Oracle to supply a fix.