Some troubles — especially those happening only sporadically — are not so easy to shoot and call for a deeper understanding of the matter. In the following real-world example this means: SQL*Net Tracing and some knowledge about the inner workings of the server’s operating system, particularly random number generation.
This case was suited well to demonstrate an approach to trouble-shoot connections to Oracle databases.
Recently, I bought the Hypersecu HyperFIDO K5 Key to help me secure access to several websites and services with U2F (“Universal Two-Factor Authorization”).
This works fine and easy on Windows, but with Linux things get a little complicated: The key isn’t accessible to all users by default. This has to be activated using udev rules, which is widely documented on the web, but very often erroneous or outdated. Here’s what I found:
Oracle’s “Security Alert Advisory for CVE-2012-3132” issued a warning about an attack vector that once again was discovered by security expert David Litchfield. The vulnerability allows to execute SQL code with SYS privileges by using object names containing quotation marks, if the attacker
- has authorized access to the database,
- has CREATE TABLE and CREATE PROCEDURE privileges and
- is allowed to execute DBMS_STATS.
A fix for this issue was published in July 2012 but there’s also Oracle’s advisory on how to cope with the threat without patching the RDBMS. This recommendation, however, has implications when such a database is recovered or cloned: