I'm using Oracle DB 11g-R2 on CentOS 6.4, and unfortunately there is a terrible issue freaking me out.
Anyone can log in using SQL*PLUS, with any username and any wrong passphrase.
Consider somebody logging in using SYS AS SYSDBA with a wrong passphrase and getting all the databases and tables he wants. Isn't that bad?
I know you may say that when somebody gets in physically, they can circumvent the rest; yes indeed. But anyone who knows about this problem doesn't need to get in physically; they will only need the IP address and the name of your DB to log in remotely, or to use a script to do what they need through SQL*PLUS.
Fortunately, anyone logging in with a wrong passphrase three times will be locked out afterwards. But what is the benefit? Personally, as an attacker, I only need to be in someone's database once to get everything I need.
Does anybody know how I can fix this and why it is happening?
Best Answer
This is expected behavior, as you are logging into the Oracle Database from an OS user which belongs to the DBA OS group. Let's see which OS user group Joe belongs to. Here, the OS user Joe doesn't belong to the DBA OS user group, so he cannot log in to the database with a wrong password.

No, this is not correct; this can be controlled by the remote_os_authent initialization parameter. Setting this parameter to FALSE can prevent such a situation.

You can use the alter user username account unlock command as SYSDBA.
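The answer above hinges on which OS accounts are in the OSDBA group ("dba" here), since those accounts can connect as SYSDBA without a database password. The following is an added example, not part of the question or the answer: a POSIX shell audit that lists every account in that group, counting both supplementary members from the /etc/group member list and accounts whose primary group in /etc/passwd is the dba group. The group and passwd contents are constructed sample data so the script runs anywhere; the group name "dba" and the user names are assumptions.

```shell
#!/bin/sh
# Audit which OS accounts belong to the OSDBA group (named "dba" here, as in the
# answer above). Any of these accounts can connect locally with "/ AS SYSDBA"
# without a database password, so the list should be short and deliberate.
#
# Constructed sample /etc/group and /etc/passwd contents (not from a real host).
# On a database server, pass "$(cat /etc/group)" and "$(cat /etc/passwd)" instead.
SAMPLE_GROUP='root:x:0:
dba:x:501:alice,bob
oinstall:x:502:oracle
users:x:100:'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
oracle:x:500:501:Oracle owner:/home/oracle:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
joe:x:1003:100:Joe:/home/joe:/bin/bash'

# osdba_members GROUP_CONTENT PASSWD_CONTENT GROUPNAME
# Prints every account that is in GROUPNAME, either as a supplementary member
# (the comma list in the 4th field of /etc/group) or because GROUPNAME is the
# account's primary group (the gid in the 4th field of /etc/passwd).
# Output is one account per line, sorted and de-duplicated.
# Returns 1 if the group does not exist at all.
osdba_members() {
    group_content=$1; passwd_content=$2; gname=$3
    gid=$(printf '%s\n' "$group_content" | awk -F: -v g="$gname" '$1 == g { print $3 }')
    [ -n "$gid" ] || return 1
    {
        # supplementary members listed directly on the group line
        printf '%s\n' "$group_content" | awk -F: -v g="$gname" \
            '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
        # accounts whose primary group is the OSDBA group (easy to overlook)
        printf '%s\n' "$passwd_content" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sort -u
}

# is_osdba GROUP_CONTENT PASSWD_CONTENT GROUPNAME USER
# Exit status 0 if USER can use OS authentication through GROUPNAME, 1 otherwise.
is_osdba() {
    osdba_members "$1" "$2" "$3" | grep -qx "$4"
}

# Stand-alone run: list the OSDBA members, then check the "Joe" case from the answer.
echo "Accounts in the dba group:"
osdba_members "$SAMPLE_GROUP" "$SAMPLE_PASSWD" dba
if is_osdba "$SAMPLE_GROUP" "$SAMPLE_PASSWD" dba joe; then
    echo "joe: can connect / AS SYSDBA without a database password"
else
    echo "joe: must supply a valid database password"
fi
```

In the sample data, oracle is in the group only through its primary gid, so a check that reads the member list of /etc/group alone would miss it; that is the reason the script consults both files. Run against a real host, the output is the set of accounts whose OS login strength, not their Oracle password, protects SYSDBA access.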