Oracle DB Security Issue: Anyone can login using SQL*PLUS, with any username, and any wrong passphrase

Tags: authentication, oracle, oracle-11g-r2, security, sqlplus

I'm using Oracle DB 11g-R2 on CentOS 6.4, and unfortunately there is a terrible issue freaking me out.

Anyone can login using SQL*PLUS, with any username, and any wrong passphrase.

Consider somebody logging in using SYS AS SYSDBA with a wrong passphrase and getting all the databases and tables he wants. Isn't that bad?

I know you may say that when somebody gets in physically, they can circumvent the rest; yes, indeed. But anyone who knows about this problem doesn't need to get in physically; they only need the IP address and the name of your DB to log in remotely, or to use a script to do what they need via SQL*PLUS.

Fortunately, anyone logging in with a wrong passphrase three times will be locked out the next time. But what is the benefit? Personally, as an attacker, I only need one time in someone's database to get all the things I need.

Does anybody know how I can fix this and why it is happening?

Best Answer

The OSDBA group (typically, dba)

You must create this group the first time you install Oracle Database software on the system. This group identifies operating system user accounts that have database administrative privileges (the SYSDBA privilege).

This is expected behavior, as you are logging into the Oracle Database from an OS user which belongs to the DBA OS group.

[oracle@localhost Desktop]$ sqlplus sys/abc as sysdba

SQL*Plus: Release 11.2.0.3.0 Production on Tue Nov 15 11:23:20 2016

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options


[oracle@localhost Desktop]$ groups
oinstall dba

[oracle@localhost Desktop]$ su joe

[joe@localhost oracle]$ sqlplus sys/abc as sysdba

SQL*Plus: Release 11.2.0.3.0 Production on Tue Nov 15 11:26:56 2016

Copyright (c) 1982, 2011, Oracle.  All rights reserved.

ERROR:
ORA-01031: insufficient privileges

Let's see which OS user group Joe belongs to.

[joe@localhost oracle]$ groups
joe

Here, the OS user Joe doesn't belong to the DBA OS user group, so he cannot log in to the database with a wrong password.

But anyone who knows about this problem doesn't need to get in physically; they only need the IP address and the name of your DB to log in remotely, or to use a script to do what they need via sqlplus.

No, this is not correct; this can be controlled by the remote_os_authent initialization parameter:

SQL> show parameter remote_os_authent

NAME                     TYPE    VALUE
------------------------------------ ----------- ------------------------------
remote_os_authent            boolean     FALSE

Setting this parameter to FALSE can prevent such a situation.

How should I unlock a user who got locked after three wrong attempts?

You can use the alter user username account unlock command as SYSDBA.
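Since the answer boils down to two controls, who is in the OSDBA group on the server and whether remote_os_authent is FALSE, here is an added audit helper that checks both. It is my own example, not code from either post: it assumes the OSDBA group is named dba (the usual choice, as the answer says) and that you have already pasted the SQL*Plus output of show parameter remote_os_authent into a variable or file. The group file and SQL*Plus output below are constructed samples so the script runs offline; on a real host you would feed it /etc/group and the live sqlplus output instead.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the OSDBA group is
# called "dba"; adjust the group name argument if your install differs.

# Constructed sample of /etc/group: oracle and joe are both in "dba".
SAMPLE_GROUP_FILE='root:x:0:
oinstall:x:54321:oracle
dba:x:54322:oracle,joe
joe:x:1001:'

# Constructed sample of SQL*Plus "show parameter remote_os_authent" output.
SAMPLE_SQLPLUS_OUTPUT='NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_os_authent                    boolean     FALSE'

# Print the supplementary members of a group, space separated, reading
# /etc/group-formatted text on stdin.  Usage: osdba_members dba < /etc/group
osdba_members() {
    awk -F: -v g="$1" '$1 == g { gsub(",", " ", $4); print $4 }'
}

# Print every member of the OSDBA group that is NOT in the allowlist
# (second argument, space separated).  Returns 1 if any were found.
# Caveat: an account whose *primary* GID is the dba group is not listed in
# /etc/group's member field; check /etc/passwd (or `id -nG user`) for those.
unexpected_osdba_members() {
    group="$1"; allow=" $2 "; found=0
    for m in $(osdba_members "$group"); do
        case "$allow" in
            *" $m "*) ;;                 # expected DBA account
            *) echo "$m"; found=1 ;;     # can log in as SYSDBA with any password
        esac
    done
    return $found
}

# Return 0 only if the captured "show parameter" output (stdin) reports
# remote_os_authent = FALSE; anything else (TRUE, missing) returns 1.
remote_os_authent_is_false() {
    awk 'tolower($1) == "remote_os_authent" && toupper($3) == "FALSE" { ok = 1 }
         END { if (ok) exit 0; exit 1 }'
}

# Demonstration with the constructed samples: joe is reported as unexpected,
# and the parameter check passes.
if printf '%s\n' "$SAMPLE_GROUP_FILE" | unexpected_osdba_members dba "oracle"; then
    echo "OSDBA group contains only expected accounts"
else
    echo "^ unexpected OSDBA members found (they bypass password checks locally)"
fi

if printf '%s\n' "$SAMPLE_SQLPLUS_OUTPUT" | remote_os_authent_is_false; then
    echo "remote_os_authent is FALSE: OS authentication is not honoured remotely"
else
    echo "remote_os_authent is not FALSE: remote OS-authenticated logins possible"
fi
```

On a real server, replace the samples with `unexpected_osdba_members dba "oracle" < /etc/group` and pipe `echo "show parameter remote_os_authent" | sqlplus -S / as sysdba` into the second function; anyone the first function prints can open a SYSDBA session locally regardless of the password they type, which is exactly the behaviour the question describes.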