From Oracle Database 12c Security Technical Implementation Guide
Part of SRG-APP-000156-DB-000111
Associated with: CCI-000774
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether organization-defined replay-resistant authentication mechanisms for network access to privileged accounts exist. If these mechanisms do not exist, this is a finding.

To check that network encryption is enabled and using site-specified encryption procedures, look in SQLNET.ORA, located at $ORACLE_HOME/network/admin/sqlnet.ora. (Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.)

If encryption is set, entries like the following will be present:

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA384)
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA384)
SQLNET.ENCRYPTION_TYPES_CLIENT= (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = requested

(The values assigned to the parameters may be different, the combination of parameters may be different, and not all of the example parameters will necessarily exist in the file.)
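The sqlnet.ora review above can be scripted. This added example, which is not part of the STIG or of any Oracle tool, parses sqlnet.ora text and lists each parameter that is absent or differs from a site-specified setting. The sample file contents and the SITE_POLICY values are constructed for illustration and must be replaced with the site's own.

```python
import re

def parse_sqlnet(text):
    """Return {UPPERCASE_NAME: [UPPERCASE values]} for every SQLNET.* entry."""
    logical = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        # A line that starts with whitespace continues the previous entry.
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    entries = {}
    for entry in logical:
        name, sep, value = entry.partition("=")
        if not sep or not name.strip().upper().startswith("SQLNET."):
            continue
        # Values are either a bare word or a parenthesised, comma-separated list.
        values = [v.upper() for v in re.split(r"[\s,()]+", value) if v]
        entries[name.strip().upper()] = values
    return entries

def deviations(entries, site_policy):
    """List each site-specified parameter that is absent or set differently."""
    out = []
    for name, wanted in site_policy.items():
        have = entries.get(name.upper())
        if have is None:
            out.append(f"{name}: not set")
        elif have != [w.upper() for w in wanted]:
            out.append(f"{name}: {have} (site policy: {wanted})")
    return out

# Constructed sample file and constructed site policy (assumptions, not from the STIG).
SAMPLE = """\
# constructed sample sqlnet.ora
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA384)
sqlnet.encryption_types_server =
    (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = requested
"""
SITE_POLICY = {
    "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER": ["SHA384"],
    "SQLNET.ENCRYPTION_TYPES_SERVER": ["AES256"],
    "SQLNET.CRYPTO_CHECKSUM_SERVER": ["required"],
    "SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT": ["SHA384"],
}

if __name__ == "__main__":
    print("\n".join(deviations(parse_sqlnet(SAMPLE), SITE_POLICY)))
```

To review a real file, pass its contents to parse_sqlnet() in place of SAMPLE; any line reported by deviations() is a setting to compare against the site-specified encryption procedures.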
Configure DBMS, OS and/or enterprise-level authentication/access mechanism to utilize replay-resistant authentication mechanisms such as nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security), and time synchronous or challenge-response one-time authenticators. If appropriate, apply Oracle Data Network Encryption to protect against replay mechanisms.