Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-52265 | O112-C2-013600 | SV-66481r1_rule | Medium |
Description |
---|
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security), and time synchronous or challenge-response one-time authenticators. Replay attacks, if successfully used against a database account, could result in unfettered access to the database settings and data. A successful replay attack against a privileged database account could result in a complete compromise of the database. |
STIG | Date |
---|---|
Oracle Database 11.2g Security Technical Implementation Guide | 2015-03-26 |
Check Text ( C-54321r1_chk ) |
---|
Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether organization-defined replay-resistant authentication mechanisms for network access to privileged accounts exist. If these mechanisms do not exist, this is a finding. (Oracle Advanced Security Option (ASO) may be helpful in meeting this requirement. Notes on ASO Data Integrity follow.) Oracle Advanced Security comes into play on every connection when it is enabled. There is no distinction between privileged and non-privileged accounts. Encryption of network data provides data privacy so that unauthorized parties are not able to view plaintext data as it passes over the network. Oracle Advanced Security also provides protection against two forms of active attack Data modification attack An unauthorized party intercepting data in transit, altering it, and retransmitting it is a data modification attack. For example, intercepting a $100 bank deposit, changing the amount to $10,000, and retransmitting the higher amount is a data modification attack. Replay attack Repetitively retransmitting an entire set of valid data is a replay attack, such as intercepting a $100 bank withdrawal and retransmitting it ten times, thereby receiving $1,000. With Oracle Advanced Security we use Cipher Block Chaining (CBC). Cipher Block Chaining Is an encryption method that protects against block replay attacks by making the encryption of a cipher block dependent on all blocks that precede it; it is designed to make unauthorized decryption incrementally more difficult. Oracle Advanced Security employs outer cipher block chaining because it is more secure than inner cipher block chaining, with no material performance penalty. If the $ORACLE_HOME/network/admin/sqlnet.ora contains the following entries you are protected as ASO is installed. The following entries in the sqlnet.ora will be generated when ASO is installed. Oracle Advanced Security Network Data Integrity - #ASO Checksum sqlnet.crypto_checksum_server=requested sqlnet.crypto_checksum_client=requested sqlnet.crypto_checksum_types_server = (MD5) sqlnet.crypto_checksum_types_client = (MD5) |
Fix Text (F-57081r1_fix) |
---|
Configure DBMS, OS and/or enterprise-level authentication/access mechanism to utilize replay-resistant authentication mechanisms such as nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security), and time synchronous or challenge-response one-time authenticators. If appropriate, install Oracle Advanced Security Option to protect against replay mechanisms. |