000016168 - RKM appliance showing Oracle vulnerability after scan

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000016168

Applies To:
RSA Key Manager Appliance 2.5.0.2
RSA Key Manager Appliance
Oracle Database

Issue: RKM appliance showing Oracle vulnerability after scan

CVE-2008-6065 - Oracle Database Server CREATE ANY DIRECTORY Privilege Escalation Vulnerability

Security is conducting vulnerability scans in their PCI network (for the PCI audit). All 4 RKM appliances came up with this vulnerability: Oracle Database Server CREATE ANY DIRECTORY Privilege Escalation Vulnerability - CVE-2008-6065 - Risk Medium

Oracle Database Server 10.1, 10.2, and 11g grants directory WRITE permissions for arbitrary pathnames that are aliased in a CREATE OR REPLACE DIRECTORY statement, which allows remote authenticated users with CREATE ANY DIRECTORY privileges to gain SYSDBA privileges by aliasing the pathname of the password directory, and then overwriting the password file through UTL_FILE operations, a related issue to CVE-2006-7141.

Ref: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6065
Resolution

Analysis:

The following users are created during the RKM Appliance initialization process:

USER           ROLE
-------------  -------
STRMADMIN      DBA
CT_OWNER       DBA
CT_ADMIN       NON_DBA
CT_USER        NON_DBA
LOCAL          NON_DBA

STRMADMIN and CT_OWNER have the DBA role; the other users are low-privileged users.

- Checked on the 2.5.0.x and 2.7.x versions: the NON_DBA users listed above do not have the CREATE ANY DIRECTORY privilege.

- Only users granted the DBA or IMP_FULL_DATABASE role have the CREATE ANY DIRECTORY privilege.

Query to find out which users have the CREATE ANY DIRECTORY privilege:

SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS where GRANTED_ROLE IN (SELECT ROLE FROM ROLE_SYS_PRIVS WHERE PRIVILEGE = 'CREATE ANY DIRECTORY');

Result:

SQL> SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS where GRANTED_ROLE IN (SELECT ROLE FROM ROLE_SYS_PRIVS WHERE PRIVILEGE = 'CREATE ANY DIRECTORY');

GRANTEE                        GRANTED_ROLE
------------------------------ ------------------------------
CT_OWNER                       DBA
SYS                            IMP_FULL_DATABASE
SYS                            DBA
SYSMAN                         DBA
STRMADMIN                      DBA
SYSTEM                         DBA
DBA                            IMP_FULL_DATABASE

Conclusion:

Based on the above query results, only users holding the DBA role have the CREATE ANY DIRECTORY privilege.
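The article's query reports only roles that carry the privilege themselves and the grantees of those roles. As an added audit query (not from the RSA article), the following also catches CREATE ANY DIRECTORY granted directly to a user and roles nested inside other roles, so the result can be compared against the appliance's expected user list above. It assumes a DBA session on Oracle 10g or later and uses only the standard DBA_SYS_PRIVS and DBA_ROLE_PRIVS dictionary views.

```sql
-- Added audit query (not part of the RSA article). Run as SYS or a DBA
-- user in SQL*Plus. Each row is one way a grantee obtains the privilege:
--   via = 'DIRECT'                     : granted straight to the user/role
--   via = 'ROLE_A -> ROLE_B -> GRANTEE': flows down a chain of roles
-- Any grantee outside the appliance's documented DBA users warrants review.
SELECT grantee,
       'DIRECT' AS via
  FROM dba_sys_privs
 WHERE privilege = 'CREATE ANY DIRECTORY'
UNION
SELECT grantee,
       -- Root role that holds the privilege, then every grantee down
       -- the chain (role -> role -> user), e.g. IMP_FULL_DATABASE -> DBA -> SYS
       CONNECT_BY_ROOT granted_role
         || SYS_CONNECT_BY_PATH(grantee, ' -> ') AS via
  FROM dba_role_privs
 START WITH granted_role IN (SELECT grantee
                               FROM dba_sys_privs
                              WHERE privilege = 'CREATE ANY DIRECTORY')
CONNECT BY NOCYCLE PRIOR grantee = granted_role
 ORDER BY 1, 2;
```

Grantees returned by this query that are roles rather than users (check DBA_ROLES) matter only through the users they are ultimately granted to, which the role-chain rows already enumerate.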

Notes: KMA-2632

Legacy Article ID: a57666
