Spoofing Oracle Session Information

Oracle Database session information includes database user name, operating system user name, host, terminal, IP address, module, program, timestamps, session ID, and other details. These values are critical to auditing and identifying the actual end-user. Many of the database session values can be “spoofed” by an attacker either to mask their true identity or to circumvent security and auditing measures.  It should come as no shock to anyone that many of these values can be spoofed since this fact has been widely discussed for years.

Even though experienced database administrators know about the ability to spoof these session values, Integrigy security consultants consistently find programs and applications relying on “spoofable” session information within database logon triggers and in database auditing. With the emphasis on auditing in recent years due to legislative requirements, we are actually seeing this issue much more often now than three years ago. This is an auditing implementation issue found especially in large complex ERP or CRM implementations where auditing has been configured to satisfy Sarbanes-Oxley (SOX), HIPAA, Payment Card Industry Data Security Standard (PCI DSS), or other legislative and regulatory requirements. Due to the complexity of an application and large transaction volume, often some level of filtering must be enabled to sift through the enormous amount of audit data generated. In many cases, the filtering is applied to differentiate between normal transaction processing and anomalous transactions by either an attacker or a privileged user (i.e., Super User or DBA) when auditing has been enabled due to SOX requirements.

To address this issue we have published a new whitepaper which is a comprehensive examination of the key database session elements and the ability to spoof these values – there is neither new information nor new security vulnerabilities discussed in this paper. Much of the information has been previously discussed to some extent in Oracle-related security mailing lists and other forums. The goal of the paper is to build awareness of this issue since Integrigy consultants performing security assessments consistently see absolute reliance on “spoofable” values in auditing and security solutions.

The paper looks at four common stores and uses of database session information related to security and auditing: (1) V$SESSION view, (2) SYS_CONTEXT function, (3) Database Session Auditing, and (4) Fine Grained Auditing (FGA). The V$SESSION view contains one row per current database session. The SYS_CONTEXT function returns information regarding the current database session and is often used with database logon triggers. Database session auditing (AUDIT SESSION;) records all database logons and logoffs. Fine Grained Auditing is used to audit SQL statements executed for specific database objects and can be configured based on columns or other criteria.

Whitepaper: Spoofing Oracle Session Information