05/11/2006: "Oracle and the Common Criteria"
Recently, I've been looking at the Common Criteria and wondering how Oracle 8.1.7 could've been rated at EAL4 given that there's a pre-authentication buffer overflow when a long username is supplied. Successful exploitation of this overflow defeats every security mechanism tested during the evaluation. It's not just the username overflow, though. What about all the PL/SQL injection flaws that allow a PUBLIC user to get SYS privs? A castle is no castle if the walls are made of sponge.
I know I'm not the first to complain about the CC, but this has to be one of its most spectacular failures.
Given what we know now there's no way, in my opinion, that it should've been passed. If there isn't one already, there should be a path to revoking the accreditation.
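The general shape of the bug class the post is talking about, as an added illustration that is not Oracle's code and says nothing about the internals of the actual 8.1.7 flaw: a pre-authentication login handler copies a client-supplied, length-prefixed username into a fixed-size buffer using the client's own length as the copy size. The wire format, the `login_ctx` structure and all function names below are assumptions made for the example. The unchecked parser overruns `username[]` before any password has been checked, so whatever sits after the buffer (here, the authentication flag; on a real server, saved registers or a return address) is corrupted by an unauthenticated peer. The checked parser bounds the declared length against both the destination capacity and the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-connection pre-authentication state (assumed layout for illustration). */
struct login_ctx {
    char username[32];   /* fixed-size copy of the client-supplied name */
    int  authenticated;  /* set only after the password check succeeds */
};

/* Constructed wire format for the login request (not a real protocol):
 *   byte 0     : username length n (0..255)
 *   bytes 1..n : username bytes, not NUL-terminated on the wire
 */

/* Vulnerable pattern: the length byte comes from the client and is used
 * as the copy size without comparing it to the destination buffer. A name
 * of 32 bytes or more overruns username[] and corrupts whatever follows
 * it in memory, before any credential has been verified. */
int parse_login_unchecked(struct login_ctx *ctx, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 1) return -1;
    size_t n = pkt[0];
    /* BUG: n is never checked against sizeof ctx->username or pkt_len */
    memcpy(ctx->username, pkt + 1, n);
    ctx->username[n] = '\0';   /* a second out-of-bounds write when n >= 32 */
    return 0;
}

/* Hardened version: bound the declared length by the bytes actually present
 * in the packet and by the destination capacity (leaving room for the NUL),
 * and reject rather than silently truncate, since truncation could change
 * which account the later password check applies to. */
int parse_login_checked(struct login_ctx *ctx, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 1) return -1;
    size_t n = pkt[0];
    if (n + 1 > pkt_len)               return -2; /* claims more bytes than were sent */
    if (n > sizeof ctx->username - 1)  return -3; /* would not fit with the NUL */
    memcpy(ctx->username, pkt + 1, n);
    ctx->username[n] = '\0';
    return 0;
}

/* Builds a login packet for a given name; constructed test input. */
size_t build_login(uint8_t *out, size_t out_cap, const char *name)
{
    size_t n = strlen(name);
    if (n > 255 || n + 1 > out_cap) return 0;
    out[0] = (uint8_t)n;
    memcpy(out + 1, name, n);
    return n + 1;
}

/* Runs the checked parser on a name of n 'A' characters and returns its code. */
int check_name_of_length(size_t n)
{
    struct login_ctx ctx = {{0}, 0};
    uint8_t pkt[300];
    char name[256];
    if (n > sizeof name - 1) n = sizeof name - 1;
    memset(name, 'A', n);
    name[n] = '\0';
    size_t len = build_login(pkt, sizeof pkt, name);
    return parse_login_checked(&ctx, pkt, len);
}

/* A packet whose length byte claims 10 bytes but only 5 follow it. */
int check_truncated_packet(void)
{
    struct login_ctx ctx = {{0}, 0};
    uint8_t pkt[6] = {10, 's', 'c', 'o', 't', 't'};
    return parse_login_checked(&ctx, pkt, sizeof pkt);
}

int main(void)
{
    printf("5-byte name:  %d\n", check_name_of_length(5));    /* accepted */
    printf("31-byte name: %d\n", check_name_of_length(31));   /* accepted */
    printf("32-byte name: %d\n", check_name_of_length(32));   /* rejected */
    printf("truncated:    %d\n", check_truncated_packet());   /* rejected */
    /* parse_login_unchecked() with a 63-byte name would write well past
       username[]; it is deliberately never called with such input here. */
    return 0;
}
```

The point the post makes follows directly from the layout: everything the evaluation tested (password checks, privilege separation, auditing) runs after this function returns, so an attacker who controls the copy length controls the process before any of it is reached.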