Feeds

Critical flaw exposes Oracle database passwords

Vuln leaves barn door open to brute-force attacks

Internet Security Threat Report 2014

A security researcher says some versions of the Oracle database contain a vulnerability so serious that anyone with access to the server over a network can crack database passwords using a basic brute-force attack, given nothing more than the name of the database and a valid username.

"This is a critical issue because it's very easy to exploit, and it doesn't require any privileges," AppSec's Esteban Martinez Fayó said in an interview with Dark Reading.

According to a report issued on Thursday by Kaspersky Labs' Threatpost, the vulnerability stems from a fundamental flaw in the logon authentication protocol used by Oracle Database 11g Releases 1 and 2.

Normally, Oracle databases maintain connections with clients by issuing each a unique value known as a Session Key. But affected versions of Oracle 11g send the Session Key before the user is fully authenticated. As a result, an attacker can send a username, receive a Session Key, then hang up the connection and use the Session Key to guess the user's password.

"The attacker can perform a brute force attack on the Session Key by trying millions of passwords per second until the correct one is found," Fayó said, adding, "This is very similar to a SHA-1 password hash cracking."

According to Fayó, he and his team first alerted Oracle to the bug in May 2010. It was fixed in mid-2011, he says, but the patch was not included in a Critical Patch Update, and it only solved the problem by issuing a new, incompatible version of the authentication protocol, version 12.

Even when the patch is applied to a database, it will still use version 11.1 of the protocol by default. To get up and running with version 12, database servers and clients must both be patched, which means a large number of organizations are still using version 11.1 – and are therefore still vulnerable.

According to Fayó, Oracle currently has no plans to patch version 11.1 of the protocol to fix the flaw, and they aren't doing much to help customers migrate to version 12, either.

"The only comment from them was a paragraph about a new protocol fixing some security issues," he said. "They haven't said anything that made people aware to update the database and all of the database clients."

Mind you, brute-force attacks are not the easiest way to crack a password, since they essentially involve exhausting every possible combination of characters until the right combination is found. And Fayó says advanced cracking techniques, such as rainbow tables, can't be used to exploit this vulnerability, because of the way Oracle's cryptography is designed.

Still, he says, GPU acceleration and hybrid dictionary attacks can speed up the process of guessing passwords considerably, and Fayó has developed a proof-of-concept attack that can crack eight-character Oracle passwords in around five hours using standard CPUs.

In lieu of a fix from Oracle, Fayó recommends several work-arounds. One is to wrap database connections in some additional form of authentication, such as SSL or directory services. Another is to disable version 11.1 of the authentication protocol altogether and use an earlier version, such as 10g, which isn't vulnerable. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.