Security Experts:

Oracle Authentication Vulnerability Enables Trivial Password Cracking

A security researcher from Application Security, Inc. (AppSec) has discovered a flaw in Oracle’s software that would allow an attacker to crack database passwords with basic brute-force attacks. Details of the attack were discussed on Thursday at the Ekoparty conference in Argentina.

Esteban Martinez Fayó, the researcher who discovered the issues, reported the problems with the authentication protocol to Oracle last year. However, when a new version of the protocol was released by the database giant, version 12, the older versions were left untouched. Thus, customers running version 11.1 or older – even after applying the patch released by Oracle – remain vulnerable.

Oracle Authentication Vulnerability“The Oracle stealth password cracking vulnerability is a critical one. There are many components to affirm this: It is easy to exploit, it doesn’t leave any trace in the database server and it resides in an essential component of the logon protocol,” Martinez Fayó said in an interview with ThreatPost.

“It is very simple to exploit. The attacker just needs to send a few network packets or use a standard Oracle client to get a Session Key and Salt for a particular user. Then, an attack similar to that of cracking SHA-1 password hash can be performed. I developed a proof-of-concept tool that shows that it is possible to crack an 8 characters long lower case alphabetic password in approximately 5 hours using standard CPUs.”

Administrators can protect themselves, he added, by requiring external authentication, or disabling version 11 of the authentication protocol on the server’s config files. It’s important to note, that while mitigations are easily available, if they are not taken, then the issue remains a serious risk to an organizations data.

Anyone with a network connection can pull off this attack, and there is no need for privileges on the network. Additional information will be made available from AppSec in October.

Related: Oracle Steps Up – Delivers Emergency Java Patch to Fix Recent Security Flaws

Related: Many Concerned Over Oracle's Response to Security Vulnerabilities

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.