A security researcher from Application Security, Inc. (AppSec) has discovered a flaw in Oracle’s software that would allow an attacker to crack database passwords with basic brute-force attacks. Details of the attack were discussed on Thursday at the Ekoparty conference in Argentina.
Esteban Martinez Fayó, the researcher who discovered the issues, reported the problems with the authentication protocol to Oracle last year. However, when a new version of the protocol was released by the database giant, version 12, the older versions were left untouched. Thus, customers running version 11.1 or older – even after applying the patch released by Oracle – remain vulnerable.
“It is very simple to exploit. The attacker just needs to send a few network packets or use a standard Oracle client to get a Session Key and Salt for a particular user. Then, an attack similar to that of cracking SHA-1 password hash can be performed. I developed a proof-of-concept tool that shows that it is possible to crack an 8 characters long lower case alphabetic password in approximately 5 hours using standard CPUs.”
Administrators can protect themselves, he added, by requiring external authentication, or disabling version 11 of the authentication protocol on the server’s config files. It’s important to note, that while mitigations are easily available, if they are not taken, then the issue remains a serious risk to an organizations data.
Anyone with a network connection can pull off this attack, and there is no need for privileges on the network. Additional information will be made available from AppSec in October.
Related: Oracle Steps Up – Delivers Emergency Java Patch to Fix Recent Security Flaws
Related: Many Concerned Over Oracle’s Response to Security Vulnerabilities