Researchers are reporting an Oracle authentication flaw that allows outside attackers and internal users the ability to brut-force crack passwords. Emerged over at Dark Reading, it is reported that the flaw would be demonstrated today at the Ekoparty security conference in Buenos Aires.
Martinez Fayo and his team first reported the bugs to Oracle in May 2010. Oracle fixed it in mid-2011 via the 18.104.22.168 patch set, issuing a new version of the protocol. “But they never fixed the current version, so the current 11.1 and 11.2 versions are still vulnerable,” Martinez Fayo says, and Oracle has no plans to fix the flaws for version 11.1.
The problems start when the Salt is returned during the authentication process, where it can then be brute-force cracked. It apparently has been fixed in some versions of the database, but not all. Regarding the attack Fayo states:
“fairly simple — yet potentially devastating — attack against the so-called stealth password cracking vulnerability. “It’s pretty simple. The attacker just needs to know a valid username in the database, and the database name. That’s it,”
The process doesn’t even require man-in-the-middle methodology, and requires no privileges. Anyone with a connection to the database can execute the attack. Recommendations right now revolve utilizing workarounds:
There are workarounds: “Disable the protocol in Version 11.1 and start using older versions like Version 10g, which [contains an older protocol that] is not vulnerable,” AppSec’s Martinez Fayo says.
Other options: employing external authentication via SSL or directory services, for example; resetting the SEC_CASE_SENSITIVE_LOGON initialization parameter to FALSE; and removing 11g hashes so the database will default to 10g hashes.
Needless to say, with such an easily exploitable flaw and a very wide base of deployment, this is a very serious and dangerous vulnerability. In addition to being relatively easy to exploit, it executes within the logon protocol, and leaves no trace or evidence behind.