Researcher Warns of Oracle Database Security Flaw


Application Security, Inc. (AppSec) researcher Esteban Martinez Fayo recently demonstrated a significant Oracle database security flaw at the ekoparty Security Conference.

"The vulnerability ... is caused by a problem with the way the authentication protocol protects session keys when users try to log in," writes Threatpost's Dennis Fisher. "The first step in the authentication process when a client contacts the database server is for the server to send a session key back to the client, along with a salt. The vulnerability enables an attacker to link a specific session key with a specific password hash."

"Although Oracle closed the hole with the patch set, which introduced the new version 12 of the protocol in mid-2011, Fayo said that there has been no fix for versions 11.1 and 11.2 of the database because the update was never included in any of Oracle's regular 'critical patch updates,'" The H Security reports. "The researcher explained that unless administrators activate the new protocol manually, the database will continue to use the vulnerable version 11.2 protocol."
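The "activate the new protocol manually" step above is a sqlnet.ora setting on the database server. The following audit script is an added example written for this article, not code from the researcher or from Oracle: it assumes the documented Oracle parameter names SQLNET.ALLOWED_LOGON_VERSION (11g form) and SQLNET.ALLOWED_LOGON_VERSION_SERVER / _CLIENT (12c form), whose value is the minimum authentication protocol version the server or client will accept, and it uses two constructed sqlnet.ora files as input.

```python
import re

# Oracle sqlnet.ora keys that set the minimum accepted authentication protocol
# version (assumption: documented names; the first is the 11g spelling, the
# _SERVER/_CLIENT pair is the 12c spelling).
LOGON_VERSION_KEYS = (
    "SQLNET.ALLOWED_LOGON_VERSION",
    "SQLNET.ALLOWED_LOGON_VERSION_SERVER",
    "SQLNET.ALLOWED_LOGON_VERSION_CLIENT",
)
REQUIRED_MINIMUM = 12  # version 12 replaced the vulnerable 11.x key exchange

# Constructed sample files: one still permitting the 11g protocol, one not.
WEAK_SQLNET_ORA = """# constructed example, leaves the 11g exchange enabled
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ALLOWED_LOGON_VERSION = 11
"""
HARDENED_SQLNET_ORA = """# constructed example, requires protocol version 12
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12a  # 12a is stricter than plain 12
SQLNET.ALLOWED_LOGON_VERSION_CLIENT = 12
"""

def parse_sqlnet_ora(text):
    """Return {KEY: VALUE} for simple KEY = VALUE lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key.upper()] = value.strip("()\"'").upper()
    return params

def version_number(value):
    """'12A' -> 12, '11' -> 11; anything without a leading integer -> None."""
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None

def audit_logon_version(text):
    """Return (ok, findings): ok is False if any setting, or the absence of
    one, still lets the pre-12 authentication protocol be negotiated."""
    params = parse_sqlnet_ora(text)
    findings, ok, seen = [], True, False
    for key in LOGON_VERSION_KEYS:
        if key not in params:
            continue
        seen = True
        if (version_number(params[key]) or 0) < REQUIRED_MINIMUM:
            ok = False
            findings.append(f"{key}={params[key]}: pre-12 protocol still accepted")
        else:
            findings.append(f"{key}={params[key]}: ok")
    if not seen:
        ok = False
        findings.append("no ALLOWED_LOGON_VERSION set: server default applies, "
                        "verify it is not below 12")
    return ok, findings
```

Running `audit_logon_version` over each real sqlnet.ora on a server (and on clients, which must also speak version 12 once the server requires it) gives a quick inventory of which hosts still negotiate the weak exchange.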

"That leaves those database users at risk of what Martinez Fayo says is a fairly simple -- yet potentially devastating -- attack against the so-called stealth password cracking vulnerability," writes Dark Reading's Kelly Jackson Higgins.

"There are no overt signs when an outsider has targeted the weakness, and attackers aren't required to have 'man-in-the-middle' control of a network to exploit it," writes Ars Technica's Dan Goodin. "That's because the session key is sent whenever a remote user sends a few network packets or uses standard Oracle desktop software to contact the database server. All an attacker needs is a valid username on the system and a rudimentary background in password cracking."

"In lieu of a fix from Oracle, Fayo recommends several work-arounds," writes The Register's Neil McAllister. "One is to wrap database connections in some additional form of authentication, such as SSL or directory services. Another is to disable version 11.1 of the authentication protocol altogether and use an earlier version, such as 10g, which isn't vulnerable."

"This isn't the first time that security flaws have been found on Oracle databases," notes CNET News' Dara Kerr. "In January, the company squashed 78 software bugs in a major patch that stemmed from a flaw that allowed hackers into its databases remotely. And, just last month, new vulnerabilities that can be exploited to run arbitrary code were discovered in Oracle's latest Java 7 update."