Layer Seven Security

Security Researchers Expose a Dangerous Authentication Bypass in Oracle Databases

More than two-thirds of mid to large SAP customers in every industry run their SAP applications with Oracle databases. Oracle’s success is driven by compatibility and performance. Oracle 11.2 is certified for use with Unix, Linux and Windows-based SAP environments and provides features such as self-tuning, sophisticated partitioning and advanced data compression that give Oracle an edge over the competition including, in some cases, SAP’s own databases.

Oracle’s achilles heel is security. Earlier this year, the company released 78 patches to address vulnerabilities across its product range including MySQL and Oracle RDMBS. One in five of the vulnerabilities were classified as critical since they could be exploited remotely against firewalled, internal networks. Last month, Oracle issued a warning related to a major SQL injection vulnerability affecting some versions of its database servers. The CVE-2012-3132 exploit could enable attackers to gain administrative privileges in servers and therefore disclose, modify or remove data managed by such servers.

Oracle suffered another blow last week when researcher Esteban Fayo of AppSec Inc. successfully demonstrated a proof-of-concept attack against an Oracle database at the Ekoparty security conference using a stealth password cracking exploit. The exploit targets the Oracle login system through a cryptographic flaw in the hash used to encrypt passwords that are leaked in session keys generated by the database. The keys are sent to users during every logon attempt. Remote attackers can use an Oracle desktop client to establish a network connection with a database server. Once connected, they can attempt to authenticate against the server using a valid username. The server will return a session key to the attacker before the authentication process is complete. At this point, the attacker will close the connection and attempt to decrypt the hash using brute-force password cracking software. Short, non-complex passwords can be decrypted relatively quickly using a standard CPU. Since the hashes contain a random salt, attackers can’t use rainbow tables. However, they can use methods such as dictionary hybrid attacks for faster decryption. Also, since failed logon attempts are not recorded by the server, attackers can bypass controls that lock accounts after a certain number of failed access attempts.

A strong firewall policy that blocks remote access to databases may provide some defense against external attacks. However, it will not guard against internal threats including remote attackers with access to network resources inside corporate networks through malware or other methods. The vulnerability effects releases 1 and 2 of the Oracle database version 11g. Oracle has released a new authentication protocol for version 11.2. However, the company hasn’t patched the vulnerability in 11.1 nor released any plans to do so. Since older versions are not vulnerable to the exploit, SAP customers working with Oracle 11.1 should consider switching to authentication protocols used in versions such as 10g. Alternatively, they should consider removing 11g hashes. This will prompt the database to use hashes stored for earlier versions. Customers should also enforce requirements for alpha numeric passwords with a minimum of nine characters. Complex passwords are less susceptible to brute force attacks.