Skip to content
PASSWORDS UNDER ASSAULT

Oracle Database suffers from “stealth password cracking vulnerability”

Weakness makes it trivial for attackers to crack Oracle Database user passwords.

Dan Goodin | 16

A weakness in an Oracle login system—used in the company's databases which grant access to sensitive information—makes it trivial for attackers to crack user passwords and gain entry without authorization, a researcher has warned.

The issue has been dubbed the "Oracle stealth password cracking vulnerability," by the researcher who discovered it, and the problem stems from a session key the Oracle Database 11g Releases 1 and 2 sends to users each time they attempt to log on, according to a report published Thursday by Threatpost. The key leaks information about a cryptographic hash used to obscure the plaintext password. The hash, in turn, can be cracked using off-the-shelf hardware, free software, and a variety of attack methods that have grown increasingly powerful over the past decade. Proof-of-concept code exploiting the weakness can crack an eight-character alphabetic password in about five hours using standard CPUs.

Ars Video

 

Oracle engineers have corrected the problem in Oracle Database version 12 of the authentication protocol, but they have no plans to fix it in version 11.1, security researcher Esteban Martinez Fayo told Threatpost. Even in version 12, the vulnerability isn't removed until an administrator changes the configuration of a server to use only the new version of the authentication system. Oracle representatives didn't respond to an e-mail seeking comment for this story.

There are no overt signs when an outsider has targeted the weakness, and attackers aren't required to have "man-in-the-middle" control of a network to exploit it. That's because the session key is sent whenever a remote user sends a few network packets or uses standard Oracle desktop software to contact the database server. All an attacker needs is a valid username on the system and a rudimentary background in password cracking.

The best way to prevent attacks that exploit the vulnerability is to install the patch and make the necessary configuration changes. Even those who continue to use vulnerable systems can take precautions that will go a long way. Passwords for all users should be randomly generated and contain a minimum of nine characters, although 13 or even 20 characters is better. The strategy here is to create a passcode that will take months or years to crack using brute-force methods, which systematically guess every possible combination of letters, numbers, and symbols.

More coverage of the Oracle Database weakness from Dark Reading is here.

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
16 Comments
Prev story
Next story