The Inquirer-Home

Security flaw is found in older version of Oracle databases

Exposes customer passwords
Fri Sep 21 2012, 16:25
Oracle logo

A CRITICAL SECURITY FLAW that exposes customer passwords to hackers has been found in an older version of enterpirse vendor Oracle's database software.

Discovered by security researcher Esteban Martinez Fayo, the vulnerability means that hackers can crack simple passwords stored on the database in as little as five hours.

Kaspersky researcher David Emm told The INQUIRER that in order to get the passwords, criminals would need to mount a brute force attack.

"Data sent by the server during the login authentication process, i.e., the session key and the salt, is enough to allow an attacker to use a brute-force attack by trying lots of passwords until the correct one is found," he said.

"This tactic is used to obtain a valid password and get access to the database."

Oracle reportedly fixed the bug in version 12 of the authentication protocol, but currently has no plans to apply the fix to its still widely used version 11.1 protocol.

Emm warned that without the patch hackers will continue to target companies that are still using the database software that has the vulnerability.

"Cybercriminals use vulnerabilities of all kinds to get access to corporate systems, especially in applications that are widely-used. So it's vital that administrators take steps to reduce their exposure to attacks," he said.

"In this case, it means using the version of the authentication protocol provided by Oracle to fix the problem and making the necessary configuration changes to only allow new versions of this protocol."

Emm offered the advice that system administrators should enforce the use of strong passwords using alphanumeric plus special characters, so that even on vulnerable systems it will take an attacker a long time to crack a password. µ

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Microsoft's Windows 10 Preview has permission to watch your every move

Does Microsoft have the right to keylog users of its Windows 10 Technical Preview?