Esteban Martinez Fayo: Oracle Stealth Password Cracking Vulnerability

Yesterday Esteban Martinez Fayo, a security researcher at AppSec Inc., showed how passwords for Oracle databases could be brute-forced by an attacker who knows nothing more than the database name and a valid username. I think this is especially poor timing for Oracle considering the recent hoo-ha over vulnerabilities discovered in Java.

“It’s pretty simple. The attacker just needs to know a valid username in the database, and the database name. That’s it,”
Dark Reading

Esteban demonstrated his claim at a security conference in Argentina. He said that with a special tool he could crack weak passwords and gain access to the data in a matter of hours –

“The vulnerability exists in Oracle Database 11g Releases 1 and 2 and is caused by a problem with the way the authentication protocol protects session keys when users try to log in.”
ThreatPost

Fayo says that he and his team first notified Oracle of this problem back in May 2010 and that Oracle fixed it in 2011. The catch is that the fix went into a later release only; existing 11.1 and 11.2 installations did not receive it and therefore remain exposed to this type of attack. This isn't the first time that attackers have been able to get into Oracle databases remotely: over 70 bugs had to be patched back in January.

Fortunately there is a workaround, albeit not an ideal one, since it means falling back to an older authentication protocol. Fayo suggests,

“Disable the protocol in Version 11.1 and start using older versions like Version 10g. It is vital for organizations that deploy Oracle databases affected by these vulnerabilities to administer strong workarounds to prevent an attack.”

Will your business be impacted by this vulnerability?

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable both to IT professionals and to people just like you who need simple answers to their security questions.
