A recently patched Oracle 12 database vulnerability, which exposed a flaw in the authentication process, allowed hackers to link a particular password hash with a session key. Oracle didn't patch the issue in version 11.1, which is the version in use at my organization. How much danger does this pose for enterprises? Do you have any tips for dealing with this vulnerability for version 11.1 users?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
This vulnerability was identified by Application Security Inc.'s TeamSHATTER Researcher Esteban Martinez Fayo. The vulnerability, which exists in the Oracle database authentication protocol, allows an attacker to capture a hashed password so it can be cracked to gain access to the database. Oracle fixed this vulnerability by changing the authentication protocol, but decided to not backport the fix and protocol update to earlier versions. This is fairly common when a fix makes major changes to a protocol, because the fix could break backward compatibility. As mentioned in its patch announcement, Oracle, like any major software vendor, has a technical support lifecycle, where older versions cease to receive support so that they can focus their resources on newer products. Even after applying the update, database administrators (DBAs) still need to change the authentication protocol version in use, because the vulnerable protocol is set as the default.
The first step to protecting the Oracle database authentication process from this vulnerability is to not directly place a database on the internet or allow direct external access to any database, thereby limiting where an attack can originate. DBAs should also stay as close to the most recent database version as possible, because that is where most of the database provider's resources are devoted. There are database firewalls that could protect against attacks trying to lower the protocol to a vulnerable version, but the vulnerability is part of a core component of the authentication protocol, so stopping an attack may be difficult. DBAs could also change the database to use external authentication to prevent the vulnerable protocol from being used. Another option could be for enterprises to require VPN connections to their Oracle databases when client systems are on networks where their network traffic might be captured. The VPN would prevent an attacker from capturing the password hash.
This was first published in February 2013