Updated Monday, Oct. 31, with a statement from Oracle.
By making their findings public, two researchers hope to pressure Oracle Corp. into fixing flaws in its password-hashing algorithm. The vulnerabilities could be exploited for brute-force and dictionary attacks, and they said the database giant has known about them since July.
Until the security holes are fixed, they said there are steps IT administrators can take to protect their databases.
"We reported this to Oracle July 12 and they said they'd review our findings and get back to us," said Joshua Wright, deputy director of training at the Bethesda, Md.-based SANS Institute and a handler for its Internet Storm Center (ISC). "We haven't heard back from them. By releasing details, my hope is that it'll motivate them to come up with a better solution to what's in place now."
The details are outlined in an 11-page report the SANS Institute released Thursday. According to Wright and Carlos Cid, a researcher with the Information Security Group at Royal Holloway, University of London, there are three problems:
The algorithm converts all the characters in a password to uppercase before hashing. Wright said this is damaging because case-folding collapses every mixed-case spelling of a password into one candidate, so an attacker only has to try the all-caps form and the space a brute-force attack must search shrinks. "When someone tries a brute force attack they try every type of password they can come up with," Wright said. "If you don't have to mix upper and lower case characters and you can just use all caps, you can do damage more quickly."
There's not enough salt. The report notes that each password hash should be modified by a random string of data known as salt. If it's long enough and random, salt blocks pre-computed dictionary attacks since "it becomes impractical" for the attacker "to compute a large table of hashes corresponding to possible passwords and salt values in advance." But according to Wright, the only salt in Oracle's set-up is the username, which is neither random nor unique across installations. "The attacker can pick one user name, pre-compute all the tables and once they're done they can use it on every Oracle database in the world," he said.
Oracle's process of converting plaintext passwords into stored hashes is too fast. Since the number of guesses an attacker can test per second is what decides whether a brute-force attack is practical, Wright said it's better to have a deliberately slower conversion. The report adds that, "A slow one-way algorithm will not noticeably increase the cost of one operation… but it should substantially increase the task of mounting an exhaustive search attack."
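As an added example (not code from the SANS report, from Wright and Cid, or from Oracle), the Python below reproduces the structure of all three problems side by side. It uses SHA-256 and PBKDF2 from hashlib as stand-ins for Oracle's DES-based function, because the weaknesses lie in the scheme around the hash rather than in the primitive itself; the usernames, passwords, alphabet and three-character password length are constructed so that the precomputed table builds in a fraction of a second.

```python
# Added illustration, not code from the SANS report or from Oracle. SHA-256 and
# PBKDF2 stand in for Oracle's DES-based function: the weaknesses shown here are
# in the scheme around the hash (case folding, username-only salt, speed).
import hashlib
import itertools
import os
import string
import time

# Constructed sample parameters: a small alphabet and short length so the
# precomputed table builds quickly (36**3 = 46656 entries).
ALPHABET = string.ascii_uppercase + string.digits
PASSWORD_LENGTH = 3


def legacy_style_hash(username: str, password: str) -> str:
    """Mirror the legacy scheme's structure: uppercase everything, use only the
    username as 'salt', and apply one fast hash pass."""
    data = (username.upper() + password.upper()).encode("utf-8")
    return hashlib.sha256(data).hexdigest().upper()


def hardened_hash(salt: bytes, password: str, iterations: int = 100_000) -> str:
    """Case-preserving, random per-account salt, deliberately slow (PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_table(username: str, alphabet: str = ALPHABET, length: int = PASSWORD_LENGTH) -> dict:
    """Precompute hash -> password for one username. Because the username is the
    only salt, the table is built once and reused against every database that
    has an account with that name. Case folding means only all-caps candidates
    are needed; they cover every mixed-case spelling as well."""
    table = {}
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        table[legacy_style_hash(username, candidate)] = candidate
    return table


def crack_with_table(table: dict, stored_hash: str):
    """Return the (case-folded) password if the stored hash is in the table, else None."""
    return table.get(stored_hash)


def hashes_per_second(func, n: int) -> float:
    """Raw throughput of a zero-argument hashing callable."""
    start = time.perf_counter()
    for _ in range(n):
        func()
    return n / (time.perf_counter() - start)


def demo() -> dict:
    # Problem 1: case folding. Two differently cased passwords hash identically.
    case_fold_collides = legacy_style_hash("SYSTEM", "Ab9") == legacy_style_hash("system", "aB9")

    # Problem 2: username-only salt. One table built for "SYSTEM" cracks the
    # SYSTEM account of two unrelated (constructed) databases, but says nothing
    # about an account with a different name.
    table = build_table("SYSTEM")
    db1_system = legacy_style_hash("SYSTEM", "xq7")  # constructed stored hash, database 1
    db2_system = legacy_style_hash("SYSTEM", "M3z")  # constructed stored hash, database 2
    scott = legacy_style_hash("SCOTT", "xq7")        # constructed stored hash, other account
    cracked = (
        crack_with_table(table, db1_system),
        crack_with_table(table, db2_system),
        crack_with_table(table, scott),
    )

    # With a random per-account salt the same password yields unrelated hashes,
    # so no table computed in advance applies to more than one account.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    per_account_salt_differs = hardened_hash(salt_a, "xq7") != hardened_hash(salt_b, "xq7")

    # Problem 3: speed. Guesses per second for the fast scheme vs. the slow one.
    fast_rate = hashes_per_second(lambda: legacy_style_hash("SYSTEM", "xq7"), 20_000)
    slow_rate = hashes_per_second(lambda: hardened_hash(salt_a, "xq7"), 3)

    return {
        "case_fold_collides": case_fold_collides,
        "table_entries": len(table),
        "cracked": cracked,
        "per_account_salt_differs": per_account_salt_differs,
        "fast_hashes_per_sec": fast_rate,
        "slow_hashes_per_sec": slow_rate,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it, the table built once for SYSTEM recovers the SYSTEM password of both constructed databases (as "XQ7" and "M3Z", the case-folded forms) and returns nothing for SCOTT, the same password under two random salts produces unrelated hashes, and the throughput figures differ by several orders of magnitude, which is the gap a deliberately slow function is meant to open.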
Wright said the Redwood Shores, Calif.-based database giant developed its password-hashing algorithm in the early 1990s. It was adequate then, he said, but not now.
"In my testing, I'm calculating 850,000 hashes a second," he said. "I can do things much faster now than 10 years ago. With a fast computer and the right program you could do over a million passwords a second. With minimal hardware, an attacker can brute force even the strong Oracle passwords. It's time for them to put something new in place."
Until a fix is available, Wright and Cid said Oracle users can mitigate the problems by enforcing a strong password selection policy and by enforcing the principle of least privilege. Among other things, they recommended administrators:
- Restrict access to password hashes;
- Audit SELECT statements on the DBA_USERS view;
- Encrypt TNS traffic; and
- Enforce a minimum password length.
An Oracle spokeswoman said in an e-mailed statement, "We feel strongly that the issues noted in the [SANS] paper can be addressed through good password policy management, which dramatically reduces the inherent security risks associated with any password-based authentication system; and through use of security features included with the Oracle database, such as facilities to enforce password complexity, account lockout after multiple login failures and password expiration."