A weakness in an Oracle login system—used in the company’s databases which grant access to sensitive information—makes it trivial for attackers to crack user passwords and gain entry without authorization, a researcher has warned.

The issue has been dubbed the “Oracle stealth password cracking vulnerability,” by the researcher who discovered it, and the problem stems from a session key the Oracle Database 11g Releases 1 and 2 sends to users each time they attempt to log in (all according to a report published Thursday by Threatpost). The key leaks information about a cryptographic hash used to obscure the plaintext password. The hash, in turn, can be cracked using off-the-shelf hardware, free software, and a variety of attack methods that have grown increasingly powerful over the past decade. Proof-of-concept code exploiting the weakness can crack an eight-character alphabetic password in about five hours using standard CPUs.

Oracle engineers have corrected the problem in version Oracle Database 12, but they have no plans to fix it in version 11.1, security researcher Esteban Martinez Fayo told Threatpost. Even in version 12, the vulnerability isn’t removed until an administrator changes the configuration of a server to use only the new version of the authentication system. Oracle representatives didn’t respond to an e-mail seeking comment for this story.

Read 3 remaining paragraphs | Comments

via Ars Technica » Technology Lab http://feeds.arstechnica.com/~r/arstechnica/technology-lab/~3/1lnTxyYQanE/