Oracle's security practices have come under a fresh attack from two security researchers who claim the database maker's products have serious password-protection weaknesses.
Joshua Wright of the SANS Institute and Dr Carlos Cid of the Information Security Group at the Royal Holloway, University of London, have published a paper outlining problems with Oracle's password system that they say make it "straightforward" to recover users' passwords. Wright gave a presentation on the matter at the SANS Network Security conference in Los Angeles earlier this week, SANS said.
The problem centres on the hashing algorithm Oracle uses to protect passwords, which the researchers said is "weak" and subject to several attacks. If an attacker were able to gain password hash information from a compromised system, the weakness could allow access to password-protected information, said Cid and Wright.
Possible ways of exploiting the weakness include traffic sniffing or SQL injection, they said.
"The current mechanism presents a number of weaknesses, making it straightforward for an attacker with limited resources to recover a user's plaintext password from the hashed value," Cid and Wright wrote in the paper. Even strong passwords could be vulnerable to this type of attack, they said.
Password recovery wouldn't need complex or even custom-made software, but could be carried out with simple, off-the-shelf components, they said. "By exploiting these weaknesses, an adversary with limited resources can mount an attack that would reveal the plaintext password from the password hash for a known user," Cid and Wright wrote.
One way of limiting danger from the problem at the moment would be to enforce a strong password policy among users, and to ensure users have access to the minimum of privileged resources, the paper said. Administrators could also put other protections into place, such as encrypting TNS traffic, the researchers said.
A better solution, though, would be for Oracle to improve its password management system, they said. The SANS Institute said it contacted Oracle about the problems in mid-July, but said Oracle hasn't responded on when it plans to take any action. SANS urged users to speak to Oracle themselves.
Oracle has come under increasing pressure over its security practices this year. The company has repeatedly issued critical security patches that don't work - its October patches didn't fix all the problems they were supposed to address, and in July, Oracle released two sets of database patches to fix flaws in previously released security patches. One of the affected fixes in July was itself a fix to an earlier set of patches - in other words, a patch for a patch for a patch.
Earlier this year a German security firm released details of several high-risk Oracle flaws, along with workarounds, claiming to have seen no action from Oracle two years after reporting the bugs. The firm said the delay was more evidence that Oracle's patching system is in disarray.
Oracle has said it stands behind the security of its products and takes security seriously.