More Oracle Security Woes: Weak Password Hashing Algorithm
Over on the SANS Internet Storm Center's Daily Incident Handlers' Diary:
Handler Joshua Wright and Dr. Carlos Cid from the Information Security Group at the Royal Holloway, University of London have published a paper describing the inner workings and vulnerabilities in the Oracle password hashing algorithm. A copy of the paper is available through the SANS Reading Room at http://www.sans.org/rr/special/index.php?id=oracle_pass.
The authors findings indicates that the password hashing algorithm is weak, and subject to a number of attacks. If an attacker is able to obtain Oracle password hash information from a compromised system, through traffic sniffing, SQL injection or other attack vectors, they will likely be able to recover plaintext passwords with few resources, even when strong passwords are selected. The paper also recommends several actions Oracle DBA's can take to help mitigate this threat.
The SANS Institute contacted the Oracle product security team about these findings on 7/12/2005. Subsequent requests for clarification on what Oracle plans to do to address these vulnerabilities have gone unanswered. Oracle customers are encouraged to communicate their desire to resolve these vulnerabilities through the appropriate channels.