The weakness has been named the “Oracle stealth password cracking vulnerability” by the researcher who found it, and the exploit's root is a session key that Oracle Database 11g Releases 1 and 2 send to users each time they try to log on, according to a study released Thursday by Threatpost. This key leaks data about a cryptographic key used to hash the plain text data. The hash, in turn, can be cracked using off-the-shelf hardware, free software, and a variety of attack methods.
Proof-of-concept (POC) code exploiting the weakness can crack an eight-character alphabetic password in roughly five hours utilizing standard CPUs.
Oracle’s fix for the fault is essentially a new but incompatible version of the protocol, which leaves the current version still open to attack.
“Oracle has been very quiet about the fault,” says Alex Rothacker, manager of security research for AppSec’s TeamSHATTER. “The only comment from them was a paragraph about a new protocol fixing some security issues. They haven’t said anything that made people aware to update the database and all of the database clients.”