Vigil@nce: Oracle Database, brute force on authentication
October 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A network attacker can brute-force the version 11 authentication
protocol of Oracle Database and log in within about five hours.
– Impacted products: Oracle DB
– Severity: 2/4
– Creation date: 21/09/2012
DESCRIPTION OF THE VULNERABILITY
Access to Oracle Database requires authentication. The authentication
protocol exists in versions 10, 11.1 and 11.2.
Versions 11.1 and 11.2 use a salted hash. However, the algorithm is
weak: an eight-character lowercase password (26^8, roughly 2.1 x 10^11
candidates) can be recovered by a brute force of about five hours.
Technical details are unknown.
A network attacker can therefore brute-force the version 11
authentication protocol of Oracle Database and log in within about
five hours.
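The only hard numbers in the bulletin are "eight characters lowercase" and "five hours", and technical details of the hash are unknown. What a practitioner can still extract from those two figures is the guessing rate they imply and what that rate means for other password policies. The following script is an added example, not Vigil@nce's or Oracle's code; it assumes the five hours cover the full 26^8 keyspace (worst case; if the figure is an average, the implied rate is about twice as high) and that the cost per guess does not depend on password length or character set.

```python
"""Brute-force cost estimate for Oracle Database 11g logon passwords.

Added example (not from the bulletin). Inputs taken from the bulletin:
an 8-character lowercase password, recovered by a 5-hour brute force.
Assumption: the 5 hours exhaust the whole 26^8 keyspace (worst case).
"""
import math

HOURS_FROM_BULLETIN = 5.0   # stated brute-force time
LENGTH_FROM_BULLETIN = 8    # "eight characters"

# Alphabet sizes used for the policy comparison.
LOWER = 26                  # a-z
LOWER_DIGIT = 36            # a-z 0-9
MIXED_DIGIT = 62            # a-z A-Z 0-9
MIXED_DIGIT_PUNCT = 94      # printable ASCII minus space


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive search must try."""
    return alphabet_size ** length


def implied_rate(length: int, alphabet_size: int, hours: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `hours`.

    With the bulletin's figures this is about 11.6 million guesses/s,
    which is the attacker capability the bulletin implicitly reports.
    """
    return keyspace(length, alphabet_size) / (hours * 3600)


def hours_to_exhaust(length: int, alphabet_size: int, rate: float) -> float:
    """Worst-case hours to try every password at `rate` guesses/s."""
    return keyspace(length, alphabet_size) / rate / 3600


def human(hours: float) -> str:
    """Render a duration in the unit a reader would actually use."""
    if hours < 48:
        return f"{hours:.1f} hours"
    days = hours / 24
    if days < 730:
        return f"{days:.0f} days"
    return f"{days / 365.25:.0f} years"


# Hypothetical policies to compare against the bulletin's case.
POLICIES = [
    ("8 lowercase (bulletin case)", LOWER, 8),
    ("8 lowercase + digits", LOWER_DIGIT, 8),
    ("8 mixed case + digits", MIXED_DIGIT, 8),
    ("10 lowercase", LOWER, 10),
    ("12 lowercase", LOWER, 12),
    ("12 mixed case + digits + punctuation", MIXED_DIGIT_PUNCT, 12),
]


def policy_report(rate: float) -> list:
    """(label, length, worst-case hours) for each policy at `rate`."""
    return [(label, length, hours_to_exhaust(length, alphabet, rate))
            for label, alphabet, length in POLICIES]


if __name__ == "__main__":
    rate = implied_rate(LENGTH_FROM_BULLETIN, LOWER, HOURS_FROM_BULLETIN)
    print(f"implied guessing rate: {rate:,.0f} guesses/s")
    for label, length, hours in policy_report(rate):
        print(f"{label:40s} {human(hours):>12s}")
```

The figures are only as good as the assumption stated above, but the shape of the result does not depend on it: at the rate the bulletin implies, adding four lowercase characters multiplies the worst-case search by 26^4 (from hours to centuries), whereas merely adding digits to an eight-character password only moves it from hours to days. Note that this is an offline attack on the hash, so failed-login lockout does not slow it down; only password length and entropy do.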
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Oracle-Database-brute-force-on-authentication-11966