A researcher has found a vulnerability in an older version of Oracle’s database software that exposes user passwords to cybercriminals.
Security expert Esteban Martinez Fayo said his discovery of the critical security flaw means hackers can gain unauthorized access through simple passwords stored on the database in just five hours.
David Emm, security researcher at Kaspersky Lab, said the passwords can be obtained if criminals mount a brute-force attack.
“Data sent by the server during the login authentication process, i.e., the session key and the salt, is enough to allow an attacker to use a brute-force attack by trying lots of passwords until the correct one is found,” he said.
“This tactic is used to obtain a valid password and get access to the database.”
Oracle has patched the bug in version 12 of the authentication protocol, but has no immediate plans to apply the fix to its still widely used 11.1 protocol version.
Emm warned that hackers will persistently target companies that have not applied the patch and those that continue to use the older version of Oracle’s database software.
“Cybercriminals use vulnerabilities of all kinds to get access to corporate systems, especially in applications that are widely-used. So it’s vital that administrators take steps to reduce their exposure to attacks,” he said.
“In this case, it means using the version of the authentication protocol provided by Oracle to fix the problem and making the necessary configuration changes to only allow new versions of this protocol.”
Emm advised that system administrators implement stronger passwords for customers, using alphanumeric plus special characters, which will make the passwords harder for hackers to crack even on vulnerable systems.
Source: Dark Reading
Image: Oracle PR, via Flickr (CC)












