Oracle Database suffers from "stealth password cracking vulnerability"
Weakness makes it trivial for attackers to crack Oracle Database user passwords.

by Dan Goodin
Sept 20 2012
Ars Technica

A weakness in an Oracle login system, used in the company's databases which grant access to sensitive information, makes it trivial for attackers to crack user passwords and gain entry without authorization, a researcher has warned.

The issue has been dubbed the "Oracle stealth password cracking vulnerability," by the researcher who discovered it, and the problem stems from a session key the Oracle Database 11g Releases 1 and 2 sends to users each time they attempt to log on, according to a report published Thursday by Threatpost. The key leaks information about a cryptographic hash used to obscure the plaintext password. The hash, in turn, can be cracked using off-the-shelf hardware, free software, and a variety of attack methods that have grown increasingly powerful over the past decade. Proof-of-concept code exploiting the weakness can crack an eight-character alphabetic password in about five hours using standard CPUs.

...

http://arstechnica.com/security/2012/09/oracle-database-stealth-password-cracking-vulnerability/
