With more than 100 security vulnerabilities plaguing Oracle within the last year and potentially hundreds more yet to be patched, a new report on Oracle's weak authentication scheme by Joshua Wright (deputy director of training at the SANS Institute) and Carlos Cid couldn't have come at a worse time. Last week at the NS2005 SANS conference, Wright revealed some serious weaknesses in Oracle's database authentication scheme, which made Dan Farber wonder whether Oracle should still be using the word "unbreakable" to describe their products. Oracle no longer uses the term "unbreakable", but they've switched to the marketing slogan "never breaks", which essentially means the same thing and is equally dubious. The truth of the matter is that Oracle, like everyone else, has never had unbreakable software, and judging by the number of vulnerabilities they've had in recent years, it is starting to look as if they are more breakable than any other database maker.
Finding password authentication weaknesses seems to be a specialty for Joshua Wright, whose ASLEAP tool earlier last year forced Cisco to admit problems with their LEAP wireless LAN authentication protocol. In December of 2004, ASLEAP was upgraded with PPTP cracking capabilities, which affect common Microsoft and Linux VPN implementations. Software makers seem to be making the same mistakes over and over again, violating the simplest best practices in password authentication. Strong password authentication boils down to wrapping the authentication session in SSL, or its successor TLS, so that an eavesdropper cannot capture material for a rapid offline dictionary or brute-force attack. The next best thing is to implement a good salt mechanism, which increases cracking complexity by a few orders of magnitude, but Oracle took the shortcut of using the username as the salt. Because the salt is predictable, hashes for a given account name can be precomputed ahead of time and reused against every Oracle installation, so attackers can tailor a high-speed offline attack against any specific user, such as the "system" account, which would give administrative privileges to the attacker.
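An added illustration, not from the article, of why a username-derived salt is weaker than a random per-account salt. The hash function is a stand-in (PBKDF2-HMAC-SHA256), not Oracle's actual password hashing algorithm, and the account name and candidate passwords are constructed for the demonstration; the audit helper shows that a table of candidate-password hashes built once for an account name matches that account on every independently installed system under the username-salt scheme, and matches nothing under the random-salt scheme.

```python
"""Username-as-salt versus random per-account salt (illustrative only).

The hashing primitive below is PBKDF2-HMAC-SHA256, a stand-in chosen for the
demonstration; it is NOT Oracle's password hashing algorithm.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, List

ITERATIONS = 10_000  # kept low so the demo runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_username_salted(username: str, password: str) -> Dict[str, bytes]:
    """Weak scheme: the salt is derived from the (case-folded) username, so the
    same username/password pair hashes identically on every system."""
    salt = username.upper().encode("utf-8")
    return {"salt": salt, "hash": hash_password(password, salt)}


def store_random_salted(username: str, password: str) -> Dict[str, bytes]:
    """Stronger scheme: a fresh random salt per account, stored with the hash.
    The username is accepted only to keep the same signature as above."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: Dict[str, bytes], password: str) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


def precomputed_table_works(scheme: Callable[[str, str], Dict[str, bytes]],
                            username: str, candidates: List[str],
                            target_password: str) -> bool:
    """Audit helper for a defender evaluating a salt design.

    Build a lookup table of hashes for candidate passwords of `username`
    WITHOUT access to the target system, then check whether that table
    identifies the password stored for the same account name on an
    independently provisioned system. True means the salt gives no
    per-installation protection (the weakness described in the article)."""
    table = {scheme(username, c)["hash"]: c for c in candidates}
    target_record = scheme(username, target_password)  # the other system's row
    return table.get(target_record["hash"]) == target_password
```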
To make things worse, it seems that Oracle has been stonewalling the two researchers rather than addressing the issue head on. Wright and Cid wouldn't be the first researchers to be ignored by Oracle; Alexander Kornbrust has been waiting more than two years to have some of the serious vulnerabilities he discovered addressed. There seems to be a deep culture of denial that afflicts not only Oracle the company but many Oracle consultants and administrators as well. Every time an embarrassing rash of vulnerabilities comes up in their quarterly mega-patches, attention is deflected elsewhere. It's common to hear Oracle "experts" say irrelevant things like "Oracle is protected behind a firewall while Microsoft SQL isn't." Never mind that the issue isn't about Microsoft SQL Server, or that Microsoft doesn't have nearly as many security problems with their database; being behind a corporate firewall should never be a free pass for application vulnerabilities, because firewalls typically do nothing to protect against application-layer flaws. It's time Oracle took a good look in the mirror and dealt with their problems honestly and thoroughly. Until they do, the flood of security holes will keep coming and will eventually catch up with their reputation.