SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
TOP Security!
10 May 2018

Oracle Access Manager security bug so serious it let anyone access protected data

A bug that Oracle recently patched broke the main functionality of Oracle Access Manager (OAM), which should only give authorized users access to protected enterprise data.

OAM provides an authentication function for web applications based on Oracle Fusion Middleware. It can be used to provide and block access to external mobile and cloud applications.

However, researchers at Austrian security firm SEC-Consult found a flaw in OAM's cryptographic format that allowed them to create session tokens for any user, which the attacker could use to impersonate any legitimate user and access web apps that OAM should be protecting. As SEC-Consult explains, OAM-protected web servers feature an authentication component called an Oracle WebGate. When users attempt to access a protected resource from the web server, they're bumped across to an OAM page to enter a username and password. If successful, they're redirected back to the web application and can log in using an encrypted authentication token that's stored in a browser cookie.

However, a flaw in OAM's custom cryptographic format allowed SEC-Consult researcher Wolfgang Ettlinger to use a padding oracle attack to decrypt the authentication token. "We found that a cryptographic format used by the OAM exhibits a serious flaw," explained Ettlinger. "By exploiting this vulnerability, we were able to craft a session token. When a WebGate is presented with this token, it would accept it as a legitimate form of authentication and allow us to access protected resources.

"What's more, the session cookie crafting process lets us create a session cookie for an arbitrary username, thus allowing us to impersonate any user known to the OAM." Oracle Fusion Middleware 11g and 12c were affected by the vulnerability in the OAM authentication engine, which is tracked as CVE-2018-2879 and got a CVSS v3 score of 9.0 out of a possible 10 in Oracle's April critical patch update.

Ettlinger said there are two lessons to be drawn from the bug: "You do not roll your own crypto" and "You DO NOT roll your own crypto". "Cryptography is very hard to get exactly right. Even when using standard implementations of algorithms, it is challenging to design a proper cryptographic format or protocol," he wrote.

"Quite often, seemingly secure implementations can exhibit serious vulnerabilities -- and that goes way beyond the rather well-known padding oracle attack that was demonstrated here," he wrote.
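The flaw class described above (a home-grown token format whose verifier reveals, through its error behaviour, whether a modified ciphertext still decrypted to valid padding) is easiest to see next to the fix. The following Go program is an added example, not code from SEC-Consult, Oracle or ZDNet, and it does not model OAM's actual cookie format, which the article does not detail. The key, the user list and the token layouts are constructed for the demo. It mints session tokens two ways, AES-CBC with PKCS#7 padding and no integrity check versus AES-GCM, and includes the property test a defender would keep in a verifier's test suite: corrupt a valid token two ways and check whether the verifier answers with different errors.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var (
	// Constructed 32-byte demo key (AES-256); real code loads it from a secret store.
	// The length is fixed, so neither constructor below can fail.
	demoKey      = []byte("0123456789abcdef0123456789abcdef")
	demoBlock, _ = aes.NewCipher(demoKey)
	demoGCM, _   = cipher.NewGCM(demoBlock)
	// Constructed user list standing in for the identity store behind the verifier.
	knownUsers = map[string]bool{"alice": true, "bob": true}

	ErrBadPadding   = errors.New("bad padding")   // returned only by the weak verifier
	ErrUnknownUser  = errors.New("unknown user")  // returned only by the weak verifier
	ErrInvalidToken = errors.New("invalid token") // the single error the safe verifier returns
)

// pkcs7Unpad expects len(b) to be a non-zero multiple of the block size.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrBadPadding
	}
	return b[:len(b)-n], nil
}

// weakIssue mints a token the "roll your own" way: AES-CBC with PKCS#7 padding
// and no integrity check. Layout: IV || ciphertext.
func weakIssue(user string) []byte {
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // crypto/rand: documented never to fail since Go 1.24
	n := aes.BlockSize - len(user)%aes.BlockSize
	pt := append([]byte(user), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(demoBlock, iv).CryptBlocks(ct, pt)
	return append(iv, ct...)
}

// weakVerify decrypts first and checks the user afterwards. A padding failure and an
// unknown-user failure surface as different errors, which is exactly the oracle.
func weakVerify(token []byte) (string, error) {
	if len(token) < 2*aes.BlockSize || len(token)%aes.BlockSize != 0 {
		return "", ErrBadPadding
	}
	pt := make([]byte, len(token)-aes.BlockSize)
	cipher.NewCBCDecrypter(demoBlock, token[:aes.BlockSize]).CryptBlocks(pt, token[aes.BlockSize:])
	user, err := pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	if !knownUsers[string(user)] {
		return "", ErrUnknownUser
	}
	return string(user), nil
}

// safeIssue uses AES-GCM: the tag covers the whole ciphertext, so any modification
// is rejected before a plaintext byte is examined. Layout: nonce || ciphertext || tag.
func safeIssue(user string) []byte {
	nonce := make([]byte, demoGCM.NonceSize())
	rand.Read(nonce)
	return demoGCM.Seal(nonce, nonce, []byte(user), nil)
}

// safeVerify collapses every failure into one error; the error channel says nothing.
func safeVerify(token []byte) (string, error) {
	ns := demoGCM.NonceSize()
	if len(token) >= ns {
		if user, err := demoGCM.Open(nil, token[:ns], token[ns:], nil); err == nil && knownUsers[string(user)] {
			return string(user), nil
		}
	}
	return "", ErrInvalidToken
}

// tamper returns a copy of token with the last byte of its first block XORed by mask.
func tamper(token []byte, mask byte) []byte {
	t := append([]byte{}, token...)
	t[aes.BlockSize-1] ^= mask
	return t
}

// LeaksDistinguishableErrors is the property test to keep in a verifier's test suite:
// mint a token, corrupt it two ways, report whether the verifier answers differently.
func LeaksDistinguishableErrors(issue func(string) []byte, verify func([]byte) (string, error)) bool {
	tok := issue("alice")
	// We minted the token, so we know its pad length; the second mask turns the last
	// plaintext byte into 0x01 (a valid one-byte pad), the first into an invalid value.
	padLen := byte(aes.BlockSize - len("alice"))
	_, e1 := verify(tamper(tok, 0xff))
	_, e2 := verify(tamper(tok, padLen^0x01))
	return e1 != e2
}
```

Run against the CBC verifier the test reports `true`: the caller can tell a padding failure from a user-lookup failure, and that single bit, observed over many requests, is what a padding oracle attack is built on. Against the AES-GCM verifier it reports `false`, because the tag check fails identically for every corruption and no plaintext-dependent branch is ever reached. The lesson matches Ettlinger's: use an authenticated mode (or encrypt-then-MAC with a constant-time tag compare) and return one opaque error for every rejected token.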

Tags:
information leaks
Source:
ZDNet
SafeUM © Safe Universal Messenger