Oracle patches a serious vulnerability that could allow an attacker to impersonate arbitrary users (even admins)
Researchers at SEC Consult Vulnerability Lab have uncovered a serious flaw in a core Oracle component responsible for authentication.
The problem was discovered by SEC’s Wolfgang Ettlinger, and concerns the Oracle Access Manager (OAM).
The OAM is the component of Oracle Fusion Middleware that handles authentication for all sorts of web applications. Any flaw in this component is therefore potentially very serious, as the OAM could effectively be tricked into granting unauthorised access to data.
According to Ettlinger’s blog on the matter, the flaw with OAM was discovered last November.
“During a research project, we found that a cryptographic format used by the OAM exhibits a serious flaw,” wrote Ettlinger. “By exploiting this vulnerability, we were able to craft a session token. When a WebGate is presented with this token, it would accept it as a legitimate form of authentication and allow us to access protected resources. What’s more, the session cookie crafting process lets us create a session cookie for an arbitrary username, thus allowing us to impersonate any user known to the OAM.”
SEC said that it had responsibly disclosed this vulnerability to Oracle immediately after it had identified it in November 2017.
Both currently supported versions, OAM 11g and 12c, are affected by this vulnerability, but thankfully Oracle has issued a patch for it.
“Oracle was very responsive and provided a fix with the latest Critical Patch Update (CPU) in April 2018,” wrote the researcher. “As this patch was provided in Oracle’s regular update schedule, we expect OAM administrators to have applied the patch by now. If this is not the case for your organisation, it’s high time to do so now!”
The following video demonstrates the vulnerability and shows that an attacker can impersonate arbitrary users (even admins) in the protected web applications/resources.
Meanwhile another security researcher warned that there were many other online services that if not patched are vulnerable to this attack.
“By crafting a series of URLs, attackers can cause OAM to believe it has received a valid authentication cookie and allow access to protected resources,” said Bob Rudis, chief data scientist at Rapid7.
“A secondary feature of the OAM flaw is that this brute-force attack also enables the attacker to impersonate any application user: i.e. anything from a ‘regular user’ to accounts with administrator-level access,” he said. “There are potentially over 11,000 internet-reachable services that – if not patched – are susceptible to this attack. Aggregated data from Rapid7’s Project Sonar, PublicWWW and other sources also show active, vulnerable instances are currently live on the internet.”
“The danger is not just to internet-connected systems,” said Rudis. “Because this attack does not require authentication, attackers that gain an entry point into an organisation’s network – say, through a phishing attack – can seek out OAM-protected internal applications and use this vulnerability to gain highly privileged access to any data that the application is designed to process or access.”
“Thankfully, due to the noisy, brute-force nature of this attack organisations can monitor their application and web server logs for large numbers of invalid authentication attempts or for a pattern of authentication attempts as seen in the SEC Consult example attack description,” he said. “Any organisation running OAM 11g and 12c should make patching a priority to avoid becoming a victim of this attack and suffer either a data breach or a data loss event.”
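As an added illustration of the log-monitoring approach Rudis describes, the following script flags sources that generate a burst of rejected requests against an authentication endpoint. It is example code written for this article, not SEC Consult's, Rapid7's or Oracle's; the combined log format, the `/oam/server/` path prefix, the status codes treated as rejections and the thresholds are all assumptions, and the log lines are constructed.

```python
"""
Added example (not SEC Consult's, Rapid7's or Oracle's code): detect a burst of
rejected authentication requests from a single source, the noisy pattern that
Rudis suggests defenders look for in web server logs. The log format, endpoint
path prefix, status handling and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: Apache/NGINX "combined" access log format. Real OAM/WebGate or
# reverse-proxy logs may differ; adjust LOG_RE and TS_FMT accordingly.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical path prefix for the authentication endpoint being watched.
AUTH_PATH_PREFIX = "/oam/server/"

# Constructed sample log: one source hammering the auth endpoint and getting
# rejected, one ordinary user, and a couple of requests that must be ignored.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2018:13:05:01 +0000] "GET /oam/server/auth HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/May/2018:13:05:03 +0000] "GET /oam/server/auth HTTP/1.1" 401 512',
    '198.51.100.4 - - [10/May/2018:13:05:04 +0000] "GET /oam/server/auth HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/May/2018:13:05:05 +0000] "GET /oam/server/auth HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/May/2018:13:05:08 +0000] "GET /oam/server/auth HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/May/2018:13:05:10 +0000] "GET /index.html HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/May/2018:13:05:12 +0000] "GET /oam/server/auth HTTP/1.1" 401 512',
    '198.51.100.4 - - [10/May/2018:13:05:15 +0000] "GET /app/home HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/May/2018:13:05:20 +0000] "GET /oam/server/auth HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/May/2018:13:05:25 +0000] "GET /oam/server/auth HTTP/1.1" 200 128',
    'this line is not a valid access log entry',
]


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_bursts(lines, threshold=5, window_seconds=60):
    """Return {ip: count} for sources with at least `threshold` rejected
    requests to the auth endpoint inside any sliding window of `window_seconds`."""
    rejected = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(AUTH_PATH_PREFIX):
            continue
        # Assumption: a 2xx means the request was accepted; anything else
        # (401/403/redirect back to login) counts as a rejected attempt.
        if 200 <= rec["status"] < 300:
            continue
        rejected[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in rejected.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits within window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {ip} made {n} rejected auth requests within one minute")
```

The count is per source address, so traffic from behind a shared proxy or NAT will aggregate; in practice the threshold should be tuned against a baseline of normal login failures for the protected application before alerts are routed to an analyst.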
In February Oracle announced it was acquiring Zenedge, a four-year-old startup whose technology will add to Oracle’s security offerings.
The Zenedge deal gives Oracle Web Application Firewall (WAF) and denial-of-service protection technology that can shield cloud, on-premises or hybrid enterprise environments.