11i: Encrypted Password String Disclosure
Integrigy has released an advisory regarding an undisclosed security vulnerability in Oracle Applications 11i that may allow an unauthenticated internal attacker to obtain the encrypted password strings of Oracle Applications user accounts. Those strings can be decrypted using previously published information, so an attacker can potentially recover either any user's password or the password of the Oracle Applications main database account (APPS). The attacker must have direct SQL*Net access to the database (e.g., via SQL*Plus), and the vulnerability is exploitable only when neither of the Oracle Applications security features "Managed SQL*Net Access" and "Server Security" is enabled.
In the majority of Oracle Applications implementations, neither "Managed SQL*Net Access" nor "Server Security" is enabled. "Managed SQL*Net Access" is enabled by default beginning with 11.5.10, but it is commonly disabled because of the complexity of managing permitted hosts and the limitation of allowing only a small number of hosts direct access to the database. "Server Security" is not enabled by default in any version of Oracle Applications and is seldom enabled, because the purpose and security benefits of the feature are poorly understood. All Oracle Applications implementations should enable at least "Server Security" and preferably also "Managed SQL*Net Access".
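As an added illustration, not part of the Integrigy advisory or of Oracle's own documentation, the following sqlnet.ora fragment contrasts the unmanaged state with the "Managed SQL*Net Access" setting the text recommends. The host names are placeholders; in an 11i environment the invited list must name the database tier itself plus every application and concurrent-processing tier node, and because AutoConfig regenerates sqlnet.ora, site changes belong in the included sqlnet_ifile.ora rather than in the generated file.

```ini
# Fragment 1 - unmanaged (the state most implementations run in).
# With valid-node checking off, any host that can reach the listener can open
# a SQL*Net session, which is the precondition the advisory describes.
tcp.validnode_checking = no

# Fragment 2 - "Managed SQL*Net Access" (replaces fragment 1; do not keep both).
# Only the listed hosts may connect over SQL*Net. Every node omitted from the
# list loses database connectivity, which is the operational burden that leads
# sites to turn the feature back off. Host names below are placeholders.
tcp.validnode_checking = yes
tcp.invited_nodes = (dbhost01.example.com, appsnode01.example.com, appsnode02.example.com)
```

"Server Security" is independent of sqlnet.ora: it is switched with the AdminAppServer utility shipped with 11i (the invocation form I know from Oracle's 11i security notes is `java oracle.apps.fnd.security.AdminAppServer apps/<password> AUTHENTICATION SECURE DBC=<path to dbc file>`, with `STATUS` in place of `AUTHENTICATION SECURE` to report the current mode), and in SECURE mode the database accepts application connections only from application tier nodes that present a registered server ID. Enabling both features closes the direct-SQL*Net path the advisory depends on; enabling either one alone still blocks it.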
The underlying issue is that Oracle Applications passwords can be easily decrypted using previously published methods. An attacker (most likely an insider) can obtain encrypted password strings in a number of ways, including through ad-hoc query access, from cloned instances such as development environments, or through SQL injection vulnerabilities in the application or in standard database packages. The advisory describes an additional way of obtaining encrypted password strings through exploitation of a specific undisclosed security vulnerability.
For more information, see the Integrigy Security Advisory "Oracle Applications 11i Encrypted Password Disclosure".