March 3, 2016 by

Oracle Database 12c’s Data Redaction Security Smashed Live on Stage

Oracle’s newly launched Data Redaction security feature in Oracle Database 12c can be easily disrupted by an attacker without any need to use exploit code, a security researcher long known as a thorn in Oracle’s side said at Defcon.

Data Redaction is one of the new Advanced Security features introduced in Oracle Database 12c. The service is designed to allow administrators to automatically protect sensitive data, such as credit card numbers or health information, during certain operations by either totally obscuring column data or partially masking it.

But according to David Litchfield, a self-taught security researcher who has found dozens of critical vulnerabilities in Oracle’s products, a close look at the Data Redaction feature turned up a slew of trivially exploitable vulnerabilities: an attacker does not even need to execute native exploit code to defeat the feature.

David Litchfield is a security specialist at Datacomm TSS and the author of The Oracle Hacker’s Handbook. For many years he was one of the top bug hunters in the game, specializing in digging into Oracle’s database products and breaking them.

The data redaction feature is actually a “great idea”, Litchfield said during a talk at the Black Hat USA 2014 conference on Wednesday. Unfortunately, the feature is so thoroughly riddled with basic security vulnerabilities that it is trivial for attackers to bypass it. The database security expert found many methods to bypass data redaction and trick the system into returning data that should have been masked in Oracle Database 12c. Litchfield then gave a live demonstration of some of the many flaws he had discovered in Oracle’s data redaction feature, some of which were previously documented in his paper (PDF).

The first method is to use the “RETURNING INTO” clause after a DML operation. This clause allows data to be returned into a variable, and redaction was not applied on that path – a big failure on Oracle’s part that he said could be used to bypass Oracle data redaction, and one that would have been discovered by conducting even a basic penetration test.
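To make the feature described above concrete, the following is an added example (not code from the article or from Litchfield’s talk) of how an administrator defines a Data Redaction policy with Oracle’s DBMS_REDACT package, covering both the partial masking mentioned earlier (credit card numbers) and full redaction. The schema, table, column names, role name and the PAYMENTS_ADMIN user are constructed for the example. The closing grant illustrates the defensive point behind the RETURNING INTO finding: an account that should only ever see redacted values should hold SELECT alone, because redaction is enforced on query results and does not substitute for withholding DML privileges.

```sql
-- Constructed example schema (not from the article): stored card numbers
-- are expected in the form 1234-5678-9012-3456 (19 characters).
CREATE TABLE app.payments (
  payment_id  NUMBER PRIMARY KEY,
  card_number VARCHAR2(19),
  amount      NUMBER(10,2)
);

-- Partial redaction: mask digits 1 to 12 of the card number with '*',
-- leaving only the last four digits visible to non-admin sessions.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP',
    object_name         => 'PAYMENTS',
    column_name         => 'CARD_NUMBER',
    policy_name         => 'redact_card_number',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last digit to mask
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12',
    -- the policy applies whenever this expression is true
    expression          => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'PAYMENTS_ADMIN']'
  );
END;
/

-- Full redaction of the amount column under the same policy:
-- numeric values are returned as 0 to sessions matching the expression.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'APP',
    object_name   => 'PAYMENTS',
    policy_name   => 'redact_card_number',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'AMOUNT',
    function_type => DBMS_REDACT.FULL
  );
END;
/

-- Least privilege: reporting accounts get SELECT only. Without INSERT,
-- UPDATE or DELETE they have no DML statement to attach a RETURNING clause to,
-- so the redaction policy is their only view of the data regardless of patch level.
CREATE ROLE report_reader;
GRANT SELECT ON app.payments TO report_reader;
```

A session connected as PAYMENTS_ADMIN sees the real values; any other session querying app.payments receives masked card numbers and zeroed amounts. Auditing which accounts hold DML privileges on redacted tables is a cheap check to run alongside the policy itself.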

A second method he found is essentially a brute force attack on the data in a redacted column in a database. Litchfield said that the methods he found were so simple and so easily carried out that he doesn’t even feel right calling them exploits.

The data redaction bypass flaws have been patched, but Litchfield said he recently sent Oracle a critical flaw that enables a user to gain control of the database; it isn’t patched yet but a fix is in the pipeline. This shows that its Java security problems still persist.


About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
