Oracle Applications 11i User Password Weakness - Follow-up

Due to the number of client inquiries regarding my recent posting on the Oracle Applications 11i password decryption issue, we have written a whitepaper on the subject to provide more details and additional recommendations.  This issue is really a "perfect storm" with the convergence of (1) an inherent architectural weakness in the application, (2) generally accepted insecure operational policies and procedures for ad-hoc query access and cloning, and (3) multiple examples of effective, easy to execute exploit code for decrypting application passwords.

For those of you not familiar with the issue, the fundamental problem is that the Oracle Applications 11i application account passwords are stored in the database encrypted using the APPS database password as the encryption key rather than using a strong, one-way hash algorithm. In order to provide access to the APPS database password upon login and for other processes, it is stored encrypted in the database for each application account using the account username and password as the encryption key. In a well-controlled and secured Oracle Applications environment, this issue is difficult to exploit. However, most implementations allow some form of ad-hoc query access and have numerous cloned databases. Using published exploit code, an insider via ad-hoc query access or in a cloned database is able to decrypt easily both application account passwords and the APPS database account password. In our experience performing security assessments of Oracle Applications environments, virtually all Oracle Applications 11i implementations are vulnerable to this issue to some degree. The question is most often not if a production database is vulnerable rather can 10 or 500 people exploit it, can only trusted employees exploit it or every off-shore developer.

Whitepaper: Oracle Applications 11i Password Decryption