Oracle Database 12c’s Data Redaction Security Smashed Live on Stage

 Oracle’s newly launched Data Redaction security feature in Oracle Database 12c can be easily disrupted by an attacker without any need to use exploit code, a security researcher long known as a thorn in Oracle’s side said at Defcon.

Data Redaction is one of the new Advanced Security features introduced in Oracle Database 12c. The service is designed to allow administrators to automatically protect sensitive data, such as credit card numbers or health information, during certain operations by either totally obscuring column data or partially masking it.

But according to David Litchfield, a self-taught security researcher who found dozens and dozens of critical vulnerabilities in Oracle’s products, a close look at this Data Redaction security feature help him found a slew of trivially exploitable vulnerabilities that an attacker don’t even need to execute native exploit code to defeat the feature.

David Litchfield is a security specialist at Datacomm TSS and the author of The Oracle Hacker’s Handbook, For many years, he was one of the top bug hunters in the game and specialized in digging into the Oracle’s database products and breaking them.

Data redaction feature is actually a “great idea”, Litchfield said during a talk at the Black Hat USA 2014 conference on Wednesday. But unfortunately, the feature is so thoroughly riddled with basic security vulnerabilities that it is trivial for attackers to bypass it. The database security expert found many methods to bypass the data redaction feature and tricking the system into returning data that should be actually masked in Oracle Database 12c. Litchfield then started giving a live demonstration of some of many flaws he had discovered in Oracle’s data redaction feature, some of which were previously documented in his paper PDF.

The first method is to use the “RETURNING INTO” clause after a DML operation. This clause allows data to be returned into a variable – a big failure on Oracle’s part that he said could be used to bypass Oracle data redaction, which would have been discovered by conducting only a penetration test.

A second method he found is essentially a brute force attack on the data in a redacted column in a database. Litchfield said that the methods he found were so simple and so easily done that he doesn’t even feel right to call them exploits.

The data redaction bypass flaws have been patched, but Litchfield said he recently sent Oracle a critical flaw that enables a user gain control of the database, which isn’t patched yet but is in the pipeline. This shows that its Java security problems still persist.

Enjoyed this post? Subscribe to our newsletter and don’t miss a thing!