Crypto flaw in Oracle Access Manager can let attackers pass through

A padding oracle vulnerability in Oracle Access Manager (CVE-2018-2879) can be exploited by attackers to bypass authentication and impersonate any user account.

About the vulnerability

The vulnerability arises from a flawed cryptographic format used by the OAM.

“The Oracle Access Manager is the component of the Oracle Fusion Middleware that handles authentication for all sorts of web applications,” SEC Consult researcher Wolfgang Ettlinger explained.

“In typical scenarios, the web server that provides access to the application is equipped with an authentication component (the Oracle WebGate). When a user requests a protected resource from the web server, it redirects her to an authentication endpoint of the OAM. The OAM then authenticates the user (e.g. with username and password) and redirects her back to the web application. Since all the authentication is handled by a central application, a user only has to authenticate once to access any application protected by the OAM (Single Sign-On).”

But the vulnerability can be exploited to decrypt and encrypt messages used to communicate between the OAM and web servers. The researchers have managed to construct a valid session token and encrypt it, then pass it off as valid to the web server. This allowed them to access protected resources as a user already known to the OAM.

The attack

SEC Consult released a vide demonstration of the attack:

The vulnerability affects OAM versions 11g and 12c.

“A simple Google Dork to find OAM installations yields about 11.800 results, some pointing to high-profile organizations (including Oracle itself). Those are only the installations reachable on the Internet,” Ettlinger noted.

He believes that most of these are likely to be patched by now but, nevertheless, the company has decided not to release the Python script they developed to create an arbitrary authentication token/cookie for any user.

Ettlinger praised Oracle’s responsiveness to their vulnerability disclosure, but is worried about the fact that it existed in the first place.

“SEC Consult did not conduct a full security audit as only a cryptographic implementation was analyzed. However, since the vulnerability was found in such a central component of the OAM, we suspect that an insufficient amount of attention has been given to information security,” he noted.

“Given the central position in an organization’s security infrastructure, we recommend Oracle’s customers to either conduct a full audit of the component or to request the results of such audits from Oracle.”

In the meantime, OAM administrators are urged to implement the update (if they haven’t already) and to analyze historic logs for evidence of attacks.

“A successful attack causes a large number of decryption failures resulting from bad padding (javax.crypto.BadPaddingException),” he pointed out.