Security researcher Wolfgang Ettlinger from SEC Consult Vulnerability Lab has discovered a security vulnerability in Oracle Access Manager that can be exploited by a remote attacker to bypass the authentication and take over the account of any user or administrator on affected systems.
Oracle Access Management provides Web SSO with MFA, coarse-grained authorization and session management, and standard SAML Federation and OAuth capabilities to enable secure access to mobile applications and external cloud.
The flaw, tracked as CVE-2018-2879, relates a flawed cryptographic format used by the Oracle Access Manager.
“The Oracle Access Manager is the component of the Oracle Fusion Middleware that handles authentication for all sorts of web applications,” SEC Consult researcher Wolfgang Ettlinger explained.
“we will demonstrate how minor peculiarities of the cryptographic implementation had a real-life impact on the security of the product. By exploiting this vulnerability we were able to fabricate arbitrary authentication tokens, allowing us to impersonate any user and effectively break the main functionality of OAM.”
Ettlinger explained that an attacker can exploit a vulnerability in the way OAM handles encrypted messages to trick the software into accidentally disclosing information that can be used to log in impersonating other users.
The attacker can power a padding oracle attack to disclose an account’s authorization cookie, he can create a script that generates valid login keys for any desired user, including administrators.
“During a research project, we found that a cryptographic format used by the OAM exhibits a serious flaw. By exploiting this vulnerability, we were able to craft a session token. When a WebGate is presented with this token, it would accept it as a legitimate form of authentication and allow us to access protected resources.” explained the expert.
“What’s more, the session cookie crafting process lets us create a session cookie for an arbitrary username, thus allowing us to impersonate any user known to the OAM.”
The following video PoC shows that an attacker can impersonate arbitrary users by triggering the flaw.
Oracle Access Management 11g and 12c versions were both affected by the vulnerability. The experts used a simple Google Dork to find about 11.800 OAM installs, some of them belonging to high-profile organizations (including Oracle). We have to consider the there are many other installations that are not reachable from the Internet.
The experts responsibly disclosed this flaw to Oracle in November 2017. the IT giant addressed it with the latest Critical Patch Update (CPU) in April 2018.
“As this patch was provided in Oracle’s regular update schedule, we expect OAM administrators to have applied the patch by now. If this is not the case for your organization, it’s high time to do so now” continues the advisory.
Technical details about the CVE-2018-2879 are included in the security advisory published by the SEC Consult Cryptography Competence Center.