A serious vulnerability in an older version of the authentication protocol used by Oracle databases, which leaves some customers' passwords exposed to hackers, has been uncovered.
The vulnerability was revealed by AppSec researcher Esteban Martinez Fayo in a talk at the Ekoparty Security Conference.
Fayo claims that the bug means hackers can crack simple passwords stored in the database in as little as five hours.
Kaspersky researcher David Emm told V3 that to get the passwords, criminals would need to mount a brute force attack.
"Data sent by the server during the login authentication process, i.e. the session key and the salt, is enough to allow an attacker to use a brute-force attack by trying lots of passwords until the correct one is found," he said.
"This tactic is used to obtain a valid password and get access to the database."
Oracle has reportedly fixed the bug in version 12 of the authentication protocol, but currently has no plans to apply the fix to its still widely used version 11.1 protocol.
Emm warned that without the patch hackers would continue to target companies using the vulnerability, adding that it was "vital" administrators take steps to reduce their exposure to attacks.
"In this case, it means using the version of the authentication protocol provided by Oracle to fix the problem and making the necessary configuration changes to only allow new versions of this protocol," said Emm.
"So a further step that administrators should take is to enforce the use of strong passwords using alpha-numeric plus special characters, so even on 'vulnerable' systems it would take an attacker a long time to be able to crack a password."
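The configuration change Emm describes, as an added illustration rather than anything from the article or from Oracle: the parameter name, file and error number below come from Oracle's own documentation for the server-side sqlnet.ora (releases before 11.2.0.3 spell it SQLNET.ALLOWED_LOGON_VERSION), so check them against the release actually installed.

```ini
# sqlnet.ora on the database server (added example; parameter name and
# file location are assumptions taken from Oracle documentation, not from
# the article above).

# Weak: lets clients negotiate the older logon protocol the article describes,
# so the salt and session key sent during authentication can still be
# captured and used for offline password guessing.
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 11

# Hardened: accept only the version 12 protocol, the one in which Oracle
# shipped the fix. Clients that only speak older versions fail at connect
# time with ORA-28040 instead of completing a vulnerable handshake.
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12
```

Before enforcing the hardened value, inventory client versions so that the change does not lock out legitimate older clients; the rejected connections are themselves a useful signal of where old drivers remain.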
For more insight into some of the major security issues affecting businesses make sure you sign up to the V3 Security Summit taking place on Tuesday 25 September which includes high-level speakers such as Mimecast chief scientist Nathaniel Borenstein and cryptographer Bruce Schneier.