Oracle Database Password Information Disclosure Vulnerability
30 October 2012
The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 18.104.22.168, 22.214.171.124, and 126.96.36.199 allows remote attackers to obtain the session key and salt for arbitrary users, which leaks information about the cryptographic hash and makes it easier to conduct brute force password guessing attacks, aka "stealth password cracking vulnerability."
CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
The existence of a botnet comprising of tens of thousands of compromised routers and other IoT devices is not news. Nevertheless, this latest one is special, as it seems that its herder does not have malicious intentions.