DOAG BEST OF 2020 - Oracle Security Services by Red ......Oracle Vulnerabilities 2020 Number of...


Page 1: DOAG BEST OF 2020 - Oracle Security Services by Red ......Oracle Vulnerabilities 2020 Number of vulnerabilities in Oracle database increased again ! 144 findings in 2020 (2019: 27,

Best of Oracle Security 2020

What happened in 2020?


Introduction

What will be shown in the next 45 minutes?

• Oracle Security Patches
• Oracle Index / Fulltext Index / Histograms
• How Oracle violates GDPR/DSGVO out of the box
• How to bypass Auditing, VPD / RAS, Database Vault
• Outlook 2021


Database Vulnerabilities and CPU

More security bugs, no trend change (from 12 in 2018 to 27 in 2019 to 144 in 2020)


Oracle Vulnerabilities 2020


Oracle Vulnerabilities 2020

Number of vulnerabilities in Oracle database increased again

• 144 findings in 2020 (2019: 27, 2018: 12, 2017: 14, 2016: 30, 2015: 29, 2014: 43, 2013: 13, 2012: 17)

• Number includes security bugs from the footnotes

• 11 remote exploitable bugs

• January 2020 CPU (17 Vulnerabilities – 4 remote)

• April 2020 CPU (14 Vulnerabilities – 2 remote)

• July 2020 CPU (49 Vulnerabilities – 1 remote)

• October 2020 CPU (64 Vulnerabilities – 5 remote)


Vulnerabilities in Footnotes (Oct 2020)


Jan 2020 - Nov 2020


January 2020

Oracle CPU January 2020 *

* https://www.oracle.com/security-alerts/cpujan2020.html


January 2020 CPU*

17 security fixes (3 remote exploitable)

5 RDBMS (CVSS3 7.7, 7.5, 4.1, 3.9, 2.4)

1 Java VM (CVSS3 7.5)

1 Workload Manager (CVSS3 7.5)

3 Database Gateway for ODBC (CVSS3 5.9, 5.0, 3.3)

2 Oracle Applications for DBA (CVSS3 3.9)

* https://www.oracle.com/security-alerts/cpujan2020.html


January 2020 CPU*

Alexander Kornbrust of Red Database Security: CVE-2020-2511, CVE-2020-2516, CVE-2020-2527, CVE-2020-2572, CVE-2020-2608, CVE-2020-2609, CVE-2020-2610, CVE-2020-2611, CVE-2020-2612, CVE-2020-2613, CVE-2020-2614, CVE-2020-2615, CVE-2020-2616, CVE-2020-2617, CVE-2020-2618, CVE-2020-2619, CVE-2020-2620, CVE-2020-2621, CVE-2020-2622, CVE-2020-2623, CVE-2020-2624, CVE-2020-2625, CVE-2020-2626, CVE-2020-2628, CVE-2020-2629, CVE-2020-2630, CVE-2020-2631, CVE-2020-2632, CVE-2020-2633, CVE-2020-2634, CVE-2020-2635, CVE-2020-2636, CVE-2020-2637, CVE-2020-2638, CVE-2020-2639, CVE-2020-2640, CVE-2020-2641, CVE-2020-2642, CVE-2020-2643, CVE-2020-2644, CVE-2020-2645


January 2020 CPU*

CVE-2020-2511 (CVSS3 7.7)

Simple SQL can crash Oracle (see Best-of-Oracle Security 2019)


January 2020 CPU

CVE-2020-2527 (CVSS3 4.1)

Explanation later


January 2020 CPU*

CVE-2020-2516 (CVSS3 2.4)

CREATE ANY MATERIALIZED VIEW does not trigger unified auditing. Similar bug to CREATE TABLE AS SELECT …

Sample:

CREATE MATERIALIZED VIEW emp_mv
  BUILD IMMEDIATE
  REFRESH FORCE ON DEMAND
  AS SELECT * FROM [email protected];

* Subject: CREATE ANY MATERIALIZED VIEW DOES NOT TRIGGER UNIFIED AUDIT SELECT
* CVSSv3.0 Base Score: 2.4
* CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
* Credited As: Alexander Kornbrust of Red Database Security


January 2020 CPU*

The rest of my findings affected Cloud Control

S1205296/CVE-2020-2608:
* Subject: DBA USERS CAN BYPASS SYS.USER$ RESTRICTION AS SYSMAN
* CVSSv3.0 Base Score: 6
* CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
* Credited As: Alexander Kornbrust of Red Database Security

S1207225/CVE-2020-2609:
* Subject: PACKAGE 2 of 42 ECM_CMP_RSLT PRIV ESCALATION VIA DBMS_ASSERT NOT FULLY QUALIFIED
* CVSSv3.0 Base Score: 6.3
* CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* Credited As: Alexander Kornbrust of Red Database Security

S1207239/CVE-2020-2610:
* Subject: PACKAGE 3 of 42 ECM_COMPARISON PRIV ESCALATION VIA DBMS_ASSERT NOT FULLY QUALIFIED
* CVSSv3.0 Base Score: 6
* CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
* Credited As: Alexander Kornbrust of Red Database Security

S1207241/CVE-2020-2612:
* Subject: PACKAGE 5 of 42 ECM_WEBSVC_UTIL PRIV ESCALATION VIA DBMS_ASSERT NOT FULLY QUALIFIED
* CVSSv3.0 Base Score: 6
* CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
* Credited As: Alexander Kornbrust of Red Database Security

…


February 2020

Nothing


March 2020

nothing special happened


April 2020

Oracle CPU April 2020*

* https://www.oracle.com/security-alerts/cpuapr2020.html


April 2020 CPU*

14 security fixes (2 remote exploitable)

1 Core RDBMS (CVSS3 6.4)

1 Java VM (CVSS3 8.0)

1 Oracle Multimedia (CVSS3 8.0)

1 WLM (Apache Tomcat) (CVSS3 7.5)

1 Oracle Text (CVSS3 6.3)

2 Oracle APEX (CVSS3 6.1, 4.6)

1 RDBMS Optimizer (CVSS3 2.4)

* https://www.oracle.com/security-alerts/cpuapr2020.html


April 2020 CPU*

CVE-2020-2737 (CVSS3 6.4)


May 2020

None


June 2020

None


July 2020

Oracle CPU July 2020 *

* https://www.oracle.com/security-alerts/cpujul2020.html


July 2020 CPU*

49 security fixes (1 remote exploitable)

1 Oracle MapViewer (CVSS 8.8)

1 Java VM (CVSS3 8.0)

1 Core RDBMS (CVSS 7.2)

8 APEX (CVSS3 5.4)

1 Data Pump (CVSS3 6.6)

* https://www.oracle.com/security-alerts/cpujul2020.html


July 2020 CPU*

CVE-2020-2984 (CVSS3 7.1) As shown in the Best-of-Oracle-Security 2019


August 2020

None


September 2020

• Nothing special


October 2020

Oracle CPU October 2020 *

* https://www.oracle.com/security-alerts/cpuoct2020.html


October 2020 CPU*

10 security fixes (2 remote exploitable)

1 Java VM (CVSS 6.8, remote)

1 Jackson Databind (CVSS 5.7)

7 Core RDBMS (CVSS 5.0-2.3)

* https://www.oracle.com/security-alerts/cpuoct2020.html


October 2020 CPU*

Alexander Kornbrust of Red Database Security: CVE-2020-14742, CVE-2020-14901

* https://www.oracle.com/security-alerts/cpuoct2020.html


October 2020 CPU*

CVE-2020-14901 (CVSS3 4.0)

Details soon

* Subject: ISSUE 3 OF 7: ANALYZE ANY IS GRANTED TO TOO MANY GRANTEES
* CVSSv3.1 Base Score: 4.9
* CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
* Credited As: Alexander Kornbrust of Red Database Security


October 2020 CPU*

CVE-2020-14472 (CVSS3 2.7)

Details soon

* Subject: ALL_USERS/DBA_USERS/CDB_USERS/USER_USERS DO NOT SHOW THE USER BUT IT CAN STILL BE USED
* CVSSv3.1 Base Score: 2.7
* CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
* Credited As: Alexander Kornbrust of Red Database Security


November 2020

DOAG 2020

* https://mahmoudhatem.wordpress.com/2017/11/17/injecting-a-backdoor-in-an-oracle-database/#more-8100


And now the special topic Security & Indexes & Histograms


Some of my database security research

• DSGVO / GDPR Violation of Oracle
• Bypass TDE
• Bypass Database Vault
• Bypass Auditing
• Bypass VPD

This research affects other database vendors (Microsoft, SAP, … ) as well. This presentation covers only Oracle.


Oracle Index


Oracle Index Security I

Idea from Gunther Pipperr at the DOAG party 2018.

• All relational databases support indexes.
• An index is normally created by the DBA or developer.
• In some cases the system itself creates indexes automatically (Oracle Exadata Auto-Index Feature).
• To create an index it is necessary to read the entire table.
• The boundaries of each index (low/high value) are normally stored unencrypted in a different place / table in the database.


Oracle Index Security II

• CREATE INDEX SECALERT1 ON myuser (PASSWORD ASC);

• The Index high/low value is stored in the table SYS.HIST_HEAD$

• The Views ALL_TAB_COLUMNS / DBA_TAB_COLUMNS contain the high/low value as well


Oracle Index Security - Exploit


Oracle Index Security - Exploit


Oracle Index Security - Exploit


Oracle Fulltext Index


Oracle Fulltext Index Security I

• The majority of databases support full text indexes.
• These fulltext indexes are normally implemented as an additional table containing the entire text column content.
• This fulltext content can be accessed without accessing the original table.
• Some databases do not audit the SELECT from the index creation.
• Fulltext indexes can be used to bypass audit systems (similar to Oracle Materialized Views).

• Oracle: CREATE INDEX system.myuserindex ON secalert.myuser(password) INDEXTYPE IS CTXSYS.CONTEXT;


Oracle Fulltext Index Security II


Oracle Fulltext Index Security III


Oracle Fulltext Index Security IV


Oracle Fulltext Index Security V


Histograms


Oracle Histograms I

• A database optimizer tries to find the best execution plan for a SQL query by using table statistics, column statistics and index information.
• Due to an architecture flaw in the database optimizer concept, the statistic and index information is stored unencrypted outside of the table in a different table in the database. (DSGVO/GDPR?)
• Unencrypted copies of (sensitive) data are inserted in different system and non-system tables. (TDE?)
• Additional security bugs in the database optimizer make it possible to escalate privileges and to bypass auditing and other security functionality.
• The majority of database vendors (Oracle, SQL Server, MySQL, ...) are affected.


Oracle Histograms II

Security issues related to this topic:

• Creation of duplicate data without the knowledge of the data owner (Auto-Indexing, Statistics)
• Bypass of SELECT privilege (Read data without SELECT privilege) (Exploit for Oracle 18c/19c)
• Bypass Auditing of SELECT Sensitive Data
• Bypass Database Encryption Technology (e.g. Transparent Data Encryption, Oracle <=12.1 or non full-database encryption)
• Potential Issue with data anonymization (e.g. Data anonymized/deleted but not the histograms)
• Bypass VPD/Row Level Security


Oracle Histograms III

• Some database vendors/SW architects are aware that this architecture flaw exists and they are trying to hide clear text strings instead of fixing this issue (which is not so easy...).
• Oracle: Database views are hiding histogram data for certain users. Modifying the underlying SQL command (replace =1 with !=1) shows the data again.
• There are also partial hints on the Internet regarding some of the problems:

TDE dataleak on histograms (2015) *

Oracle 12.2 full database encryption (TDE) (2017) **

Keeping Secrets - Emerging Practice in Database Encryption (2018) ***

* https://community.oracle.com/blogs/oraclewizard/2015/07/07/tde-dataleak-on-histograms

** https://www.spotonoracle.com/?p=220

*** https://i.blackhat.com/eu-18/Wed-Dec-5/eu-18-White-Keeping-Secrets.pdf


Oracle Histograms IV

• Relational databases (automatically) create histograms (MSSQL: Statistics) for tables, containing “sample” data.
• The sample data is stored unencrypted (sometimes encoded (BASE64,...)) in a different place in the database.
• Additionally, the creation of histogram data can be controlled by the (privileged and unprivileged) user.

• Oracle: exec DBMS_STATS.GATHER_TABLE_STATS (ownname => '<OWNER>', tabname => '<TABLENAME>', method_opt => 'FOR COLUMNS <COLUMNNAME> size 2048');

• MySQL: ANALYZE TABLE <DBNAME>.<TABLENAME> UPDATE HISTOGRAM ON opening_line,author,title WITH 30 BUCKETS;

• SQL Server: CREATE STATISTICS statsecret3 ON <TABLENAME> (<COLUMNNAME>) ;

• SAP Hana: CREATE STATISTICS ON <TABLENAME> (<COLUMNNAME>) FOR DEFAULT STORAGE TYPE HISTOGRAM BUCKETS 1000;

• Sybase ASE: Update index statistics <DBNAME>.<TABLENAME>

• PostgreSQL: CREATE STATISTICS s1 (dependencies) on <COLUMNNAME> from <TABLENAME>; ANALYZE <TABLENAME>;


Summary


Summary

• Index/Fulltext Index and Histograms are powerful features
• Be careful with ANALYZE ANY, DBMS_STATS package and check who can use them
• Check your histogram tables for sensitive content
• Check the values of normal indexes (e.g. password columns, …)
• Check your full text indexes
• Check if you can use Full Tablespace Encryption
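
The checks in this summary, written as data-dictionary queries a DBA can run. This is an added example, not part of the original slides; the column-name pattern and the excluded schemas (SYS, SYSTEM) are assumptions to adapt to your own data model.

```sql
-- Added audit queries (not from the original slides). Run with DBA dictionary access.
-- The REGEXP pattern for "sensitive-looking" column names is an assumption.

-- 1. Who holds ANALYZE ANY (directly or through a role)?
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('ANALYZE ANY', 'ANALYZE ANY DICTIONARY')
ORDER  BY grantee;

-- 2. Who can execute the DBMS_STATS package?
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  table_name = 'DBMS_STATS'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 3. Sensitive-looking columns that carry a histogram or stored low/high boundaries.
--    Only flags are reported, so the audit output does not copy the values again.
SELECT s.owner, s.table_name, s.column_name, s.histogram, s.num_buckets,
       CASE WHEN s.low_value IS NOT NULL THEN 'YES' ELSE 'NO' END AS boundaries_stored,
       s.last_analyzed
FROM   dba_tab_col_statistics s
WHERE  s.owner NOT IN ('SYS', 'SYSTEM')
AND    REGEXP_LIKE(s.column_name, 'PASS|PWD|SECRET|TOKEN|SSN|IBAN|CARD', 'i')
AND    (s.histogram <> 'NONE' OR s.low_value IS NOT NULL)
ORDER  BY s.owner, s.table_name, s.column_name;

-- 4. Normal indexes built on sensitive-looking columns (e.g. password columns).
SELECT ic.index_owner, ic.index_name, i.index_type,
       ic.table_owner, ic.table_name, ic.column_name
FROM   dba_ind_columns ic
JOIN   dba_indexes i
       ON i.owner = ic.index_owner AND i.index_name = ic.index_name
WHERE  ic.table_owner NOT IN ('SYS', 'SYSTEM')
AND    REGEXP_LIKE(ic.column_name, 'PASS|PWD|SECRET|TOKEN|SSN|IBAN|CARD', 'i')
ORDER  BY ic.table_owner, ic.table_name, ic.index_name;

-- 5. Oracle Text (fulltext) indexes. An index owned by a schema other than the
--    table owner, as in the slide's system.myuserindex on secalert.myuser, stands out.
SELECT owner, index_name, table_owner, table_name, ityp_name,
       CASE WHEN owner <> table_owner THEN 'CROSS-SCHEMA' ELSE 'SAME-SCHEMA' END AS placement
FROM   dba_indexes
WHERE  index_type = 'DOMAIN'
AND    ityp_owner = 'CTXSYS'
ORDER  BY placement, owner, index_name;

-- 6a. TDE column-encrypted columns that also have optimizer statistics.
SELECT e.owner, e.table_name, e.column_name, e.encryption_alg,
       s.histogram, s.num_buckets
FROM   dba_encrypted_columns e
JOIN   dba_tab_col_statistics s
       ON  s.owner = e.owner
       AND s.table_name = e.table_name
       AND s.column_name = e.column_name
ORDER  BY e.owner, e.table_name, e.column_name;

-- 6b. Permanent tablespaces that are not encrypted (candidates for
--     full tablespace encryption).
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
WHERE  contents = 'PERMANENT'
AND    encrypted = 'NO'
ORDER  BY tablespace_name;
```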


Outlook 2021


Outlook 2021

• More PDBs
• More Auditing
• More Bugs (in rare Oracle Components)


Q & A


Thank you

Contact:

Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany