DOAG 2020 slide transcript (posted 19-Mar-2021)

Best of Oracle Security 2020

What happened in 2020?

Introduction

What will be shown in the next 45 minutes?

• Oracle Security Patches
• Oracle Index / Fulltext Index / Histograms
• How Oracle violates GDPR/DSGVO out of the box
• How to bypass Auditing, VPD / RAS, Database Vault
• Outlook 2021

Database Vulnerabilities and CPU

More security bugs, and the upward trend continues (from 12 in 2018 to 27 in 2019 to 144 in 2020)

Oracle Vulnerabilities 2020

Number of vulnerabilities in the Oracle database increased again

• 144 findings in 2020 (2019: 27, 2018: 12, 2017: 14, 2016: 30, 2015: 29, 2014: 43, 2013: 13, 2012: 17)
• Number includes security bugs from the footnotes
• 11 remote exploitable bugs

• January 2020 CPU (17 Vulnerabilities – 4 remote)

• April 2020 CPU (14 Vulnerabilities – 2 remote)

• July 2020 CPU (49 Vulnerabilities – 1 remote)

• October 2020 CPU (64 Vulnerabilities – 5 remote)

Vulnerabilities in Footnotes (Oct 2020): chart slide, not reproduced in the transcript

Jan 2020 - Nov 2020

January 2020

January 2020 CPU (https://www.oracle.com/security-alerts/cpujan2020.html)

17 security fixes (3 remote exploitable)

• 5 RDBMS (CVSS3 7.7, 7.5, 4.1, 3.9, 2.4)
• 1 Java VM (CVSS3 7.5)
• 1 Workload Manager (CVSS3 7.5)
• 3 Database Gateway for ODBC (CVSS3 5.9, 5.0, 3.3)
• 2 Oracle Applications for DBA (CVSS3 3.9)

Credited to Alexander Kornbrust of Red Database Security: CVE-2020-2511, CVE-2020-2516, CVE-2020-2527, CVE-2020-2572, CVE-2020-2608, CVE-2020-2609, CVE-2020-2610, CVE-2020-2611, CVE-2020-2612, CVE-2020-2613, CVE-2020-2614, CVE-2020-2615, CVE-2020-2616, CVE-2020-2617, CVE-2020-2618, CVE-2020-2619, CVE-2020-2620, CVE-2020-2621, CVE-2020-2622, CVE-2020-2623, CVE-2020-2624, CVE-2020-2625, CVE-2020-2626, CVE-2020-2628, CVE-2020-2629, CVE-2020-2630, CVE-2020-2631, CVE-2020-2632, CVE-2020-2633, CVE-2020-2634, CVE-2020-2635, CVE-2020-2636, CVE-2020-2637, CVE-2020-2638, CVE-2020-2639, CVE-2020-2640, CVE-2020-2641, CVE-2020-2642, CVE-2020-2643, CVE-2020-2644, CVE-2020-2645

CVE-2020-2511 (CVSS3 7.7): simple SQL can crash Oracle (see Best of Oracle Security 2019)

CVE-2020-2527 (CVSS3 4.1): explanation later

CVE-2020-2516 (CVSS3 2.4): CREATE ANY MATERIALIZED VIEW does not trigger unified auditing. Similar bug to CREATE TABLE AS SELECT ...

Sample:

CREATE MATERIALIZED VIEW emp_mv
BUILD IMMEDIATE REFRESH FORCE ON DEMAND
AS SELECT * FROM emp@db1.world;

Bug details:
Subject: CREATE ANY MATERIALIZED VIEW DOES NOT TRIGGER UNIFIED AUDIT SELECT
CVSSv3.0 Base Score: 2.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Credited As: Alexander Kornbrust of Red Database Security
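The following is an added test harness, not code from the slides, for checking whether a unified audit policy on SELECT records the read that a materialized view build performs. It assumes a DBA user who also holds the AUDIT_ADMIN role and the CREATE ANY MATERIALIZED VIEW privilege, a test schema SECALERT, and a local table instead of the database link emp@db1.world used on the slide; table and rows are constructed test data.

```sql
-- Added example: does a SELECT audit policy fire for CREATE MATERIALIZED VIEW?
-- Assumptions: run as a DBA with AUDIT_ADMIN and CREATE ANY MATERIALIZED VIEW,
-- schema SECALERT exists, Oracle 12c+ with unified auditing enabled.
CREATE TABLE secalert.emp (empno NUMBER, ename VARCHAR2(30), sal NUMBER);
INSERT INTO secalert.emp VALUES (1, 'alice', 1000);   -- constructed test data
INSERT INTO secalert.emp VALUES (2, 'bob',   2000);
COMMIT;

-- 1. Audit every SELECT on SECALERT.EMP, by any user.
CREATE AUDIT POLICY sel_emp_pol
  ACTIONS SELECT ON secalert.emp;
AUDIT POLICY sel_emp_pol;

-- 2. Control: a plain SELECT must produce one audit record.
SELECT COUNT(*) FROM secalert.emp;

-- 3. The statement from the slide, against the local table. The build reads
--    every row of SECALERT.EMP and copies it into the MV container table.
CREATE MATERIALIZED VIEW secalert.emp_mv
  BUILD IMMEDIATE REFRESH FORCE ON DEMAND
  AS SELECT * FROM secalert.emp;

-- 4. Make queued audit records visible, then compare what was recorded.
EXEC SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

SELECT event_timestamp, dbusername, action_name, object_schema, object_name,
       SUBSTR(sql_text, 1, 80) AS sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%SEL_EMP_POL%'
   AND object_name = 'EMP'
 ORDER BY event_timestamp;
-- Expected once the January 2020 CPU is applied: a SELECT record for step 2
-- and one for the read during the MV build in step 3.
-- On a database affected by CVE-2020-2516 only the step-2 record appears,
-- although the MV now holds a full copy of the audited table.

-- 5. Clean up.
DROP MATERIALIZED VIEW secalert.emp_mv;
NOAUDIT POLICY sel_emp_pol;
DROP AUDIT POLICY sel_emp_pol;
DROP TABLE secalert.emp PURGE;
```

The same harness works for the CREATE TABLE AS SELECT case the slide mentions: replace step 3 with a CTAS and check again whether the base-table read shows up in UNIFIED_AUDIT_TRAIL.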

The rest of my findings affected Cloud Control:

S1205296 / CVE-2020-2608
Subject: DBA USERS CAN BYPASS SYS.USER$ RESTRICTION AS SYSMAN
CVSSv3.0 Base Score: 6.0
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
Credited As: Alexander Kornbrust of Red Database Security

S1207225 / CVE-2020-2609
Subject: PACKAGE 2 of 42 ECM_CMP_RSLT PRIV ESCALATION VIA DBMS_ASSERT NOT FULLY QUALIFIED
CVSSv3.0 Base Score: 6.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Credited As: Alexander Kornbrust of Red Database Security

S1207239 / CVE-2020-2610
Subject: PACKAGE 3 of 42 ECM_COMPARISON PRIV ESCALATION VIA DBMS_ASSERT NOT FULLY QUALIFIED
CVSSv3.0 Base Score: 6.0
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
Credited As: Alexander Kornbrust of Red Database Security

S1207241 / CVE-2020-2612
Subject: PACKAGE 5 of 42 ECM_WEBSVC_UTIL PRIV ESCALATION VIA DBMS_ASSERT NOT FULLY QUALIFIED
CVSSv3.0 Base Score: 6.0
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
Credited As: Alexander Kornbrust of Red Database Security
…

February 2020

Nothing

March 2020

Nothing special happened

April 2020

April 2020 CPU (https://www.oracle.com/security-alerts/cpuapr2020.html)

14 security fixes (2 remote exploitable)

• 1 Core RDBMS (CVSS3 6.4)
• 1 Java VM (CVSS3 8.0)
• 1 Oracle Multimedia (CVSS3 8.0)
• 1 WLM (Apache Tomcat) (CVSS3 7.5)
• 1 Oracle Text (CVSS3 6.3)
• 2 Oracle APEX (CVSS3 6.1, 4.6)
• 1 RDBMS Optimizer (CVSS3 2.4)

CVE-2020-2737 (CVSS3 6.4)

May 2020

None

June 2020

None

July 2020

July 2020 CPU (https://www.oracle.com/security-alerts/cpujul2020.html)

49 security fixes (1 remote exploitable)

• 1 Oracle MapViewer (CVSS 8.8)
• 1 Java VM (CVSS3 8.0)
• 1 Core RDBMS (CVSS 7.2)
• 8 APEX (CVSS3 5.4)
• 1 Data Pump (CVSS3 6.6)

CVE-2020-2984 (CVSS3 7.1): as shown in Best of Oracle Security 2019

August 2020

None

September 2020

Nothing special

October 2020

October 2020 CPU (https://www.oracle.com/security-alerts/cpuoct2020.html)

10 security fixes (2 remote exploitable)

• 1 Java VM (CVSS 6.8, remote)
• 1 Jackson Databind (CVSS 5.7)
• 7 Core RDBMS (CVSS 5.0-2.3)

Credited to Alexander Kornbrust of Red Database Security: CVE-2020-14742, CVE-2020-14901

CVE-2020-14901 (CVSS3 4.9): details soon
Subject: ISSUE 3 OF 7: ANALYZE ANY IS GRANTED TO TOO MANY GRANTEES
CVSSv3.1 Base Score: 4.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Credited As: Alexander Kornbrust of Red Database Security

CVE-2020-14742 (CVSS3 2.7): details soon
Subject: ALL_USERS/DBA_USERS/CDB_USERS/USER_USERS DO NOT SHOW THE USER BUT IT CAN STILL BE USED
CVSSv3.1 Base Score: 2.7
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Credited As: Alexander Kornbrust of Red Database Security

November 2020

DOAG 2020

Reference: https://mahmoudhatem.wordpress.com/2017/11/17/injecting-a-backdoor-in-an-oracle-database/#more-8100

And now the special topic: Security & Indexes & Histograms

Some of my database security research:

• DSGVO / GDPR violation of Oracle
• Bypass TDE
• Bypass Database Vault
• Bypass Auditing
• Bypass VPD

This research affects other database vendors (Microsoft, SAP, ...) as well. This presentation covers only Oracle.

Oracle Index

Oracle Index Security I

Idea from Gunther Pipperr at the DOAG party 2018. All relational databases support indexes. An index is normally created by the DBA or a developer; in some cases the system creates indexes automatically (Oracle Exadata Auto-Index feature). To create an index the database has to read the entire table. The boundaries of each index (its low and high value) are normally stored unencrypted in a different place, i.e. in a separate table in the database.

Oracle Index Security II

• CREATE INDEX SECALERT1 ON myuser (PASSWORD ASC);
• The index high/low value is stored in the table SYS.HIST_HEAD$
• The views ALL_TAB_COLUMNS / DBA_TAB_COLUMNS contain the high/low value as well (LOW_VALUE / HIGH_VALUE columns)

Oracle Index Security - Exploit

(three screenshot slides; not reproduced in the transcript)
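As an added example (not the exploit shown on the slides), the following script shows where the smallest and largest value of an indexed password column end up, and how a dictionary reader retrieves them without any privilege on the table. It assumes a test schema SECALERT, a DBA session, and constructed rows; the explicit DBMS_STATS call is an assumption made so the demo does not depend on version-specific automatic statistics.

```sql
-- Added example: low/high column values leak into the data dictionary.
-- Assumptions: schema SECALERT exists, session is a DBA; all data is constructed.
CREATE TABLE secalert.myuser (
  username VARCHAR2(30),
  password VARCHAR2(60)          -- clear text on purpose, to make the leak visible
);
INSERT INTO secalert.myuser VALUES ('alice', 'Alpha-Secret-01');
INSERT INTO secalert.myuser VALUES ('bob',   'Zulu-Secret-99');
INSERT INTO secalert.myuser VALUES ('carol', 'Mike-Secret-42');
COMMIT;

-- The statement from the slide. Building the index reads the whole table;
-- gathering statistics afterwards records each column's LOW_VALUE/HIGH_VALUE
-- (SIZE 1 = no histogram, only the two boundary values are kept).
CREATE INDEX secalert.secalert1 ON secalert.myuser (password ASC);
EXEC DBMS_STATS.GATHER_TABLE_STATS('SECALERT', 'MYUSER', method_opt => 'FOR ALL COLUMNS SIZE 1');

-- 1. Dictionary view: LOW_VALUE/HIGH_VALUE are RAW, so cast them back.
--    Reading DBA_TAB_COLUMNS needs SELECT ANY DICTIONARY (or SELECT_CATALOG_ROLE),
--    not SELECT on SECALERT.MYUSER, and no audit policy on that table fires.
SELECT column_name,
       UTL_RAW.CAST_TO_VARCHAR2(low_value)  AS low_value,
       UTL_RAW.CAST_TO_VARCHAR2(high_value) AS high_value
  FROM dba_tab_columns
 WHERE owner = 'SECALERT' AND table_name = 'MYUSER'
   AND data_type IN ('VARCHAR2', 'CHAR');
-- PASSWORD   Alpha-Secret-01   Zulu-Secret-99
-- Two of the three passwords are readable from the dictionary alone.

-- 2. Base table behind the view: SYS.HIST_HEAD$ (LOWVAL/HIVAL), readable by
--    anyone with SELECT ANY TABLE on SYS objects or O7_DICTIONARY_ACCESSIBILITY.
SELECT o.name AS table_name, c.name AS column_name,
       UTL_RAW.CAST_TO_VARCHAR2(h.lowval) AS low_value,
       UTL_RAW.CAST_TO_VARCHAR2(h.hival)  AS high_value
  FROM sys.hist_head$ h
  JOIN sys.obj$ o ON o.obj# = h.obj#
  JOIN sys.col$ c ON c.obj# = h.obj# AND c.intcol# = h.intcol#
 WHERE o.name = 'MYUSER';

-- 3. Inventory check for the summary's advice "check the values of normal
--    indexes": indexed character columns whose names suggest secrets.
SELECT ic.table_owner, ic.table_name, ic.column_name, ic.index_name,
       UTL_RAW.CAST_TO_VARCHAR2(tc.low_value)  AS low_value,
       UTL_RAW.CAST_TO_VARCHAR2(tc.high_value) AS high_value
  FROM dba_ind_columns ic
  JOIN dba_tab_columns tc
    ON tc.owner = ic.table_owner AND tc.table_name = ic.table_name
   AND tc.column_name = ic.column_name
 WHERE tc.data_type IN ('VARCHAR2', 'CHAR')
   AND REGEXP_LIKE(ic.column_name, 'PASS|PWD|SECRET|TOKEN|KEY', 'i')
   AND ic.table_owner NOT IN ('SYS', 'SYSTEM');

-- Clean up.
DROP TABLE secalert.myuser PURGE;
```

Oracle keeps only a 32-byte prefix of string values in LOW_VALUE/HIGH_VALUE, so long values are truncated, but for typical password or token columns the prefix is the whole secret. The dictionary query in step 1 is also the check to run on production: any row returned is a copy of data that TDE, VPD and SELECT auditing on the base table do not cover.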

Oracle Fulltext Index

Oracle Fulltext Index Security I

The majority of databases support full text indexes. These full text indexes are normally implemented as an additional table containing the entire content of the text column. This full text content can be accessed without accessing the original table. Some databases do not audit the SELECT performed during index creation. Full text indexes can therefore be used to bypass audit systems (similar to Oracle materialized views).

• Oracle: CREATE INDEX system.myuserindex ON secalert.myuser(password) INDEXTYPE IS CTXSYS.CONTEXT;

Oracle Fulltext Index Security II - V

(screenshot slides; not reproduced in the transcript)
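The following added example (not from the slides) shows the support tables an Oracle Text CONTEXT index creates and how their content exposes the indexed column to readers of the index owner's schema. It assumes Oracle Text is installed, a test schema SECALERT with a table MYUSER(PASSWORD) exists, and the index is created in the SYSTEM schema exactly as on the slide.

```sql
-- Added example: reading a column through the Oracle Text index tables.
-- Assumptions: Oracle Text installed, SECALERT.MYUSER(PASSWORD) exists,
-- session is a DBA. The index owner (SYSTEM) becomes owner of the
-- DR$<INDEX_NAME>$I/$K/$N/$R support tables.
CREATE INDEX system.myuserindex ON secalert.myuser (password)
  INDEXTYPE IS CTXSYS.CONTEXT;

-- 1. The support tables are ordinary heap tables in the index owner's schema.
SELECT table_name
  FROM dba_tables
 WHERE owner = 'SYSTEM' AND table_name LIKE 'DR$MYUSERINDEX$%';
-- DR$MYUSERINDEX$I  token table        DR$MYUSERINDEX$K  docid -> rowid
-- DR$MYUSERINDEX$N  pending deletes    DR$MYUSERINDEX$R  rowid map

-- 2. $I holds every token of the indexed column in clear text. Whoever can
--    read SYSTEM's tables gets the values without SELECT on SECALERT.MYUSER
--    and without a unified-audit SELECT record for that table.
--    Note: the default BASIC_LEXER uppercases and splits on punctuation, so
--    'Alpha-Secret-01' is stored as the tokens ALPHA, SECRET and 01; a
--    password without separators is stored as a single token.
SELECT token_text, token_type, token_count
  FROM system.dr$myuserindex$i
 ORDER BY token_text;

-- 3. $K maps Oracle Text's internal DOCID to the base-table ROWID; joining
--    TOKEN_FIRST gives the first row that contains each token.
SELECT k.textkey AS base_rowid, i.token_text
  FROM system.dr$myuserindex$i i
  JOIN system.dr$myuserindex$k k ON k.docid = i.token_first
 ORDER BY 1;

-- 4. Inventory check for the summary's advice "check your full text indexes":
--    every CONTEXT index, the column it copies, and who owns the copy.
SELECT i.owner AS index_owner, i.index_name, i.table_owner, i.table_name,
       ic.column_name
  FROM dba_indexes i
  JOIN dba_ind_columns ic
    ON ic.index_owner = i.owner AND ic.index_name = i.index_name
 WHERE i.ityp_owner = 'CTXSYS' AND i.ityp_name = 'CONTEXT'
 ORDER BY 1, 2;

-- Clean up.
DROP INDEX system.myuserindex;
```

Two points to take from the inventory query: an index owner different from the table owner (SYSTEM here) moves the copy of the data into a schema with a different set of readers, and a CONTEXT index on a column protected by VPD or column-level TDE gives a second, unprotected path to the same values.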

Histograms

Oracle Histograms I

A database optimizer tries to find the best execution plan for a SQL query by using table statistics, column statistics and index information. Due to an architecture flaw in the database optimizer concept, the statistic and index information is stored unencrypted outside of the table, in a different table in the database (DSGVO/GDPR?). Unencrypted copies of (sensitive) data are inserted into different system and non-system tables (TDE?). Additional security bugs in the database optimizer allow privilege escalation and bypassing auditing and other security functionality. The majority of database vendors (Oracle, SQL Server, MySQL, ...) are affected.

Oracle Histograms II

Security issues related to this topic:

• Creation of duplicate data without the knowledge of the data owner (auto-indexing, statistics)
• Bypass of the SELECT privilege (read data without SELECT privilege) (exploit for Oracle 18c/19c)
• Bypass auditing of SELECT on sensitive data
• Bypass database encryption technology (e.g. Transparent Data Encryption, Oracle <= 12.1 or non full-database encryption)
• Potential issue with data anonymization (e.g. data anonymized/deleted but not the histograms)
• Bypass VPD / row level security

Oracle Histograms III

Some database vendors/SW architects are aware that this architecture flaw exists and try to hide clear text strings instead of fixing the issue (which is not so easy...). Oracle: database views hide histogram data for certain users; modifying the underlying SQL command (replace =1 with !=1) shows the data again. There are also partial hints on the Internet regarding some of the problems:

• TDE dataleak on histograms (2015): https://community.oracle.com/blogs/oraclewizard/2015/07/07/tde-dataleak-on-histograms
• Oracle 12.2 full database encryption (TDE) (2017): https://www.spotonoracle.com/?p=220
• Keeping Secrets - Emerging Practice in Database Encryption (2018): https://i.blackhat.com/eu-18/Wed-Dec-5/eu-18-White-Keeping-Secrets.pdf

Oracle Histograms IV

Relational databases (automatically) create histograms (MSSQL: statistics) for tables, containing "sample" data. The sample data is stored unencrypted (sometimes encoded, e.g. BASE64) in a different place in the database. Additionally, the creation of histogram data can be triggered by the (privileged and unprivileged) user:

• Oracle: exec DBMS_STATS.GATHER_TABLE_STATS ( ownname => '<OWNER>', tabname => '<TABLENAME>', method_opt => 'FOR COLUMNS <COLUMNNAME> size 2048' );
• MySQL: ANALYZE TABLE <DBNAME>.<TABLENAME> UPDATE HISTOGRAM ON opening_line, author, title WITH 30 BUCKETS;
• SQL Server: CREATE STATISTICS statsecret3 ON <TABLENAME> (<COLUMNNAME>);
• SAP HANA: CREATE STATISTICS ON <TABLENAME> (<COLUMNNAME>) FOR DEFAULT STORAGE TYPE HISTOGRAM BUCKETS 1000;
• Sybase ASE: update index statistics <DBNAME>.<TABLENAME>
• PostgreSQL: CREATE STATISTICS s1 (dependencies) ON <COLUMN1>, <COLUMN2> FROM <TABLENAME>; ANALYZE <TABLENAME>; (extended statistics of kind dependencies need at least two columns)
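As an added example for the Oracle case (not code from the slides), the script below builds a histogram on a sensitive column with the DBMS_STATS call from the list, reads the copied values back from the dictionary, and then runs the two checks the summary asks for: who holds ANALYZE ANY, and which histograms already contain sensitive-looking columns. It assumes a test schema SECALERT, a DBA session, and constructed rows; the column-name pattern in the last query is a heuristic to adapt.

```sql
-- Added example: histogram endpoints are a plain-text copy of column values.
-- Assumptions: schema SECALERT exists, session is a DBA, Oracle 12c+; all
-- rows are constructed and the IBAN-like strings are not real account numbers.
CREATE TABLE secalert.customer (
  id   NUMBER,
  iban VARCHAR2(34)
);
INSERT INTO secalert.customer VALUES (1, 'DE00TEST000000000001');
INSERT INTO secalert.customer VALUES (2, 'DE00TEST000000000002');
INSERT INTO secalert.customer VALUES (3, 'DE00TEST000000000003');
COMMIT;

-- The statement from the list with a concrete column. SIZE 2048 asks for up
-- to 2048 buckets; with fewer distinct values Oracle builds a frequency
-- histogram with one endpoint per distinct value, i.e. every value is copied.
-- Gathering stats on another schema's table needs ANALYZE ANY, not SELECT.
BEGIN
  DBMS_STATS.GATHER_TABLE_STATS(
    ownname    => 'SECALERT',
    tabname    => 'CUSTOMER',
    method_opt => 'FOR COLUMNS IBAN SIZE 2048');
END;
/

-- 1. Read the copies back from a dictionary view. SELECT ANY DICTIONARY is
--    enough; no privilege on SECALERT.CUSTOMER is used and no audit policy on
--    that table fires. ENDPOINT_ACTUAL_VALUE holds the string form (12c+ keeps
--    it for string columns; older releases fill it only when ENDPOINT_VALUE
--    alone cannot tell the endpoints apart, as with these shared prefixes).
SELECT endpoint_number, endpoint_repeat_count, endpoint_actual_value
  FROM dba_tab_histograms
 WHERE owner = 'SECALERT' AND table_name = 'CUSTOMER' AND column_name = 'IBAN'
 ORDER BY endpoint_number;
-- One row per distinct IBAN, i.e. the full content of the column.

-- 2. Check: who can create such copies of other schemas' data?
--    (DBMS_STATS itself is executable by PUBLIC by default; the privilege that
--    matters for foreign tables is ANALYZE ANY, cf. CVE-2020-14901 above.)
SELECT grantee, admin_option,
       CASE WHEN grantee IN (SELECT role FROM dba_roles) THEN 'ROLE' ELSE 'USER' END AS kind
  FROM dba_sys_privs
 WHERE privilege = 'ANALYZE ANY'
 ORDER BY kind, grantee;

-- 3. Check: existing histograms on sensitive-looking columns. A column without
--    a histogram still has two endpoint rows (min and max), so COUNT(*) > 2
--    means a real histogram with more than the boundary values.
SELECT owner, table_name, column_name, COUNT(*) AS endpoints
  FROM dba_tab_histograms
 WHERE owner NOT IN ('SYS', 'SYSTEM', 'CTXSYS', 'XDB', 'MDSYS', 'ORDSYS',
                     'WMSYS', 'DBSNMP', 'OUTLN', 'AUDSYS')
   AND REGEXP_LIKE(column_name, 'PASS|PWD|SECRET|IBAN|SSN|CREDIT|CARD|TOKEN|KEY', 'i')
 GROUP BY owner, table_name, column_name
HAVING COUNT(*) > 2
 ORDER BY 1, 2, 3;

-- Clean up (dropping the table also drops its statistics).
DROP TABLE secalert.customer PURGE;
```

Deleting or anonymising rows does not touch the histogram until statistics are regathered, which is the anonymisation problem listed above; DBMS_STATS.DELETE_COLUMN_STATS on the affected column removes the endpoints explicitly. The underlying SYS.HISTGRM$ table holds the same endpoints for anyone who can read SYS-owned objects, so the dictionary view is the convenient path, not the only one.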

Summary

• Index, fulltext index and histograms are powerful features
• Be careful with ANALYZE ANY and the DBMS_STATS package, and check who can use them
• Check your histogram tables for sensitive content
• Check the values of normal indexes (e.g. password columns, ...)
• Check your full text indexes
• Check if you can use full tablespace encryption

Outlook 2021

• More PDBs
• More auditing
• More bugs (in rare Oracle components)

Q & A

Thank you. Contact:

Red-Database-Security GmbH, Eibenweg 42, D-63150 Heusenstamm, Germany