SpiderLabs Blog

Oracle SBC: Multiple Security Vulnerabilities Leading to Unauthorized Access and Denial of Service

Oracle Communications Session Border Controller (SBC) is one of the most popular products worldwide that helps service providers deliver trusted, carrier-grade, real-time communications such as VoLTE, VoIP, video conferencing and calling, presence, IM, and IPTV. Harold Zang, Senior Technical Security Specialist, and Jeremy Nunn, Security Specialist at Trustwave SpiderLabs, identified three vulnerabilities in the Oracle SBC.

Background

The Oracle SBC provides a ‘File Management’ function to application users which allows a low-privileged user to navigate the sub-folders and download files. For example, an application user can navigate to the ‘Logs’ folder to download and audit log files such as access.log. This function has a flawed implementation which led to the following security vulnerabilities.

Finding-1: Insecure Direct Object Reference (CVE-2022-21381)

The Oracle SBC application is affected by Insecure Direct Object References (IDOR), allowing an authenticated low-privileged user to download arbitrary files.

When an application user navigates to a sub-folder, such as the ‘Audit Logs’ sub-folder, by clicking the sub-folder link, the user's browser sends the following request to the SBC application via the POST method.

<?xml version='1.0' encoding='UTF-8'?> <acmeWebReq version="1.0" category=system object=dirListing type=list parentKey=AUDITLOGS ></acmeWebReq>

The SBC application allows users to modify the subfolder value (the "parentKey" parameter's value) and gain unauthorized access to other folders, such as the ‘BOOT’ folder.

Steps to reproduce:

  1. Navigate to the application using a web interception proxy as a low-privileged user.
  2. Click the "System" button to navigate to the ‘System Objects’ page.
  3. Click the "Audit Log" link under the "File Management" function and intercept the request to the application.
  4. Change the ‘parentKey’ parameter value from ‘AUDITLOGS’ to ‘BOOT’.

    <?xml version='1.0' encoding='UTF-8'?> <acmeWebReq version="1.0" category=system object=dirListing type=list parentKey=BOOT></acmeWebReq>

  5. Forward the request.
  6. Observe successful listing of the ‘BOOT’ folder.
  7. Open a terminal window and submit the following command to download the file.

    wget --header='Cookie: activeTabs=1; usersessionid=ValidSessionID' http://DeviceIPAddress/view/BOOT/bootFileName.bz

  8. Observe the successful file download.

Finding-2: Path Traversal Vulnerability (CVE-2022-21382)

The second vulnerability relates to downloading the configuration file. When an application user attempts to download the configuration file from the server to their local machine by clicking the file name, a window pops up in the user's browser and asks the user to provide a filename.

However, the input handling for this filename is improperly implemented. As a result, an application user can insert "../" into the filename, causing the configuration file to be written to an arbitrary directory on the remote server.

Steps to reproduce:

  1. Download the ‘local-account’ configuration file as a low-privileged user with a web interception proxy.
  2. Click the ‘Download’ button.
  3. Observe that a dialog box pops up instructing the user to specify the ‘Download file name’.
  4. Submit the following payload as the value and click ‘Download’.
    ../../boot/trustwave-test.csv
  5. Observe that the file has been written into the ‘boot’ folder on the remote server.

Finding-3: Denial-of-Service Vulnerability (CVE-2022-21383)

The third vulnerability also occurs in the ‘download file’ function. When an application user selects a file and clicks download, the application will send the following data to the SBC application via the HTTP POST method.

<?xml version='1.0' encoding='UTF-8'?><acmeWebReq version="1.0" category="system" object="download" type="list" parentKey="LOGS" clientfilename= acct.log></acmeWebReq>

Again, the user's input is improperly validated. If the application user modifies the “parentKey” parameter's value to a non-existent folder, such as ‘crash’, and the filename to a non-existent file, such as ‘etc’, one of the device's CPU cores is driven to 100% utilization.

Steps to reproduce:

  1. Navigate to the application using a web interception proxy as a low-privileged user.
  2. Leverage the Insufficient Authorization: Insecure Direct Object Reference vulnerability to navigate to the ‘Log’ page.
  3. Choose a log file and click ‘download’.
  4. Intercept the request and change the ‘parentKey’ parameter value from ‘LOGS’ to ‘crash’ and change the ‘clientfilename’ parameter value from ‘acct.log’ to ‘etc’.
    <?xml version='1.0' encoding='UTF-8'?><acmeWebReq version="1.0" category="system" object="download" type="list" parentKey="crash" clientfilename='etc'></acmeWebReq>
  5. Observe that the request times out and one CPU core's utilization increases to 100%.
  6. Send a standard log download request again and observe that the device is not able to execute the request.
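All three findings trace back to the same missing server-side checks on the acmeWebReq body: the ‘parentKey’ folder is never compared against what the user's role may browse, and the filename is never confined to a single path component. The following validator is an added example written for this post, not Oracle's code or the patch: the allowed folder keys, the base directory, and the assumption that the user-supplied download name travels in ‘clientfilename’ are all constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed reference checks for acmeWebReq dirListing/download bodies.
# ALLOWED_FOLDERS and BASE_DIR are assumptions for this example, not Oracle values.
ALLOWED_FOLDERS = {"AUDITLOGS", "LOGS"}   # keys a low-privileged user may browse
BASE_DIR = "/opt/sbc/files"               # hypothetical on-device file root


def validate_request(raw_xml: str) -> tuple[bool, str]:
    """Return (accepted, reason) for one acmeWebReq body.

    Rejects folder keys outside the role's allowlist (IDOR and the
    non-existent-folder DoS case), filenames that are not a single path
    component (path traversal), and any resolved path leaving its folder.
    """
    try:
        root = ET.fromstring(raw_xml)
    except ET.ParseError as exc:
        return False, f"malformed request: {exc}"
    if root.tag != "acmeWebReq" or root.get("category") != "system":
        return False, "unexpected request envelope"

    folder = root.get("parentKey", "")
    if folder not in ALLOWED_FOLDERS:          # authorize the object, not just the user
        return False, f"folder {folder!r} not permitted for this role"

    obj = root.get("object")
    if obj == "dirListing":
        return True, f"list {folder}"

    if obj == "download":
        name = root.get("clientfilename", "").strip()
        # Exactly one path component: no separators, no dot entries, no NUL bytes.
        if not name or name in (".", "..") or any(c in name for c in "/\\\x00"):
            return False, f"invalid filename {name!r}"
        folder_dir = posixpath.join(BASE_DIR, folder)
        target = posixpath.normpath(posixpath.join(folder_dir, name))
        # Belt-and-braces: the normalized path must still sit under its folder.
        if posixpath.commonpath([folder_dir, target]) != folder_dir:
            return False, "resolved path escapes folder"
        return True, target

    return False, f"unsupported object {obj!r}"
```

The same rules can be run over captured request bodies from a web proxy log to surface attempts to list folders outside a role's allowlist or to smuggle "../" into a download name.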

Trustwave SpiderLabs researchers identified three vulnerabilities in the Oracle SBC: an authenticated IDOR (CVE-2022-21381), a directory traversal (CVE-2022-21382), and a denial of service (CVE-2022-21383). Exploiting these vulnerabilities could allow an attacker to push unauthorized changes to Oracle SBC accessible data, including adding, deleting, or modifying that data, or denying access to that data altogether.

These vulnerabilities were reported to Oracle as part of Trustwave SpiderLabs' Responsible Disclosure process, and Oracle has released a patch for these issues. We recommend administrators of affected systems apply the patches as quickly as possible to maintain network security and resiliency.

Reference

Oracle Critical Patch Update Advisory - January 2022

Trustwave Advisory: TWSL2022-002
