Oracle Communications Session Border Controller (SBC) is one of the most popular products worldwide that helps service providers deliver trusted, carrier-grade, real-time communications such as VoLTE, VoIP, video conferencing and calling, presence, IM, and IPTV. Harold Zang, Senior Technical Security Specialist, and Jeremy Nunn, Security Specialist, both at Trustwave SpiderLabs, identified three vulnerabilities in the Oracle SBC.
The Oracle SBC provides a ‘File Management’ function to application users which allows a low privileged user to navigate the sub-folders and download files. For example, an application user can navigate to the ‘Logs’ folder to download/audit log files such as access.log. This function has a flawed implementation which led to the following security vulnerabilities.
The Oracle SBC application is affected by Insecure Direct Object References (IDOR), allowing an authenticated low privileged user to download arbitrary files.
When an application user navigates to a sub-folder, such as the ‘Audit Logs’ sub-folder, by clicking the sub-folder link, the user's browser sends the following request to the SBC application via the POST method.
<?xml version='1.0' encoding='UTF-8'?> <acmeWebReq version="1.0" category=system object=dirListing type=list parentKey=AUDITLOGS ></acmeWebReq>
The SBC application allows users to modify the subfolder value (the "parentKey" parameter's value) and gain unauthorized access to other folders, such as the ‘BOOT’ folder.
The second vulnerability relates to downloading the configuration file. When an application user attempts to download the configuration file from the server to their local machine by clicking the file name, a window pops up in the user's browser and asks the user to provide a filename.
However, the user input handling function is improperly implemented for the filename. As a result, an application user can insert "../" into the filename, allowing the configuration file to be written to an arbitrary directory on the remote server.
The third vulnerability also occurs in the ‘download file’ function. When an application user selects a file and clicks download, the application will send the following data to the SBC application via the HTTP POST method.
<?xml version='1.0' encoding='UTF-8'?><acmeWebReq version="1.0" category="system" object="download" type="list" parentKey="LOGS" clientfilename= acct.log></acmeWebReq>
Again, the user's input is improperly validated. If the application user modifies the “parentKey” parameter's value to a non-existing folder, such as ‘crash’, and the filename to a non-existing file, such as ‘etc’, one of the device's CPU cores will be driven to one hundred percent load.
Observe that the device is not able to execute the request.
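An added example, not code from Oracle or the Trustwave advisory, showing the server-side checks whose absence the three findings describe: per-request authorization of the folder key, a single-component file name, and fast rejection of unknown folders and missing files. The role names, the key-to-directory layout and the function names are assumptions.

```python
import tempfile
from pathlib import Path

# Keys LOGS, AUDITLOGS, BOOT are from the write-up; roles and policy are assumed.
FOLDER_POLICY = {"LOGS": {"user", "admin"}, "AUDITLOGS": {"user", "admin"}, "BOOT": {"admin"}}

class RequestRejected(Exception):
    """Raised before any file-system work is done for a bad request."""

def resolve_request(role, parent_key, filename, root, must_exist=True):
    """Return the validated path for a file request or raise RequestRejected."""
    allowed_roles = FOLDER_POLICY.get(parent_key)
    if allowed_roles is None:                      # unknown key such as 'crash'
        raise RequestRejected("unknown folder key")
    if role not in allowed_roles:                  # authorization on every request
        raise RequestRejected("role not authorized for folder")
    # The name must be a single path component: no separators, '.' or '..'.
    if not filename or filename in (".", "..") or any(c in filename for c in "/\\\x00"):
        raise RequestRejected("invalid file name")
    folder = (Path(root) / parent_key.lower()).resolve()   # assumed directory layout
    target = (folder / filename).resolve()
    if target.parent != folder:                    # e.g. a symlink pointing elsewhere
        raise RequestRejected("path escapes folder")
    if must_exist and not target.is_file():        # fail fast instead of searching
        raise RequestRejected("no such file")
    return target

def demo():
    """Run constructed requests against a temporary tree and return the outcomes."""
    cases = {  # name: (role, parentKey, file name, must_exist) - all constructed
        "read log": ("user", "LOGS", "acct.log", True),
        "read boot": ("user", "BOOT", "acct.log", True),
        "save with traversal": ("user", "LOGS", "../../x", False),
        "unknown folder": ("user", "crash", "etc", True),
        "missing file": ("user", "LOGS", "etc", True),
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for key in FOLDER_POLICY:
            (Path(root) / key.lower()).mkdir()
        (Path(root) / "logs" / "acct.log").write_text("constructed sample\n")
        for name, (role, key, fname, exist) in cases.items():
            try:
                resolve_request(role, key, fname, root, exist)
                results[name] = "allowed"
            except RequestRejected as err:
                results[name] = str(err)
    return results
```

Passing `must_exist=False` covers the save-as case from the second finding, where the target file does not exist yet but must still stay inside its folder.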
Trustwave SpiderLabs researchers identified three vulnerabilities in the Oracle SBC. These include authenticated IDOR (CVE-2022-21381), Directory Traversal (CVE-2022-21382), and DoS vulnerabilities (CVE-2022-21383). Exploiting these vulnerabilities could allow an attacker to push unauthorized changes to Oracle SBC accessible data, including adding, deleting, or modifying that data, or denying access to that data altogether.
These vulnerabilities were reported to Oracle as part of Trustwave SpiderLabs’s Responsible Disclosure process and Oracle has released a patch for these issues. We recommend administrators of affected systems apply patches as quickly as possible to maintain network security and resiliency.
Oracle Critical Patch Update Advisory - January 2022
Trustwave Advisory: TWSL2022-002