Oracle SBC: Multiple Security Vulnerabilities Leading to Unauthorized Access and Denial of Service

Oracle Communications Session Border Controller (SBC) is one of the most popular products worldwide, helping service providers deliver trusted, carrier-grade, real-time communications such as VoLTE, VoIP, video conferencing, calling, presence, IM, and IPTV. Harold Zang, Senior Technical Security Specialist, and Jeremy Nunn, Security Specialist at Trustwave SpiderLabs, identified three vulnerabilities in the Oracle SBC.

The Oracle SBC provides a ‘File Management’ function to application users, allowing low-privileged users to navigate sub-folders and download files. For instance, an application user can navigate to the ‘Logs’ folder to download or audit log files like access.log. This function has a flawed implementation, leading to the following security vulnerabilities.

The Oracle SBC application is affected by Insecure Direct Object References (IDOR), allowing an authenticated low-privileged user to download arbitrary files.

When an application user navigates to a sub-folder, such as the ‘Audit Logs’ sub-folder, by clicking the link, the user’s browser sends the following request to the SBC application via the POST method.

XML

<?xml version='1.0' encoding='UTF-8'?>
<acmeWebReq version="1.0" category=system object=dirListing type=list parentKey=AUDITLOGS >
</acmeWebReq>

The SBC application allows users to modify the subfolder value (the ‘parentKey’ parameter’s value) and gain unauthorized access to other folders, such as the ‘BOOT’ folder.

  1. Navigate to the application using a web interception proxy as a low-privileged user.
  2. Click the “System” button to access the “System Objects” page.
  3. Under the “File Management” function, click the “Audit Log” link, and intercept the request to the application.
  4. In the intercepted request, change the value of the ‘parentKey’ parameter from “AUDITLOGS” to “BOOT”.

XML

<?xml version='1.0' encoding='UTF-8'?>
<acmeWebReq version="1.0" category=system object=dirListing type=list parentKey=BOOT>
</acmeWebReq>
  1. Forward the modified request.
  2. Observe the successful listing of the ‘BOOT’ folder.
  3. Open a terminal window and execute the following command to download the file.

Bash

wget --header='Cookie: activeTabs=1; usersessionid=ValidSessionID' http://DeviceIPAddress/view/BOOT/bootFileName.bz
  1. Observe the successful file download.

The second vulnerability pertains to downloading the configuration file. When an application user tries to download the configuration file from the server to their local machine by clicking the file name, a window pops up in the user’s browser, prompting them to provide a filename.

However, the function handling user input for the filename is improperly implemented. Consequently, an application user can insert “../” into the filename, enabling the configuration file to be written to an arbitrary directory on the remote server.

  1. Download the ’local-account’ configuration file as a low-privileged user with a web interception proxy
  2. Click the ‘Download’ button.
  3. Note that a dialogue box pops up instructing the user to specify the ‘Download file name’.
  4. Enter the following payload as the value and click ‘Download’. ../../boot/trustwave-test.csv
  5. Observe that the file has been written into the ‘boot’ folder on the remote server.

The third vulnerability also occurs in the ‘download file’ function. When an application user selects a file and clicks download, the application sends the following data to the SBC application via the HTTP POST method.

XML

<?xml version='1.0' encoding='UTF-8'?>
<acmeWebReq version="1.0" category="system" object="download" type="list" parentKey="LOGS" clientfilename= acct.log>
</acmeWebReq>

Once again, the user’s input is improperly validated. If the application user modifies the value of the ‘parentKey’ parameter to a non-existing folder, such as ‘crash’, and the filename to a non-existing file, such as ’etc’, one of the device’s CPU cores will overload at 100%.

  1. Navigate to the application using a web interception proxy as a low-privileged user.
  2. Exploit the Insufficient Authorization: Insecure Direct Object Reference vulnerability to navigate to the ‘Log’ page.
  3. Select a log file and click ‘download’.
  4. Intercept the request and change the value of the ‘parentKey’ parameter from ‘LOGS’ to ‘crash’, and change the value of the ‘clientfilename’ parameter from ‘acct.log’ to ’etc’.

XML

<?xml version='1.0' encoding='UTF-8'?>
<acmeWebReq version="1.0" category="system" object="download" type="list" parentKey="crash" clientfilename='etc'>
</acmeWebReq>
  1. Observe that the request times out and one of the CPU cores’ utilization increases to 100%.
  2. Resend a standard log download request.
  3. Observe that the device is not able to execute the request.

Trustwave SpiderLabs researchers identified three vulnerabilities in the Oracle SBC. These include authenticated IDOR (CVE-2022-21381), Directory Traversal (CVE-2022-21382), and DOS vulnerabilities (CVE-2022-21383). Exploiting these vulnerabilities could allow an attacker to push unauthorized changes to Oracle SBC accessible data, including adding, deleting, or modifying that data, or denying access to that data altogether.

These vulnerabilities were reported to Oracle as part of Trustwave SpiderLabs’s Responsible Disclosure process and Oracle has released a patch for these issues. We recommend administrators of affected systems apply patches as quickly as possible to maintain network security and resiliency.

Oracle Critical Patch Update Advisory - January 2022