CVE-2024-21184 - How Oracle Database RDBMS Security Can Be Taken Over via the XS_DIAG Privilege

Date: June 2024
Author: [YourNameHere]

What Is CVE-2024-21184?

CVE-2024-21184 is a critical security vulnerability in the Oracle Database Server, specifically in the RDBMS Security component. It affects Oracle Database versions 19.3 through 19.23. It carries a CVSS 3.1 Base Score of 7.2 (High severity), reflecting a high impact to the confidentiality, integrity, and availability of affected systems.

In simple terms:
- If an attacker already has certain powerful privileges (Execute on SYS.XS_DIAG) and can reach your Oracle Database over the network, they can *take over* the database’s security mechanisms.

Who Is at Risk?

Anyone running Oracle Database versions 19.3 to 19.23. If any of your users or applications hold EXECUTE on SYS.XS_DIAG and the database is reachable over the network, you're exposed.

CVSS Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Original Advisory

See Oracle’s own advisory for CVE-2024-21184 here:
- Oracle CPU Advisory - April 2024
- NVD Entry - CVE-2024-21184

About the XS_DIAG Privilege

The SYS.XS_DIAG package is typically used for diagnostics by Oracle administrators. If a privileged attacker can execute procedures or functions in this package, they may be able to trigger insecure code that interacts with core security mechanisms, potentially escalating their own privileges or manipulating sensitive security settings.

The attack path has three steps:

1. *Attacker holds EXECUTE on SYS.XS_DIAG (the precondition described above).*

2. *Attacker connects to the database over the network (using Oracle Net).*

3. *Attacker executes a payload or sequence of calls through the XS_DIAG package to reach vulnerable code.*

Example Exploit Flow

Let’s say an attacker wants to view or change a security configuration. Here’s how simplified code might look (for educational purposes):

-- Attacker connects with privileges
sqlplus attacker_user/SecretPW@//dbserver:1521/service

-- Attacker tries to call an internal XS_DIAG function
BEGIN
  SYS.XS_DIAG.DIAGNOSE('DUMP_USER_SECRETS', 'SYS');
END;
/

Note:
The above is *not* the real exploit, as Oracle has not published specifics for security reasons. But attacks would generally follow this pattern—abusing privileged functions to reveal or change critical settings.

How to Mitigate

1. Patch Immediately

Apply Oracle’s April 2024 Database Patch Set. Oracle has fixed this issue in recent releases for all supported platforms.

2. Audit and Revoke the Privilege

Audit your users for the EXECUTE privilege on SYS.XS_DIAG (and on any other sensitive SYS packages). Filtering on OWNER avoids matching a same-named object in another schema:

SELECT GRANTEE FROM DBA_TAB_PRIVS
  WHERE OWNER = 'SYS' AND TABLE_NAME = 'XS_DIAG' AND PRIVILEGE = 'EXECUTE';

Revoke the privilege unless it is absolutely necessary:

REVOKE EXECUTE ON SYS.XS_DIAG FROM <user>;

3. Filter/Restrict Network Access

Limit who can connect over the network using firewall rules, VPNs, or Oracle’s own listener configurations.

4. Monitor for Unusual XS_DIAG Usage

Review your audit logs and any monitoring/alerting for XS_DIAG package execution events.
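The audit step (2) and the monitoring step (4) above, carried through as one SQL script. This is an added example, not code from the advisory or from Oracle's documentation; it assumes unified auditing is enabled (Oracle 12c and later) and the policy name xs_diag_exec_pol is our own choice. It goes beyond the single query above by following role chains, since DBA_TAB_PRIVS alone only shows direct grants.

```sql
-- Step 1: every grantee that can reach SYS.XS_DIAG, directly or through a role
-- chain (user <- role <- role ...). A grant to PUBLIC means every account.
WITH direct_grants AS (
  SELECT grantee
    FROM dba_tab_privs
   WHERE owner = 'SYS' AND table_name = 'XS_DIAG' AND privilege = 'EXECUTE'
),
holders (grantee, path) AS (
  -- anchor: direct grantees (CAST so the recursive concatenation fits)
  SELECT grantee, CAST(grantee AS VARCHAR2(4000)) FROM direct_grants
  UNION ALL
  -- recursive step: anyone granted a role that already appears as a holder
  SELECT r.grantee, h.path || ' <- ' || r.granted_role
    FROM dba_role_privs r
    JOIN holders h ON r.granted_role = h.grantee
)
SELECT h.grantee,
       CASE WHEN u.username IS NOT NULL THEN 'USER' ELSE 'ROLE/PUBLIC' END AS grantee_type,
       h.path
  FROM holders h
  LEFT JOIN dba_users u ON u.username = h.grantee
 WHERE h.grantee <> 'SYS'
 ORDER BY grantee_type, h.grantee;

-- Step 2: record every execution of the package (successful or not).
-- Policy name xs_diag_exec_pol is an assumption of this example.
CREATE AUDIT POLICY xs_diag_exec_pol
  ACTIONS EXECUTE ON SYS.XS_DIAG;
AUDIT POLICY xs_diag_exec_pol;

-- Step 3: review the last 7 days of XS_DIAG executions, newest first.
-- Any row from an account or client program that is not a known DBA
-- diagnostics session is worth an incident ticket.
SELECT event_timestamp,
       dbusername,
       client_program_name,
       action_name,
       return_code,      -- 0 = succeeded; non-zero = the call failed
       sql_text
  FROM unified_audit_trail
 WHERE object_schema = 'SYS'
   AND object_name   = 'XS_DIAG'
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
 ORDER BY event_timestamp DESC;
```

Run the first query before and after revoking grants to confirm no role path to the package remains for non-administrative accounts.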

Conclusion

CVE-2024-21184 is a serious flaw in Oracle Database’s RDBMS Security, allowing anyone with EXECUTE on SYS.XS_DIAG and network access to potentially compromise your database. Fix it by patching, locking down privileges, and watching for suspicious activity. Don’t delay!

References

- Oracle Critical Patch Update (CPU) Advisory - April 2024
- National Vulnerability Database Entry

Timeline

Published on: 07/16/2024 23:15:23 UTC
Last modified on: 07/19/2024 13:38:01 UTC