Skip to main content
Delphix

TB083 Non-Privileged User May Be Able to Perform Certain Actions on the Masking Engine

 

 

Alert Type

Security

Impact

FIPS 199 Severity Level: High

CVSS Score: 8.5 and lower

CVSS: 3.1

Attack Vector (AV): N

Attack Complexity (AC): L

Privileges Required (PR): L

User Interaction (UI): N

Scope (S): C

Confidentiality (C): H

Integrity (I): L

Availability (A): N

This vulnerability allows certain operations to be performed by a user who can be:

  • an unauthenticated user 

  • an authenticated user who is not authorized to perform a particular operation.

An unauthenticated user who has not logged into the product can perform the operations below:

  • Download masking job reports

  • Download a job’s prescript and postscript

  • Download an environment’s utilization report

  • Import an inventory CSV file

 

Authorization enforcement is missing for the following privileges:

 

Object Type

Privilege(s)1

ENVIRONMENT

VIEW

CONNECTOR

VIEW

RULESET

VIEW, CREATE, UPDATE, COPY, DELETE

INVENTORY

VIEW, CREATE, UPDATE, EXPORT, IMPORT, DELETE

MASKING_JOB

VIEW

ALGORITHM

VIEW

CUSTOM_ALGORITHM

VIEW, CREATE

FILE_FORMAT

VIEW, CREATE, UPDATE, DELETE

JDBC_DRIVER

VIEW

PROFILE_JOB

VIEW

DOMAIN

VIEW

PROFILE_EXPRESSION

VIEW

DIAGNOSTIC

VIEW

 1Note: The CREATE privilege is called “Add” in the GUI and “CREATE” in the REST API.

Below are examples of the resulting vulnerabilities: 

  • Users without create/update/delete permissions for “FileFormats” are able to create/update/delete a record type on the inventory UI for delimited and fixed-width file masking.

  • Users without permission for “Custom Algorithms” are able to create custom algorithms.

  • Users without view permissions for Algorithms/Rulesets/Domains are able to view Algorithms/Rulesets/Domains.

  • Users without copy permission for Ruleset are able to copy Ruleset.

  • Users without import Inventory permission are able to import Inventory.

 

Contributing Factors

 
Click here to view the versions of the Delphix engine to which this article applies
Major Release All Sub Releases
6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1

5.3

5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

5.2

5.2.0.0, 5.2.1.0, 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.3.1, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1, 5.2.6.2

 

Symptoms

This attack can be detected by viewing all the configured non-admin users in Masking Engine. 

Any non-admin user, who has performed certain actions for which the user is not authorized indicates an attack. Such attacks can be detected by using the below steps:

  1. Check if a user is non-admin.

  2. Check the audit logs for the login time and logout time of the user.

  3. Check the info logs if the user has performed certain actions for which the user is not authorized in the duration identified in step two above.

Sample Log messages:

The below log messages are for a non-admin user with user id “user_test” who did not have permissions for add/update/delete crud operations but added/updated/deleted records type for delimited file inventory.

2020-09-04 17:57:05,715 user_test [http-nio-127.0.0.1-8284-exec-2] INFO  com.dmsuite.user.login.LoginHelper - User user_test: email user@delphix.com

2020-09-04 17:57:11,533  [http-nio-127.0.0.1-8284-exec-1] INFO  c.dmsuite.manager.EnvironmentManager - User is admin: false
 

2020-09-04 17:57:16,930  [http-nio-127.0.0.1-8284-exec-7] INFO  c.d.w.i.FileFormatInventoryController - isAdmin0

2020-09-04 17:57:40,204  [http-nio-127.0.0.1-8284-exec-3] INFO  c.d.w.i.FileFormatInventoryController -  Going to add record type..............

 

2020-09-04 17:57:40,611  [http-nio-127.0.0.1-8284-exec-3] INFO  c.d.w.i.FileFormatInventoryController - isAdmin0

2020-09-04 17:57:53,007  [http-nio-127.0.0.1-8284-exec-6] INFO  c.d.w.i.FileFormatInventoryController - in update record type

 

2020-09-04 17:57:53,491  [http-nio-127.0.0.1-8284-exec-6] INFO  c.d.w.i.FileFormatInventoryController - isAdmin0

2020-09-04 17:58:03,278  [http-nio-127.0.0.1-8284-exec-2] INFO  c.d.w.i.FileFormatInventoryController - in Delete record type

 

84-exec-2] INFO  c.d.w.i.FileFormatInventoryController - lastUpdatedInventoryDate :09/04/20 17:57

2020-09-04 17:58:04,106  [http-nio-127.0.0.1-8284-exec-2] INFO  c.d.w.i.FileFormatInventoryController - isAdmin0

2020-09-04 17:58:13,501  [http-nio-127.0.0.1-8284-exec-1] INFO  c.dmsuite.web.user.LogoutController - successfully logout from application............


 

Relief/Workaround

  • At the network layer, IP address allowlisting may be used to limit Delphix appliance access to only approved users.  

  • Customers are strongly recommended to upgrade to 6.0.4.0 or later

Resolution

These issues are fully resolved in the 6.0.4.0 release.

Additional Information

N/A

Related Documents

N/A