Delphix

TB083 Non-Privileged User May Be Able to Perform Certain Actions on the Masking Engine

Alert Type

Security

Impact

FIPS 199 Severity Level: High

CVSS Score: 8.5 and lower

CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

  Attack Vector (AV): Network (N)
  Attack Complexity (AC): Low (L)
  Privileges Required (PR): Low (L)
  User Interaction (UI): None (N)
  Scope (S): Changed (C)
  Confidentiality (C): High (H)
  Integrity (I): Low (L)
  Availability (A): None (N)

This vulnerability allows certain operations to be performed by a user who is either:

  • an unauthenticated user, or

  • an authenticated user who is not authorized to perform a particular operation.

An unauthenticated user who has not logged into the product can perform the operations below:

  • Download masking job reports

  • Download a job’s prescript and postscript

  • Download an environment’s utilization report

  • Import an inventory CSV file


Authorization enforcement is missing for the following privileges:

  Object Type          Privilege(s)¹
  ENVIRONMENT          VIEW
  CONNECTOR            VIEW
  RULESET              VIEW, CREATE, UPDATE, COPY, DELETE
  INVENTORY            VIEW, CREATE, UPDATE, EXPORT, IMPORT, DELETE
  MASKING_JOB          VIEW
  ALGORITHM            VIEW
  CUSTOM_ALGORITHM     VIEW, CREATE
  FILE_FORMAT          VIEW, CREATE, UPDATE, DELETE
  JDBC_DRIVER          VIEW
  PROFILE_JOB          VIEW
  DOMAIN               VIEW
  PROFILE_EXPRESSION   VIEW
  DIAGNOSTIC           VIEW

  ¹ Note: The CREATE privilege is called “Add” in the GUI and “CREATE” in the REST API.

Below are examples of the resulting vulnerabilities:

  • Users without create/update/delete permissions for “FileFormats” are able to create/update/delete a record type on the inventory UI for delimited and fixed-width file masking.

  • Users without permission for “Custom Algorithms” are able to create custom algorithms.

  • Users without view permissions for Algorithms/Rulesets/Domains are able to view Algorithms/Rulesets/Domains.

  • Users without the copy permission for Rulesets are able to copy Rulesets.

  • Users without the import permission for Inventory are able to import Inventory.


Contributing Factors

This article applies to the following versions of the Delphix engine:

  Major Release   Sub Releases
  6.0             6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1
  5.3             5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
  5.2             5.2.0.0, 5.2.1.0, 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.3.1, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1, 5.2.6.2


Symptoms

This attack can be detected by reviewing all the configured non-admin users on the Masking Engine.

A non-admin user who has performed actions for which the user is not authorized indicates an attack. Such attacks can be detected with the following steps:

  1. Check whether the user is a non-admin user.

  2. Check the audit logs for the user's login time and logout time.

  3. Check the info logs for actions the user is not authorized to perform that occurred within the interval identified in step 2.

Sample Log messages:

The log messages below are for a non-admin user with user ID “user_test” who did not have add/update/delete permissions but added, updated and deleted record types for a delimited-file inventory.

2020-09-04 17:57:05,715 user_test [http-nio-127.0.0.1-8284-exec-2] INFO  com.dmsuite.user.login.LoginHelper - User user_test: email user@delphix.com

2020-09-04 17:57:11,533  [http-nio-127.0.0.1-8284-exec-1] INFO  c.dmsuite.manager.EnvironmentManager - User is admin: false

2020-09-04 17:57:16,930  [http-nio-127.0.0.1-8284-exec-7] INFO  c.d.w.i.FileFormatInventoryController - isAdmin0

2020-09-04 17:57:40,204  [http-nio-127.0.0.1-8284-exec-3] INFO  c.d.w.i.FileFormatInventoryController -  Going to add record type..............

2020-09-04 17:57:40,611  [http-nio-127.0.0.1-8284-exec-3] INFO  c.d.w.i.FileFormatInventoryController - isAdmin0

2020-09-04 17:57:53,007  [http-nio-127.0.0.1-8284-exec-6] INFO  c.d.w.i.FileFormatInventoryController - in update record type

2020-09-04 17:57:53,491  [http-nio-127.0.0.1-8284-exec-6] INFO  c.d.w.i.FileFormatInventoryController - isAdmin0

2020-09-04 17:58:03,278  [http-nio-127.0.0.1-8284-exec-2] INFO  c.d.w.i.FileFormatInventoryController - in Delete record type

84-exec-2] INFO  c.d.w.i.FileFormatInventoryController - lastUpdatedInventoryDate :09/04/20 17:57

2020-09-04 17:58:04,106  [http-nio-127.0.0.1-8284-exec-2] INFO  c.d.w.i.FileFormatInventoryController - isAdmin0

2020-09-04 17:58:13,501  [http-nio-127.0.0.1-8284-exec-1] INFO  c.dmsuite.web.user.LogoutController - successfully logout from application............
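As an added illustration of the three-step check above (this script is not part of the advisory and is not Delphix tooling), the following Python walks log lines in the shape of the sample: it takes the user's admin flag and granted privileges as inputs constructed for the example, bounds the session by the LoginHelper and LogoutController lines, and flags FileFormatInventoryController record-type operations inside that window whose privilege the user lacks. The mapping of log messages to FILE_FORMAT privileges is an assumption made for this example.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the advisory's log excerpt (not a real capture).
SAMPLE_LOG = """\
2020-09-04 17:57:05,715 user_test [http-nio-127.0.0.1-8284-exec-2] INFO  com.dmsuite.user.login.LoginHelper - User user_test: email user@delphix.com
2020-09-04 17:57:11,533  [http-nio-127.0.0.1-8284-exec-1] INFO  c.dmsuite.manager.EnvironmentManager - User is admin: false
2020-09-04 17:57:40,204  [http-nio-127.0.0.1-8284-exec-3] INFO  c.d.w.i.FileFormatInventoryController -  Going to add record type..............
2020-09-04 17:57:53,007  [http-nio-127.0.0.1-8284-exec-6] INFO  c.d.w.i.FileFormatInventoryController - in update record type
2020-09-04 17:58:03,278  [http-nio-127.0.0.1-8284-exec-2] INFO  c.d.w.i.FileFormatInventoryController - in Delete record type
2020-09-04 17:58:13,501  [http-nio-127.0.0.1-8284-exec-1] INFO  c.dmsuite.web.user.LogoutController - successfully logout from application............
"""

# timestamp, optional user, [thread], level, logger, " - ", message
LINE_RE = re.compile(r"^(\S+ \S+) (\S*)\s+\[[^\]]+\] (\w+)\s+(\S+) - (.*)$")

# Assumed mapping (for this example only) from controller messages to the FILE_FORMAT
# privilege that should have gated them; the advisory lists these as unenforced.
ACTIONS = [
    ("FILE_FORMAT:CREATE", re.compile(r"going to add record type", re.I)),
    ("FILE_FORMAT:UPDATE", re.compile(r"in update record type", re.I)),
    ("FILE_FORMAT:DELETE", re.compile(r"in delete record type", re.I)),
]

def parse(log):
    # Yield (timestamp, user-or-empty, logger, message) for each parseable line.
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts, user, _level, logger, msg = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f"), user, logger, msg.strip()

def find_unauthorized_actions(log, user, is_admin, granted):
    """Step 1: skip admins. Step 2: bound the session by the user's login line and the
    next logout line. Step 3: flag record-type actions inside that window whose
    privilege is not in the user's granted set. Returns (time, privilege, message)."""
    if is_admin:
        return []
    events = list(parse(log))
    login = next((t for t, u, lg, _ in events if u == user and lg.endswith("LoginHelper")), None)
    if login is None:
        return []
    logout = next((t for t, _, lg, _ in events if t > login and lg.endswith("LogoutController")), None)
    findings = []
    for ts, _, logger, msg in events:
        if ts < login or (logout and ts > logout) or not logger.endswith("FileFormatInventoryController"):
            continue
        for priv, pat in ACTIONS:
            if pat.search(msg) and priv not in granted:
                findings.append((ts.strftime("%H:%M:%S"), priv, msg))
    return findings
```

Because the action lines carry only a thread name and no user, the correlation is purely by time window, so on an engine with concurrent sessions the audit log's per-user entries would be needed to attribute each action.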


Relief/Workaround

  • At the network layer, IP address allowlisting may be used to limit Delphix appliance access to approved users only.

  • Customers are strongly recommended to upgrade to 6.0.4.0 or later.

Resolution

These issues are fully resolved in the 6.0.4.0 release.

Additional Information

N/A

Related Documents

N/A