18 Replies. Latest reply: May 2, 2012 11:30 AM by rukbat

Oracle TNS Poison vulnerability

Acooper Explorer
Hello;

I have an e-mail from our internal Security team warning me about this and providing this link as proof:

http://isc.sans.edu/diary/Critical+Unpatched+Oracle+Vulnerability/13069

Question:

Is this something I should worry about? If yes why?

All helpful comments welcome.

Cooper
  • 1. Re: Oracle TNS Poison vulnerability
    892953 Newbie
    Did you patch your DB for April PSU?
  • 2. Re: Oracle TNS Poison vulnerability
    Acooper Explorer
    "dynamic_registration = off" in the listener.ora configuration file.
  • 3. Re: Oracle TNS Poison vulnerability
    jgarry Guru
    Depends. The exact details on how to do it have been published. It doesn't seem to be too difficult for those experienced with sniffing tools and legitimate access. It exploits the load balancing feature of the listener, together with dynamic registration. So if you set dynamic registration off, you are protected. Other possible workarounds, such as for those who need RAC, are in the published exploit. Oracle Advanced Security works too. 11g listener log default behavior also logs bogus registrations, if one thinks to look.
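
Added example, not part of the thread or of any Oracle tooling: one way to look for the registrations mentioned above in an 11g text listener.log. The line layout (`timestamp * service_register * instance * code`), the allow-list of instance names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed 11g text listener.log layout: "<timestamp> * service_register * <instance> * <rc>"
EVENT = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"(?P<event>service_register|service_update|service_died) \* "
    r"(?P<instance>\S+) \* (?P<rc>\d+)\s*$"
)

def unexpected_registrations(lines, known_instances):
    """Return (timestamp, instance) for each service_register from an unlisted instance."""
    known = {name.upper() for name in known_instances}
    hits = []
    for line in lines:
        m = EVENT.match(line.strip())
        if m and m["event"] == "service_register" and m["instance"].upper() not in known:
            hits.append((m["ts"], m["instance"]))
    return hits

def registration_counts(lines):
    """Count service_register events per instance, to compare against known restarts."""
    counts = Counter()
    for line in lines:
        m = EVENT.match(line.strip())
        if m and m["event"] == "service_register":
            counts[m["instance"].upper()] += 1
    return counts

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
02-MAY-2012 09:00:01 * service_register * ORCL * 0
02-MAY-2012 09:00:04 * service_update * ORCL * 0
02-MAY-2012 09:14:37 * service_register * ORCL1 * 0
02-MAY-2012 09:15:02 * (CONNECT_DATA=(SERVICE_NAME=ORCL)) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=50211)) * establish * ORCL * 0
02-MAY-2012 09:20:00 * service_update * ORCL * 0
""".splitlines()

if __name__ == "__main__":
    for ts, inst in unexpected_registrations(SAMPLE_LOG, {"ORCL"}):
        print(f"{ts}: registration from unexpected instance {inst}")
```

The per-instance counts are there because an allow-list only catches unfamiliar names; a registration that does not line up with a known instance restart deserves a look as well.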
  • 4. Re: Oracle TNS Poison vulnerability
    Acooper Explorer
    I just decided. I like you.

    Cooper
  • 5. Re: Oracle TNS Poison vulnerability
    Jonathan Lewis Oracle ACE Director
    Cooper wrote:
    > I have an e-mail from our internal Security team warning me about this and providing this link as proof:
    >
    > http://isc.sans.edu/diary/Critical+Unpatched+Oracle+Vulnerability/13069
    >
    > Is this something I should worry about? If yes why?
    >
    > All helpful comments welcome.

    The details of how to mount the attack are in the document; if I were you I would pick one of your development databases and see if you can attack it (without taking advantage of prior information that you might know because you're the DBA). If you can't mount the attack by yourself get your network and sys admins to help.

    Although it's not conclusive evidence of the level of threat, you might note that the author of the original article has suggested that the vulnerability has been around for 13 years, which means there's been a lot of time for someone to be hit by it and scream very loudly about the damage it's done.

    Regards
    Jonathan Lewis
  • 6. Re: Oracle TNS Poison vulnerability
    Acooper Explorer
    Thanks Jonathan;

    That is exactly what I needed!
  • 7. Re: Oracle TNS Poison vulnerability
    qbucb Newbie
    If you are not using RAC or fail-over features that require remote listener registration, you can restrict instance registration to local instances only via IPC. This is done in listener.ora using:
    secure_register_<listener_name> = IPC

    You will also need to create an alias for each listener in tnsnames.ora and set the local_listener parameter in each database (even if they are using the default listener) to use the alias. The alias looks like:
    <listener_name> =
    (DESCRIPTION=
    (ADDRESS=(PROTOCOL=ipc)(KEY=<keyvalue>)))
    -- where <keyvalue> matches whatever IPC is set to in listener.ora.
  • 8. Re: Oracle TNS Poison vulnerability
    jgarry Guru
    > The details of how to mount the attack are in the document; if I were you I would pick one of your development databases and see if you can attack it (without taking advantage of prior information that you might know because you're the DBA). If you can't mount the attack by yourself get your network and sys admins to help.
    >
    > Although it's not conclusive evidence of the level of threat, you might note that the author of the original article has suggested that the vulnerability has been around for 13 years, which means there's been a lot of time for someone to be hit by it and scream very loudly about the damage it's done.

    The vulnerability has, but there are two new things: Published details, and Oracle saying it is fixed when it isn't. Or is it?
  • 9. Re: Oracle TNS Poison vulnerability
    jgarry Guru
    Awwww....

    Anyways, the IPC and other official fixes are also referenced in the notes in http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
  • 10. Re: Oracle TNS Poison vulnerability
    Acooper Explorer
    I looked for the "very helpful" button but only found the "helpful"

    Good man!!
  • 11. Re: Oracle TNS Poison vulnerability
    MarcusMonnig Newbie
    http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html

    I don't see a solution for databases running with Oracle Failsafe in there. Since the listener is dynamically configured by the Failsafe software and it writes the LOCAL_LISTENER parameter with a TCP protocol into the init.ora file, I doubt that the non-RAC solution would work.

    Marcus
  • 12. Re: Oracle TNS Poison vulnerability
    934517 Newbie
    Hi all,
    It seems that for non-RAC a simple workaround exists (see http://www.h-online.com/security/news/item/Oracle-databases-vulnerable-to-injected-listeners-1563150.html) just by setting
    DYNAMIC_REGISTRATION = OFF (in listener.ora).

    * Can anyone confirm whether or not this works? And if yes, would it work in Oracle 9i? (I cannot check it myself, Oracle.com leads me to http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1 (for non-RAC), but my Oracle.com account has not enough privileges.)
    * And yes, I have checked the Oracle documentation (both 9i and 11g), but that does not really help.

    In the documentation I do find a setting DYNAMIC_REGISTRATION_<listener_name> = ..., but not DYNAMIC_REGISTRATION = ...
    So I'm not sure if this setting actually exists, can anyone confirm?
    * And if the setting exists, I did it as below, is this correct, given an instance name XYZ?
    Thanks in advance for your help!


    XYZ =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = TCP)(HOST = ...)(PORT = 1521))
          )
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
          )
        )
      )

    SID_LIST_XYZ =
      (SID_LIST =
        (SID_DESC =
          ...
          (ORACLE_HOME = ...)
          (PROGRAM = extproc)
          (DYNAMIC_REGISTRATION = OFF)
        )
      )

    Thanks very much for your help?
  • 13. Re: Oracle TNS Poison vulnerability
    Acooper Explorer
    Looks like you are doing it wrong.

    DYNAMIC_REGISTRATION = OFF

    This is a separate line by itself.

    And it should be

    DYNAMIC_REGISTRATION_LISTENER = OFF

    If you want this to work then you need to add a static entry for all databases on that server ( to the listener.ora )

    EX. ( under SID_LIST_LISTENER )

    (SID_DESC =
    (GLOBAL_DBNAME = ORCL)
    (ORACLE_HOME = ?? )
    (SID_NAME = ORCL)
    )

    Test it. If it fails remove the entries from the listener.ora
  • 14. Re: Oracle TNS Poison vulnerability
    934517 Newbie
    Hi Cooper,

    Thanks for your reply! Not sure yet however, I am not a DBA (but an Oracle developer, but I am supposed to manage this). I am not entirely sure on the correct format of listener.ora
    You state that you give an example with DYNAMIC_REGISTRATION_LISTENER = OFF, but in your EX I don't see this entry, so I am a bit confused now.

    Could you (or someone else) please post a more elaborated example, so I can feel sure where exactly to put this setting?

    Thanks very much for your helpfulness!
    Jan-Hendrik
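
Added example, not part of the thread and not Oracle's own tooling: a small listener.ora checker that reports where the registration settings discussed in replies 7, 12 and 13 sit. The parameter names come from those replies; the host name, the single-line layout of the sample files and the finding texts are assumptions constructed for illustration.

```python
import re

def top_level_params(text):
    """Map each top-level listener.ora parameter (upper-cased) to its raw value."""
    text = re.sub(r"#.*", "", text)          # drop comments
    params, consumed = {}, 0
    for m in re.finditer(r"(\w+)\s*=\s*", text):
        if m.start() < consumed:             # a "name =" inside an earlier value
            continue
        end = m.end()
        if text[end:end + 1] == "(":         # parenthesised value: walk to its close
            depth = 0
            while end < len(text):
                depth += (text[end] == "(") - (text[end] == ")")
                end += 1
                if depth == 0:
                    break
        else:                                # bare value such as OFF or IPC
            while end < len(text) and not text[end].isspace():
                end += 1
        params[m.group(1).upper()] = text[m.end():end]
        consumed = end
    return params

def audit(text):
    """Return findings about listener registration settings in a listener.ora."""
    params, findings = top_level_params(text), []
    for name, value in params.items():
        if not value.startswith("("):
            continue
        if re.search(r"DYNAMIC_REGISTRATION|SECURE_REGISTER", value, re.I):
            findings.append(f"{name}: registration setting nested inside a block")
        if name.startswith("SID_LIST_") or "ADDRESS" not in value.upper():
            continue                         # not a listener definition
        dyn = params.get(f"DYNAMIC_REGISTRATION_{name}", "").upper()
        if dyn != "OFF" and f"SECURE_REGISTER_{name}" not in params:
            findings.append(f"{name}: dynamic registration not restricted")
        if dyn == "OFF" and f"SID_LIST_{name}" not in params:
            findings.append(f"{name}: no static SID_LIST_{name} entry")
    return findings

# Constructed inputs: the layout from reply 12, then the layout reply 13 describes.
BEFORE = """XYZ = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db.example)(PORT = 1521)))
SID_LIST_XYZ = (SID_LIST = (SID_DESC = (SID_NAME = XYZ)(DYNAMIC_REGISTRATION = OFF)))
"""
AFTER = """XYZ = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db.example)(PORT = 1521)))
SID_LIST_XYZ = (SID_LIST = (SID_DESC = (GLOBAL_DBNAME = XYZ)(SID_NAME = XYZ)))
DYNAMIC_REGISTRATION_XYZ = OFF
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or "no findings")
```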