18 Replies Latest reply: May 2, 2012 1:30 PM by rukbat

    Oracle TNS Poison vulnerability

    Seberg
      Hello;

      I have an e-mail from our internal Security team warning me about this and providing this link as proof:

      http://isc.sans.edu/diary/Critical+Unpatched+Oracle+Vulnerability/13069

      Question:

      Is this something I should worry about? If yes why?

      All helpful comments welcome.

      Cooper
        • 1. Re: Oracle TNS Poison vulnerability
          892953
          Did you patch your DB for April PSU?
          • 2. Re: Oracle TNS Poison vulnerability
            Seberg
            "dynamic_registration = off" in the listener.ora configuration file.
            • 3. Re: Oracle TNS Poison vulnerability
              jgarry
              Depends. The exact details on how to do it have been published. It doesn't seem to be too difficult for those experienced with sniffing tools and legitimate access. It exploits the load balancing feature of the listener, together with dynamic registration. So if you set dynamic registration off, you are protected. Other possible workarounds, such as for those who need RAC, are in the published exploit. Oracle Advanced Security works too. 11g listener log default behavior also logs bogus registrations, if one thinks to look.
              • 4. Re: Oracle TNS Poison vulnerability
                Seberg
                I just decided. I like you.

                Cooper
                • 5. Re: Oracle TNS Poison vulnerability
                  Jonathan Lewis
                  Cooper wrote:
                  I have an e-mail from our internal Security team warning me about this and providing this link as proof:

                  http://isc.sans.edu/diary/Critical+Unpatched+Oracle+Vulnerability/13069

                  Is this something I should worry about? If yes why?

                  All helpful comments welcome.
                  The details of how to mount the attack are in the document; if I were you I would pick one of your development databases and see if you can attack it (without taking advantage of prior information that you might know because you're the DBA). If you can't mount the attack by yourself get your network and sys admins to help.

                  Although it's not conclusive evidence of the level of threat, you might note that the author of the original article has suggested that the vulnerability has been around for 13 years, which means there's been a lot of time for someone to be hit by it and scream very loudly about the damage it's done.

                  Regards
                  Jonathan Lewis
                  • 6. Re: Oracle TNS Poison vulnerability
                    Seberg
                    Thanks Jonathan;

                    That is exactly what I needed!
                    • 7. Re: Oracle TNS Poison vulnerability
                      qbucb
                      If you are not using RAC or fail-over features that require remote listener registration, you can restrict instance registration to local instances only via IPC. This is done in listener.ora using:
                      secure_register_<listener_name> = IPC

                      You will also need to create an alias for each listener in tnsnames.ora and set the local_listener parameter in each database (even if they are using the default listener) to use the alias. The alias looks like:
                      <listener_name> =
                      (DESCRIPTION=
                      (ADDRESS=(PROTOCOL=ipc)(KEY=<keyvalue>)))
                      -- where <keyvalue> matches whatever IPC is set to in listener.ora.
                      • 8. Re: Oracle TNS Poison vulnerability
                        jgarry
                        > The details of how to mount the attack are in the document; if I were you I would pick one of your development databases and see if you can attack it (without taking advantage of prior information that you might know because you're the DBA). If you can't mount the attack by yourself get your network and sys admins to help.
                        >
                        > Although it's not conclusive evidence of the level of threat, you might note that the author of the original article has suggested that the vulnerability has been around for 13 years, which means there's been a lot of time for someone to be hit by it and scream very loudly about the damage it's done.

                        The vulnerability has, but there are two new things: Published details, and Oracle saying it is fixed when it isn't. Or is it?
                        • 9. Re: Oracle TNS Poison vulnerability
                          jgarry
                          Awwww....

                          Anyways, the IPC and other official fixes are also referenced in the notes in http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
                          • 10. Re: Oracle TNS Poison vulnerability
                            Seberg
                            I looked for the "very helpful" button but only found the "helpful"

                            Good man!!
                            • 11. Re: Oracle TNS Poison vulnerability
                              MarcusMonnig
                              http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html

                              I don't see a solution for databases running with Oracle Failsafe in there. Since the listener is dynamically configured by the Failsafe software and it writes the LOCAL_LISTENER parameter with a TCP protocol into the init.ora file, I doubt that the non-RAC solution would work.

                              Marcus
                              • 12. Re: Oracle TNS Poison vulnerability
                                934517
                                Hi all,
                                It seems that for non-RAC a simple workaround exists (see http://www.h-online.com/security/news/item/Oracle-databases-vulnerable-to-injected-listeners-1563150.html) just by setting
                                DYNAMIC_REGISTRATION = OFF (in listener.ora).

                                * Can anyone confirm whether or not this works? And if yes, would it work in Oracle 9i? (I cannot check it myself; Oracle.com leads me to http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1 (for non-RAC), but my Oracle.com account does not have enough privileges.)
                                * And yes, I have checked the Oracle documentation (both 9i and 11g), but that does not really help

                                In the documentation I do find a setting DYNAMIC_REGISTRATION_<listener_name> = ..., but not DYNAMIC_REGISTRATION = ...
                                So I'm not sure if this setting actually exists, can anyone confirm?
                                * And if the setting exists, I did it as below, is this correct, given an instance name XYZ?
                                Thanks in advance for your help!


                                XYZ =
                                (DESCRIPTION_LIST =
                                (DESCRIPTION =
                                (ADDRESS_LIST =
                                (ADDRESS = (PROTOCOL = TCP)(HOST = ...)(PORT = 1521))
                                )
                                (ADDRESS_LIST =
                                (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
                                )
                                )
                                )

                                SID_LIST_XYZ =
                                (SID_LIST =
                                (SID_DESC =
                                ...
                                (ORACLE_HOME = ...)
                                (PROGRAM = extproc)
                                (DYNAMIC_REGISTRATION = OFF)
                                )
                                )

                                Thanks very much for your help!
                                • 13. Re: Oracle TNS Poison vulnerability
                                  Seberg
                                  Looks like you are doing it wrong.

                                  DYNAMIC_REGISTRATION = OFF

                                  This is a separate line by itself.

                                  And it should be

                                  DYNAMIC_REGISTRATION_LISTENER = OFF

                                  If you want this to work then you need to add a static entry for all databases on that server ( to the listener.ora )

                                  EX. ( under SID_LIST_LISTENER )

                                  (SID_DESC =
                                  (GLOBAL_DBNAME = ORCL)
                                  (ORACLE_HOME = ?? )
                                  (SID_NAME = ORCL)
                                  )

                                  Test it. If it fails remove the entries from the listener.ora
                                  • 14. Re: Oracle TNS Poison vulnerability
                                    934517
                                    Hi Cooper,

                                    Thanks for your reply! Not sure yet however, I am not a DBA (but an Oracle developer, but I am supposed to manage this). I am not entirely sure on the correct format of listener.ora.
                                    You state that you give an example with DYNAMIC_REGISTRATION_LISTENER = OFF, but in your EX I don't see this entry, so I am a bit confused now.

                                    Could you (or someone else) please post a more elaborated example, so I can feel sure where exactly to put this setting?

                                    Thanks very much for your helpfulness!
                                    Jan-Hendrik
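
A way to check where the settings from replies 7 and 13 sit in a listener.ora, shown as an added example that is not part of the thread and not Oracle tooling. The sample file, host names, IPC key, ORACLE_HOME path and the status labels are constructed for illustration; the XYZ listener reproduces the nested placement from reply 12, which the audit reports as misplaced.

```python
import re

# Constructed listener.ora for illustration; hosts, key and path are made up.
SAMPLE = """\
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example)(PORT = 1521)))
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (GLOBAL_DBNAME = ORCL)(ORACLE_HOME = /placeholder/home)(SID_NAME = ORCL)))
# Reply 13: a top-level line of its own, suffixed with the listener name.
DYNAMIC_REGISTRATION_LISTENER = OFF

LISTENER_APP =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example)(PORT = 1522)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = REGKEY))))
# Reply 7: accept instance registration over IPC only.
SECURE_REGISTER_LISTENER_APP = IPC

XYZ =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db02.example)(PORT = 1521)))
SID_LIST_XYZ =
  (SID_LIST = (SID_DESC = (PROGRAM = extproc)(DYNAMIC_REGISTRATION = OFF)))
"""

ASSIGN = re.compile(r"([A-Za-z_]\w*)\s*=")

def top_level_params(text):
    """Map each depth-0 parameter name to its raw value; nested keys are skipped."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments before counting parentheses
    hits = [m for m in ASSIGN.finditer(text)
            if text.count("(", 0, m.start()) == text.count(")", 0, m.start())]
    ends = [m.start() for m in hits[1:]] + [len(text)]
    return {m.group(1).upper(): text[m.end():e].strip() for m, e in zip(hits, ends)}

def audit(text):
    """Return ({listener: status}, [parameters with a nested DYNAMIC_REGISTRATION])."""
    params = top_level_params(text)
    status = {}
    for name, value in params.items():
        if name.startswith("SID_LIST_") or "ADDRESS" not in value.upper():
            continue  # not a listener definition
        if params.get("DYNAMIC_REGISTRATION_" + name, "").upper() == "OFF":
            status[name] = "static-only"
        elif "SECURE_REGISTER_" + name in params:
            status[name] = "restricted:" + params["SECURE_REGISTER_" + name].upper()
        else:
            status[name] = "unrestricted"
    nested = re.compile(r"\(\s*DYNAMIC_REGISTRATION\w*\s*=", re.I)
    return status, [n for n, v in params.items() if nested.search(v)]
```

Calling `audit(SAMPLE)` gives a per-listener status plus the list of parameters where the setting was placed inside a parenthesized block instead of on its own top-level line.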