Some of our Internal DBs Oracle installed in Linux and Windows servers have been highlighted with the issue Oracle TNS Listener Remote Poisoning (CVE-2012-1675).
This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as "TNS Listener Poison Attack" affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have recommended solution applied.
All our DBs are 11.2.0.4, but reading all the notes from Oracle or third parts seems that this Oracle's version is not affected.
Anyway,Following the Doc ID 1600630.1 from Oracle Support, I made a change in the listener.ora adding the below string:
VALID_NODE_CHECKING_REGISTRATION_listener_name = ON
We are using NessusScan to highlight the Vulnerabilities on our servers. After i made the change above, we ran the scan and there is still one server highlighted with this error:
The remote Oracle TNS listener allows service registration from a
remote host. An attacker can exploit this issue to divert data from a
legitimate database server or client to an attacker-specified system.Successful exploits will allow the attacker to manipulate database
instances, potentially facilitating man-in-the-middle, session-
hijacking, or denial of service attacks on a legitimate database
server.
Checking the server and Oracle Listener there is nothing wrong or any errors, it just come up with the Scan with the above error.
Trying to fix this issue, I found this page:
https://community.oracle.com/thread/4008690?start=0&tstart=0
but mine is not a XE version, my version is:
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Release 11.2.0.4.0 - Production
PL/SQL Release 11.2.0.4.0 - Production
CORE 11.2.0.4.0 Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
Please, if anyone had to face this issue with Oracle 11.2.0.4, could share how it has been fixed would be great.
Best Answer
So a scanner program shown some nice text message without any facts (timestamp, addresses, how it determined the listener was vulnerable). Yet you say you saw nothing on the server.
The listener logs service registrations. It also logs rejected tries with VNCR enabled.
So here is my listener without the parameter set:
Now I set VNCR (not even in
listener.ora
, but dynamically):From a different host, but the same subnet (which does not matter know because this level of this parameter rejects requests even from the same subnet):
From a database instance, I try to register that instance into the listener on the other host:
Then, still no services:
And in the log of the listener I see this:
As you can see the registration attempt was rejected, works as intended. I still find it difficult to believe that you configured VNCR correctly and the scanner found the listener vulnerable.
Maybe the name of the parameter was mistyped, or the listener was not restarted. Or the scanner reports a false positive for whatever reason.
Anyway you can simply test and confirm just as I did above.