Oracle Database Server TNS Listener Remote Registration Vulnerability (CVE-2012-1675)

Tags: listener, oracle, oracle-11g, patching

Some of our internal Oracle DBs, installed on Linux and Windows servers, have been highlighted with the issue Oracle TNS Listener Remote Poisoning (CVE-2012-1675).

This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as "TNS Listener Poison Attack" affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have the recommended solution applied.

All our DBs are 11.2.0.4, but reading all the notes from Oracle and third parties, it seems that this Oracle version is not affected.

Anyway, following Doc ID 1600630.1 from Oracle Support, I made a change in listener.ora, adding the line below:

VALID_NODE_CHECKING_REGISTRATION_listener_name = ON

We are using Nessus scanning to highlight the vulnerabilities on our servers. After I made the change above, we ran the scan and there is still one server highlighted with this error:

The remote Oracle TNS listener allows service registration from a
remote host. An attacker can exploit this issue to divert data from a
legitimate database server or client to an attacker-specified system.

Successful exploits will allow the attacker to manipulate database
instances, potentially facilitating man-in-the-middle, session-
hijacking, or denial of service attacks on a legitimate database
server.

Checking the server and the Oracle listener, there is nothing wrong and no errors; it just comes up in the scan with the above error.
Trying to fix this issue, I found this page:

https://community.oracle.com/thread/4008690?start=0&tstart=0

but mine is not an XE version; my version is:

SQL> select * from v$version;

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Release 11.2.0.4.0 - Production
PL/SQL Release 11.2.0.4.0 - Production
CORE    11.2.0.4.0      Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production

If anyone has had to face this issue with Oracle 11.2.0.4, it would be great if you could share how it was fixed.
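The documented form of the parameter is VALID_NODE_CHECKING_REGISTRATION_<listener_name>, where listener_name stands for the actual alias defined in listener.ora (LISTENER in the default configuration). The checker below is added here as an example and is not part of the question or of Oracle's tooling: it parses a listener.ora, reports each listener alias that lacks an enabled VNCR parameter, and lists VNCR parameters whose suffix matches no alias; the sample file and the host db01.example.internal are constructed.

```python
import re

# Oracle's documented values: ON/1/LOCAL = local node only, SUBNET/2 = local
# subnet as well, OFF/0 = check disabled.
ENABLED_VALUES = {"ON", "1", "LOCAL", "SUBNET", "2"}
PREFIX = "VALID_NODE_CHECKING_REGISTRATION_"
NAME = r"[A-Za-z_][\w$#.-]*"
# A listener alias is a top-level entry whose value is an address description.
ALIAS_VALUE = re.compile(r"^\(\s*(DESCRIPTION_LIST|DESCRIPTION|ADDRESS_LIST|ADDRESS)\s*=", re.I)

# Constructed sample mirroring the question: the placeholder "listener_name"
# from the documentation was left in place of the real alias, LISTENER.
SAMPLE_AS_IN_QUESTION = """\
# listener.ora (constructed sample, not a real host)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    )
  )
ADR_BASE_LISTENER = /u01/app/oracle
VALID_NODE_CHECKING_REGISTRATION_listener_name = ON
"""

def parse_entries(text):
    """{NAME: value} for each column-0 'NAME = ...' entry: continuation lines
    joined, '#' comment lines dropped, names upper-cased (the file is case-insensitive)."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    entries = {}
    for chunk in re.split(rf"^(?={NAME}\s*=)", text, flags=re.M):
        m = re.match(rf"({NAME})\s*=(.*)", chunk, re.S)
        if m:
            entries[m.group(1).upper()] = " ".join(m.group(2).split())
    return entries

def check_vncr(text):
    """Map each listener alias to 'ok', 'missing' or 'disabled:<value>', and list
    VNCR parameters whose suffix names no alias (a mistyped or placeholder name)."""
    entries = parse_entries(text)
    aliases = {n for n, v in entries.items() if ALIAS_VALUE.match(v)}
    vncr = {n[len(PREFIX):]: v.upper() for n, v in entries.items() if n.startswith(PREFIX)}
    report = {}
    for alias in sorted(aliases):
        value = vncr.get(alias)
        if value is None:
            report[alias] = "missing"
        else:
            report[alias] = "ok" if value in ENABLED_VALUES else "disabled:" + value
    return report, sorted(set(vncr) - aliases)
```

A setting applied dynamically with lsnrctl set is not reflected in the file, so this checks only the persisted configuration that survives a listener restart.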

Best Answer

So a scanner program showed some nice text message without any facts (timestamp, addresses, how it determined the listener was vulnerable). Yet you say you saw nothing on the server.

The listener logs service registrations. It also logs rejected tries with VNCR enabled.

So here is my listener without the parameter set:

[oracle@o61 ~]$ cat /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
# listener.ora Network Configuration File: /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
# Generated by Oracle configuration tools.

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = o61.balazs.vm)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

ADR_BASE_LISTENER = /u01/app/oracle
[oracle@o61 ~]$ lsnrctl start

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 26-OCT-2018 22:45:22

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Starting /u01/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 11.2.0.4.0 - Production
System parameter file is /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/o61/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=o61.balazs.vm)(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=o61.balazs.vm)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date                26-OCT-2018 22:45:22
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Listener Log File         /u01/app/oracle/diag/tnslsnr/o61/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=o61.balazs.vm)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully

Now I set VNCR (not even in listener.ora, but dynamically):

[oracle@o61 ~]$ lsnrctl show valid_node_checking_registration

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 26-OCT-2018 22:46:35

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=o61.balazs.vm)(PORT=1521)))
LISTENER parameter "valid_node_checking_registration" set to
The command completed successfully

[oracle@o61 ~]$ lsnrctl set valid_node_checking_registration on

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 26-OCT-2018 22:46:43

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=o61.balazs.vm)(PORT=1521)))
LISTENER parameter "valid_node_checking_registration" set to on
The command completed successfully

From a different host, but on the same subnet (which does not matter now, because this level of the parameter rejects requests even from the same subnet):

[oracle@o62 ~]$ nslookup o61.balazs.vm
Server:         192.168.1.2
Address:        192.168.1.2#53

Name:   o61.balazs.vm
Address: 192.168.1.61

[oracle@o62 ~]$ nslookup o62.balazs.vm
Server:         192.168.1.2
Address:        192.168.1.2#53

Name:   o62.balazs.vm
Address: 192.168.1.62

[oracle@o62 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:fc:79:ce brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.62/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever

From a database instance, I try to register that instance into the listener on the other host:

[oracle@o62 ~]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Fri Oct 26 22:49:12 2018

Copyright (c) 1982, 2013, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> alter system set remote_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=o61.balazs.vm)(PORT=1521)))';

System altered.

Then, still no services:

[oracle@o61 ~]$ lsnrctl status

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 26-OCT-2018 22:49:50

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=o61.balazs.vm)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date                26-OCT-2018 22:45:22
Uptime                    0 days 0 hr. 4 min. 28 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Listener Log File         /u01/app/oracle/diag/tnslsnr/o61/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=o61.balazs.vm)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully

And in the log of the listener I see this:

[oracle@o61 ~]$ tail -10 /u01/app/oracle/diag/tnslsnr/o61/listener/trace/listener.log
Fri Oct 26 22:49:18 2018
Listener(VNCR option 1) rejected Registration request from destination 192.168.1.62
26-OCT-2018 22:49:18 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
Listener(VNCR option 1) rejected Registration request from destination 192.168.1.62
26-OCT-2018 22:49:21 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
Fri Oct 26 22:49:50 2018
WARNING: Subscription for node down event still pending
26-OCT-2018 22:49:50 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=o61.balazs.vm)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647552)) * status * 0

As you can see, the registration attempt was rejected; it works as intended. I still find it difficult to believe that you configured VNCR correctly and the scanner found the listener vulnerable.

Maybe the name of the parameter was mistyped, or the listener was not restarted. Or the scanner reports a false positive for whatever reason.

Anyway, you can simply test and confirm, just as I did above.
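As an added example that is not part of the answer, the parser below turns the rejection lines from the listener.log excerpt into a per-source summary with counts and first/last timestamps, the kind of fact the scanner report lacked; the sample log is constructed from the lines in the answer.

```python
import re
from datetime import datetime

# Rejection as logged by the listener (the source IP appears on this line only).
VNCR_REJECT = re.compile(
    r"^Listener\(VNCR option (?P<opt>\d+)\) rejected Registration request "
    r"from destination (?P<src>\S+)$")
# Audit-trail line that follows it and carries the timestamp and TNS error code 1182.
NSGR_1182 = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* service_register_NSGR \* 1182$")

# Constructed sample, modelled on the listener.log excerpt in the answer.
SAMPLE_LOG = """\
Fri Oct 26 22:49:18 2018
Listener(VNCR option 1) rejected Registration request from destination 192.168.1.62
26-OCT-2018 22:49:18 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
Listener(VNCR option 1) rejected Registration request from destination 192.168.1.62
26-OCT-2018 22:49:21 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
Fri Oct 26 22:49:50 2018
WARNING: Subscription for node down event still pending
26-OCT-2018 22:49:50 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=o61.balazs.vm)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647552)) * status * 0
"""

def summarize_rejections(log_text):
    """Group rejected remote registrations by source IP:
    {src: {"count", "first", "last", "vncr_option"}}. The VNCR line names the
    source; the service_register_NSGR line right after it supplies the timestamp."""
    summary, pending = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        m = VNCR_REJECT.match(line)
        if m:
            pending = (m.group("src"), int(m.group("opt")))
            continue
        m = NSGR_1182.match(line)
        if m and pending:
            src, opt = pending
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
            rec = summary.setdefault(src, {"count": 0, "first": ts, "last": ts, "vncr_option": opt})
            rec["count"] += 1
            rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
            pending = None
        elif " * " in line:
            pending = None  # some other audit record: drop an unpaired VNCR line
    return summary
```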