Author |
Topic: TNS Poisoning (Read 14983 times) |
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender: 
Posts: 309
|
 |
TNS Poisoning
« on: May 29th, 2012, 2:50pm » |
Quote | Modify
|
You might have heared about the latest Oracle security bug, the TNS Poisoning bug. It's a bug that exists since Oracle 8i.
What's the problem?
With this bug it is possible to register a listener on a remote location on an Oracle instance. The problem with that is that you can listen in on Oracle network traffic.
Oracle made it possible to add remote listeners to an instance for Oracle Real Application Clusters (RAC). Nowadays it is best practice in RAC systems to define (remote) so called SCAN listeners.
How big is the problem?
I don't know the CVSS score (the score that measures how severe a security bug is). Probably it's a pretty high CVSS score.
I've got questions of several people that never install Critical Patch Updates. Do that first, before you worry about this bug.
Why isn't the patch for this bug part of a Critical Patch Update?
The next Critical Patch Update will be available only in July. Very likely this bug will be solved in that CPU.
What is the solution at this moment?
There are three possible solutions: two for single instance databases (the usual setup) and one for RAC databases. See Oracle support note 1453883.1 for single instance and note 1340831.1 for RAC databases.
The short description: one of the solutions for single instance databases is a patch for bug 12880299. You can search patches on bugs in support.oracle.com. You’ll find it that way. The other single instance solution is changing the protocol with what de listener communicates with the database from TCP to IPC.
(I believe you also can turn of dynamic listener registration with a parameter. From then on you have to register a listener to the database manually.)
The RAC solution has to work around the fact that you actually want remote listeners to connect to a database. Remote SCAN listeners have become a best practice in high availability solutions. So Oracle had to think up a solution for that as well. And the solution is to protect listener-database communication with SSL. This solution is actually part of the Advanced Security option, but Oracle has allowed customers to use this particular Advanced Security functionality without having to pay for the license (if you don't have that license). If you implement any other functionality of the Oracle Advanced Security Option, you will have to pay for the license.
So if I choose the IPC solution, I don't need the patch?
It seems that way. I haven't tried it myself.
Why isn't there a patch for bug 12880299 on Windows?
Actually, there is: there is a patch for 11.1.0.7 and 11.2.0.3 on Windows (32 and 64 bit). It was issued later than the patches for Linux.
What's the impact of these solutions?
As far as I know: you have to restart one or more listeners.
|
|
 IP Logged |
Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Re: TNS Poisoning
« Reply #2 on: Jun 6th, 2012, 2:21pm » |
Quote | Modify
|
I've been reading a lot of Oracle CPU assessments by TeamSHATTER and I've learned that Oracle's CVSS scores can be lower due to their Partial+ scoring system. If not Oracle, the CVSS score would often be 9 or 10.
Quote:| Indeed, DYNAMIC_REGISTRATION_LISTENER=off sounds wise. You will then be back to the good old SID_LIST_LISTENER days... Probably the best protection |
|
If this is the way things are going (less userfriendly is more secure) we'll be dealing with maxextent in no time. 
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
|
Maybe other workaround exists