Tag Archives: Critical Patch Update

Oracle TNS Poison vulnerability

A few days after the last critical patch update Oracle had to post security alert for CVE-2012-1675. The issue also known as “TNS Listener Poison Attack” is affecting any Oracle Database Server. As a personal reference I have summarized the most important information about this topic.

Vulnerability Description

This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as “TNS Listener Poison Attack” affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have recommended solution applied. The post The history of a -probably- 13 years old Oracle bug: TNS Poison from Joxean Koret is explaining how this vulnerability can be exploited.

Impact

The attack point of this vulnerability is once again the Oracle listener. The impact of this vulnerability differs from the network configuration of the database server and listener. Public accessible listener will suffer a lot from this issue while internal listener a bit less.

  • Public accessible Listener e.g. listener is accessible from the internet => extremely critical
  • Listener is accessible by the company network e.g. any client can access the listener => very critical
  • Network zoning or network segmentation is used. E.g only a limited number of system accessing (application server) can access listener => critical

Bug fix

According to Oracle (see web sources below) there is no security fix for this issue. It probably will not be fixed before Oracle 12c. Until now there are several workarounds to eliminate or minimize the potential security risk.

Workaround

In order to prevent the exploitation of the vulnerability the dynamic registration must be switched of or it must be limited (e.g only local registrations, allow certain IP’s or identified by certificate )

  1. Switch off dynamic registration

    2. Switch off dynamic registration by setting dynamic_registration_LISTENER_NAME=off in listener.ora according to DYNAMIC_REGISTRATION_listener_name To switch off the dynamic registration is not an option if you’re using Oracle DataGuard, RAC or the PL/SQL Gateway in connection with APEX.

  2. Using Class of Secure Transport on single inctance databases

    3. Oracle recommend to set class of secure transportation to restrict instance registration to the local system. This parameter is available since Oracle 10.2.0.3 and can be implemented according to MOS Note 1453883.1

  3. Using Class of Secure Transport in Oracle RAC

    4. For RAC the use of COST is a bit more complex and require to configure SSL/TCPS. This is as well only possible for Oracle 10.2.0.3 and newer. It can be implemented according to MOS Note 1340831.1

  4. Limit Network Access

    5. Start using valid node checking to limit access to listener to certain IP addresses.

    TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODE = (Comma separated list of ALL valid, clients)
  5. Limit Network Access on the network

    6. As an alternative limit network access to certain listener on the network layer e.g. network segmentation, firewalls etc.

Strategy

I recommend to install the latest CPU / PSU as well as one of the workaround mentioned above. In it is a good advice to switch of remote registration in general if it is not used e.g for RAC.

What to do when the workaround is not available for the database release e.g 9i databases? From the security point of view I recommend to upgrade the database to the latest supported major release with in a useful time.

Web Sources

Web sources around this topic.

Important links around the Oracle CPU / PSU April 2012

I’ve been out of office when the April CPU / PSU has been officially released by Oracle and missed to write a blog post. Nevertheless I’ll now take the chance to put a few information and links around the latest CPU together.
The current CPU / PSU patches are available for 10g and 11g, whereby the download of 10g patches is only possible with a corresponding Extended Support contract.
Overall Oracle addressed 88 vulnerabilities for several Oracle products in this security advisory. 6 of these fixes are just for the Oracle Database Server and one for client-only installations. The maximum CVSS base score for pure Oracle Server vulnerabilities is 9.0, which is quite high. But the big bang are not security fixes with a CVSS of 9.0 but old vulnerabilities which are not fixed. oracle addressed them with a dedicated alert Oracle Security Alert for CVE-2012-1675. The alert is related to an issue identified by Joxean Koret somewhen in 2008 and known as TNS Poison I’ll post a few comments on this later this week.

Affected database component according to the Database Server Risk Matrix:

  • Core RDBMS (mainly Oracle Net)
  • OCI
  • Application Express
  • Enterprise Manager Base Platform

The Database Server Patch’s are available for Oracle Database 11g Release 2 (11.2.0.2, 11.2.0.3), Oracle Database 11g Release (11.1.0.7) and Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5). There is no patch available for Oracle Database 10g Release 1 (10.1.0.5).

A bunch of useful links around the current CPU / PSU:

As well as a few generic links about CPU / PSU:

Oracle CPU / PSU Pre-Release Announcement Januar 2012

Oracle has recently published the Pre-Release Announcement for the CPU Patch. This Critical Patch Update contains 78 new security vulnerability fixes for several Oracle products. 2 of these fixes are just for the Oracle Database Server, but none of them is for client-only installations. The maximum CVSS base score for pure Oracle Server vulnerabilities is 5.5, which seams to be not critical. But on the other hand Oracle mention that 1 of this 2 fixes can may be remotely exploitable without authentication. If this is true, I would expect a higher CVSS rating. We will see it next week in detailed. Nevertheless the following Database Server Products are affected.

  • Core RDBMS
  • Listener

So far the Database Server Patch’s are planned for Oracle Database 11g Release 2 (11.2.0.2,11.2.0.3), Oracle Database 11g Release (11.2.0.7), Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5) and Oracle Database 10g Release 1 (10.1.0.5). It looks like that the first CPU in 2012 is as well the first one for 11.2.0.3.

The official release for the CPU / PSU is planned for next week 17 Januar 2012. More details about the patch will follow soon on the Oracle Security Pages:

Oracle CPU / PSU Pre-Release Announcement October 2011

Oracle has recently published the Pre-Release Announcement for the CPU Patch. This Critical Patch Update contains 56 new security vulnerability fixes for several Oracle products. 4 of these fixes are just for the Oracle Database Server, but none of them is for client-only installations. The maximum CVSS base score for pure Oracle Server vulnerabilities is 6.5, which is high but not critical. The following Database Server Products are affected.

  • Application Express
  • Core RDBMS
  • Database Vault
  • Oracle Text

So far the Database Server Patch’s are planned for Oracle Database 11g Release 2 (11.2.0.2), Oracle Database 11g Release (11.2.0.7), Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5) and Oracle Database 10g Release 1 (10.1.0.5). There seems to be no CPU patch for 11.2.0.3.

The official release for the CPU / PSU is planned for next week 18 October 2011. More details about the patch will follow soon on the Oracle Security Pages: