Vulnerability Note VU#359816

Oracle database TNS listener vulnerability

Original Release date: 01 May 2012 | Last revised: 01 May 2012

Overview

The Oracle database component contains a vulnerability in the TNS listener service that may be exploited to sniff database traffic and run arbitrary database commands.

Description

The Oracle database component contains a vulnerability in the TNS listener service that has been referred to as (TNS Poison) in public discussions. The TNS listener service accepts unauthenticated remote registrations with the appropriate connect packet (COMMAND=SERVICE_REGISTER_NSGR). Joxean Koret's email to the Full Disclosure mailing list contains additional details. Oracle Security Alert for CVE-2012-1675 also contains more information.

Impact

An unauthenticated attacker may be able to register a client using an already registered database's instance name to perform a man-in-the-middle attack that allows the attack to sniff database traffic and inject database commands to the server.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds provided by Oracle.

Using Class of Secure Transport (COST) to Restrict Instance Registration

    "To demonstrate how the COST parameter "SECURE_REGISTER_listener_name = (IPC)" is used to restrict instance registration with database listeners. With this COST restriction in place only local instances will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only local instances."


Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC
    "To demonstrate how the COST parameter "SECURE_REGISTER_listener_name = " is used to restrict instance registration with local node and SCAN listeners in an 11.2. RAC environment. With COST restrictions in place only local and  authorized instances having appropriate credentials will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only those instances having appropriate credentials."

Additional information may be found at the links above.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Oracle CorporationAffected-01 May 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 5.9 E:POC/RL:OF/RC:C
Environmental 5.9 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

This vulnerability was discovered by Joxean Koret.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-1675
  • Date Public: 27 Apr 2012
  • Date First Published: 01 May 2012
  • Date Last Updated: 01 May 2012
  • Document Revision: 15

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.