The Oracle database component contains a vulnerability in the TNS listener service that may be exploited to sniff database traffic and run arbitrary database commands.
The Oracle database component contains a vulnerability in the TNS listener service that has been referred to as (TNS Poison) in public discussions. The TNS listener service accepts unauthenticated remote registrations with the appropriate connect packet (COMMAND=SERVICE_REGISTER_NSGR). Joxean Koret's email to the Full Disclosure mailing list contains additional details. Oracle Security Alert for CVE-2012-1675 also contains more information.
An unauthenticated attacker may be able to register a client using an already registered database's instance name to perform a man-in-the-middle attack that allows the attack to sniff database traffic and inject database commands to the server.
We are currently unaware of a practical solution to this problem. Please consider the following workarounds provided by Oracle.
"To demonstrate how the COST parameter "SECURE_REGISTER_listener_name = (IPC)" is used to restrict instance registration with database listeners. With this COST restriction in place only local instances will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only local instances."
This vulnerability was discovered by Joxean Koret.
This document was written by Jared Allar.
|Date First Published:||2012-05-01|
|Date Last Updated:||2012-05-01 18:30 UTC|