How to Prevent Remote Service Register with Listener

  • by

A vulnerability related to TNS listener has been reported in Oracle Security Alert for CVE-2012-1675, which is disclosed as “TNS Listener Poison Attack”. Attackers may exploit it to manipulate database instances without any authentication.

A remote user may exploit it to influence the confidentiality, integrity and availability of database systems. With applying Class of Secure Transports (COST) restriction which addresses this issue, only local instances will be allowed to register with local listener.

Please note that, for Oracle database 11.2.0.3 or early versions, you should fix Bug 12880299 before applying Class of Secure Transports (COST).

Before Applying Class of Secure Transports (COST)

1. List the services on the server db1

[oracle@db1 ~]$ lsnrctl services

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 30-JUL-2018 14:21:15

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
Services Summary...
Service "ORCL1" has 2 instance(s).
  Instance "ORCL1", status UNKNOWN, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0
         LOCAL SERVER
  Instance "ORCL1", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
Service "ORCL1XDB" has 1 instance(s).
  Instance "ORCL1", status READY, has 1 handler(s) for this service...
    Handler(s):
      "D000" established:0 refused:0 current:0 max:1022 state:ready
         DISPATCHER <machine: db1.example.com, pid: 4655>
         (ADDRESS=(PROTOCOL=tcp)(HOST=db1)(PORT=50429))
The command completed successfully

As we can see, there’re 2 ORCL1 service instances found in the listener, the first is a static one, and the other is a dynamic one. All services are from the local database.

Further reading: How to Add Static Service Registered in Listener

2. Register a remote service with the listener

In the remote server db2, we make REMOTE_LISTENER point to the port 1521 of db1, where it can find a listener to register with.

[oracle@db2 ~]$ sqlplus / as sysdba
...
SQL> alter system set remote_listener='(address=(protocol=tcp)(host=db1.example.com)(port=1521))' scope=memory;

System altered.

Then force Listener Registration (LREG) to register the service immediately.

SQL> alter system register;

System altered.

This will force Listener Registration (LREG) to register the service immediately.

3. List the services on the server db1 again

[oracle@db1 ~]$ lsnrctl services

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 30-JUL-2018 14:22:49

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
Services Summary...
Service "ORCL2" has 1 instance(s).
  Instance "ORCL2", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         REMOTE SERVER
         (ADDRESS=(PROTOCOL=TCP)(HOST=db2.example.com)(PORT=1521))
Service "ORCL2XDB" has 1 instance(s).
  Instance "ORCL2", status READY, has 1 handler(s) for this service...
    Handler(s):
      "D000" established:0 refused:0 current:0 max:1022 state:ready
         DISPATCHER <machine: db2.example.com, pid: 4435>
         (ADDRESS=(PROTOCOL=tcp)(HOST=db2)(PORT=52779))

Service "ORCL1" has 2 instance(s).
  Instance "ORCL1", status UNKNOWN, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0
         LOCAL SERVER
  Instance "ORCL1", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
Service "ORCL1XDB" has 1 instance(s).
  Instance "ORCL1", status READY, has 1 handler(s) for this service...
    Handler(s):
      "D000" established:0 refused:0 current:0 max:1022 state:ready
         DISPATCHER <machine: db1.example.com, pid: 4655>
         (ADDRESS=(PROTOCOL=tcp)(HOST=db1)(PORT=50429))
The command completed successfully

As we can see, the local listener allowed the remote instance on db2 to register services ORCL2 with it.

Further reading: How to Resolve The listener supports no services

Applying Class of Secure Transports (COST)

1. Add a COST restriction

The setting is simple, just add a Class of Secure Transports (COST) parameter called SECURE_REGISTER_listener_name to listener.ora like this:

[oracle@db1 ~]$ vi $ORACLE_HOME/network/admin/listener.ora
...
SECURE_REGISTER_LISTENER=(TCP)

Additionally, if you’re working on a RAC environment, you should add IPC in the list as well.

2. Restart the listener

A bounce on the listener is required to take the new setting effect.

[oracle@db1 ~]$ lsnrctl stop
...
[oracle@db1 ~]$ lsnrctl start
...

After Applying Class of Secure Transports (COST)

Now, we have to verify the consequences of Class of Secure Transports (COST).

1. List the services on the server db1

[oracle@db1 ~]$ lsnrctl services

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 30-JUL-2018 15:01:20

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
Services Summary...
Service "ORCL1" has 2 instance(s).
  Instance "ORCL1", status UNKNOWN, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0
         LOCAL SERVER
  Instance "ORCL1", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
Service "ORCL1XDB" has 1 instance(s).
  Instance "ORCL1", status READY, has 1 handler(s) for this service...
    Handler(s):
      "D000" established:0 refused:0 current:0 max:1022 state:ready
         DISPATCHER <machine: db1.example.com, pid: 4655>
         (ADDRESS=(PROTOCOL=tcp)(HOST=db1)(PORT=50429))
The command completed successfully

As we expected, we found no services from the remote server db2.

2. Check Listener Log

Let’s check what we can see in the listener’s log.

[oracle@db1 ~]$ tail -f $ORACLE_BASE/diag/tnslsnr/$(hostname -s)/listener/trace/listener.log
...
Mon JUL 30 15:01:34 2018
30-JUL-2018 15:01:34 * service_update * ORCL1 * 0
30-JUL-2018 15:01:43 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport

Mon JUL 30 15:02:04 2018
30-JUL-2018 15:02:04 * service_update * ORCL1 * 0
Mon JUL 30 15:02:34 2018
30-JUL-2018 15:02:34 * service_update * ORCL1 * 0
30-JUL-2018 15:02:43 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport

Mon JUL 30 15:03:01 2018
30-JUL-2018 15:03:01 * service_update * ORCL1 * 0
Mon JUL 30 15:03:31 2018
30-JUL-2018 15:03:31 * service_update * ORCL1 * 0
Mon JUL 30 15:03:43 2018
30-JUL-2018 15:03:43 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport

In the log, we found “TNS-01194: The listener command did not arrive in a secure transport”. Which means the remote instance tried to register services with the listener every 60 seconds but failed eventually.

Leave a Reply

Your email address will not be published. Required fields are marked *