
How Oracle Prevents TNS Listener Remote Poisoning

Oracle Security Alert for CVE-2012-1675 describes a vulnerability in the TNS listener known as the "TNS Listener Poison Attack". The listener accepts dynamic service registration from any host without authentication, so an attacker can register a bogus instance under the name of a legitimate service and have the listener route client connections through a host the attacker controls.

A remote user may exploit it to compromise the confidentiality, integrity and availability of the database. Oracle's fix is a Class of Secure Transports (COST) restriction: with it in place, only instances on the local host are allowed to register with the local listener.

Please note that on Oracle Database 11.2.0.3 and earlier versions you should apply the fix for Bug 12880299 before configuring Class of Secure Transports (COST).

Before Applying Class of Secure Transports (COST)

1. List the services on the server db1

[oracle@db1 ~]$ lsnrctl services

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 30-JUL-2018 14:21:15

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
Services Summary...
Service "ORCL1" has 2 instance(s).
  Instance "ORCL1", status UNKNOWN, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0
         LOCAL SERVER
  Instance "ORCL1", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
Service "ORCL1XDB" has 1 instance(s).
  Instance "ORCL1", status READY, has 1 handler(s) for this service...
    Handler(s):
      "D000" established:0 refused:0 current:0 max:1022 state:ready
         DISPATCHER <machine: db1.example.com, pid: 4655>
         (ADDRESS=(PROTOCOL=tcp)(HOST=db1)(PORT=50429))
The command completed successfully

As we can see, there are two ORCL1 instances registered with the listener: the first (status UNKNOWN) is a static registration from listener.ora, the second (status READY) is a dynamic one registered by the instance itself. All services come from the local database.

Further reading: How to Add Static Service Registered in Listener

2. Register a remote service with the listener

On the remote server db2, we point REMOTE_LISTENER at port 1521 of db1, where it will find a listener to register with. The change is made with scope=memory, so it does not survive an instance restart.

[oracle@db2 ~]$ sqlplus / as sysdba
...
SQL> alter system set remote_listener='(address=(protocol=tcp)(host=db1.example.com)(port=1521))' scope=memory;

System altered.

Then force the registration process (PMON in 11g, Listener Registration (LREG) from 12c onwards) to register the service immediately instead of waiting for its next periodic registration attempt:

SQL> alter system register;

System altered.

3. List the services on the server db1 again

[oracle@db1 ~]$ lsnrctl services

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 30-JUL-2018 14:22:49

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
Services Summary...
Service "ORCL2" has 1 instance(s).
  Instance "ORCL2", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         REMOTE SERVER
         (ADDRESS=(PROTOCOL=TCP)(HOST=db2.example.com)(PORT=1521))
Service "ORCL2XDB" has 1 instance(s).
  Instance "ORCL2", status READY, has 1 handler(s) for this service...
    Handler(s):
      "D000" established:0 refused:0 current:0 max:1022 state:ready
         DISPATCHER <machine: db2.example.com, pid: 4435>
         (ADDRESS=(PROTOCOL=tcp)(HOST=db2)(PORT=52779))

Service "ORCL1" has 2 instance(s).
  Instance "ORCL1", status UNKNOWN, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0
         LOCAL SERVER
  Instance "ORCL1", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
Service "ORCL1XDB" has 1 instance(s).
  Instance "ORCL1", status READY, has 1 handler(s) for this service...
    Handler(s):
      "D000" established:0 refused:0 current:0 max:1022 state:ready
         DISPATCHER <machine: db1.example.com, pid: 4655>
         (ADDRESS=(PROTOCOL=tcp)(HOST=db1)(PORT=50429))
The command completed successfully

As we can see, the local listener on db1 accepted the registration of services ORCL2 and ORCL2XDB from the remote instance on db2 without any authentication. This is exactly what a poisoning attack relies on: an attacker's instance could register under the name ORCL1 instead, and the listener would start handing out connections for ORCL1 to the attacker's host.

Further reading: How to Resolve The listener supports no services
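Spotting such a foreign registration by eye works for a two-host lab, but not for a listener serving many services. The following added example (my own code, not part of the original article) walks `lsnrctl services` output and prints every handler whose advertised host is not the listener's own host. The sample listing is constructed from the db1 output above; the function name foreign_hosts and the host-name comparison by first DNS label are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): flag instances registered with
# the listener from hosts other than the listener's own host.
# The sample below is constructed from the page's db1 listing.
SAMPLE_SERVICES=$(mktemp)
cat >"$SAMPLE_SERVICES" <<'EOF'
Services Summary...
Service "ORCL2" has 1 instance(s).
  Instance "ORCL2", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         REMOTE SERVER
         (ADDRESS=(PROTOCOL=TCP)(HOST=db2.example.com)(PORT=1521))
Service "ORCL2XDB" has 1 instance(s).
  Instance "ORCL2", status READY, has 1 handler(s) for this service...
    Handler(s):
      "D000" established:0 refused:0 current:0 max:1022 state:ready
         DISPATCHER <machine: db2.example.com, pid: 4435>
         (ADDRESS=(PROTOCOL=tcp)(HOST=db2)(PORT=52779))
Service "ORCL1" has 1 instance(s).
  Instance "ORCL1", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
Service "ORCL1XDB" has 1 instance(s).
  Instance "ORCL1", status READY, has 1 handler(s) for this service...
    Handler(s):
      "D000" established:0 refused:0 current:0 max:1022 state:ready
         DISPATCHER <machine: db1.example.com, pid: 4655>
         (ADDRESS=(PROTOCOL=tcp)(HOST=db1)(PORT=50429))
The command completed successfully
EOF

# foreign_hosts LOCALHOST [FILE]
# Walks `lsnrctl services` output (FILE, or stdin), remembers the current
# Service and Instance, and prints "service instance host" for every handler
# whose advertised host (DISPATCHER <machine: ...> or (HOST=...)) is not the
# local host. Short and fully qualified names are compared by their first label.
foreign_hosts() {
  awk -v lhost="$1" '
    BEGIN { split(lhost, l, "."); lshort = l[1] }
    /^Service "/    { svc = $2; gsub(/"/, "", svc) }
    /^  Instance "/ { inst = $2; gsub(/[",]/, "", inst) }
    { h = "" }
    /<machine: /    { h = $0; sub(/.*<machine: /, "", h); sub(/,.*/, "", h) }
    /\(HOST=/       { h = $0; sub(/.*\(HOST=/, "", h); sub(/\).*/, "", h) }
    h != "" {
      split(h, p, ".")
      key = svc SUBSEP inst SUBSEP p[1]
      # one line per (service, instance, host), even when both a DISPATCHER
      # line and an ADDRESS line name the same remote machine
      if (p[1] != lshort && !(key in seen)) { seen[key] = 1; print svc, inst, h }
    }
  ' "${2:-/dev/stdin}"
}

# On the sample this reports the two db2 registrations and nothing for ORCL1.
foreign_hosts db1 "$SAMPLE_SERVICES"
```

On a live system run `lsnrctl services | foreign_hosts "$(hostname)"` on the listener host. Any line it prints is an instance that registered from elsewhere; in a single-instance environment that should never happen, and under COST it cannot.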

Applying Class of Secure Transports (COST)

1. Add a COST restriction

The setting is simple: add the Class of Secure Transports (COST) parameter SECURE_REGISTER_listener_name to listener.ora, where listener_name is the name of the listener being protected (LISTENER here; a listener with another name needs its own SECURE_REGISTER_ line):

[oracle@db1 ~]$ vi $ORACLE_HOME/network/admin/listener.ora
...
SECURE_REGISTER_LISTENER=(TCP)

Additionally, if you are working in a RAC environment, add IPC to the list as well.

2. Restart the listener

The listener must be bounced for the new setting to take effect.

[oracle@db1 ~]$ lsnrctl stop
...
[oracle@db1 ~]$ lsnrctl start
...

After Applying Class of Secure Transports (COST)

Now we verify the effect of Class of Secure Transports (COST).

1. List the services on the server db1

[oracle@db1 ~]$ lsnrctl services

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 30-JUL-2018 15:01:20

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
Services Summary...
Service "ORCL1" has 2 instance(s).
  Instance "ORCL1", status UNKNOWN, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0
         LOCAL SERVER
  Instance "ORCL1", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
Service "ORCL1XDB" has 1 instance(s).
  Instance "ORCL1", status READY, has 1 handler(s) for this service...
    Handler(s):
      "D000" established:0 refused:0 current:0 max:1022 state:ready
         DISPATCHER <machine: db1.example.com, pid: 4655>
         (ADDRESS=(PROTOCOL=tcp)(HOST=db1)(PORT=50429))
The command completed successfully

As expected, no services from the remote server db2 appear, while the local ORCL1 registrations are unaffected.

The listener log confirms the refusal: the registration attempts from db2 were rejected with TNS-01194: The listener command did not arrive in a secure transport. Remember to reset REMOTE_LISTENER on db2 once the test is done (it was set with scope=memory, so a restart clears it too); otherwise the instance keeps retrying the refused registration and filling db1's listener log with that error.
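Because the COST parameter is keyed by listener name, a second listener in the same listener.ora (a Data Guard or test listener, say) stays wide open unless it gets its own SECURE_REGISTER_ line. The following added example (my own code, not from the original article) lists every listener defined in a listener.ora, reports whether registration on it is restricted, and counts TNS-01194 refusals in a listener.log. Both inputs are constructed here; the listener name LISTENER_DG, the ADR_BASE_LISTENER line and the timestamp layout of the log lines are assumptions, only the TNS-01194 message text comes from the page.

```shell
#!/bin/sh
# Added example (not from the original page): audit listener.ora for COST
# registration restrictions and count refused registrations in listener.log.

# Constructed listener.ora: LISTENER is restricted, LISTENER_DG is not.
SAMPLE_LSNR_ORA=$(mktemp)
cat >"$SAMPLE_LSNR_ORA" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.com)(PORT = 1521))
    )
  )

LISTENER_DG =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.com)(PORT = 1522))
  )

SECURE_REGISTER_LISTENER = (TCP)
ADR_BASE_LISTENER = /u01/app/oracle
EOF

# Constructed listener.log excerpt. Only the TNS-01194 message text is taken
# from the page; the timestamps and the rest of each line are assumptions.
SAMPLE_LSNR_LOG=$(mktemp)
cat >"$SAMPLE_LSNR_LOG" <<'EOF'
30-JUL-2018 15:01:31 * service_register * ORCL2 * 1194
TNS-01194: The listener command did not arrive in a secure transport
30-JUL-2018 15:02:02 * service_register * ORCL1 * 0
30-JUL-2018 15:02:31 * service_register * ORCL2 * 1194
TNS-01194: The listener command did not arrive in a secure transport
EOF

# listener_names FILE
# Prints the names whose value is a (DESCRIPTION...) or (ADDRESS...) block,
# i.e. listener definitions, and skips parameters such as SECURE_REGISTER_*
# or ADR_BASE_*. The value may start on the same line or on the next one.
listener_names() {
  awk '
    function classify(n, v) { if (v ~ /^\((DESCRIPTION|ADDRESS)/) print n }
    /^[A-Za-z_][A-Za-z0-9_]* *=/ {
      name = $0; sub(/ *=.*/, "", name)
      rest = $0; sub(/^[^=]*= */, "", rest)
      if (rest == "") { pending = name } else { classify(name, rest) }
      next
    }
    pending != "" && NF > 0 { classify(pending, $1); pending = "" }
  ' "$1"
}

# cost_registration_status FILE
# One line per listener: "NAME (transports)" when SECURE_REGISTER_NAME is set,
# "NAME UNRESTRICTED" when it is missing, meaning any host may register with it.
cost_registration_status() {
  for name in $(listener_names "$1"); do
    param=$(printf 'secure_register_%s' "$name" | tr 'A-Z' 'a-z')
    val=$(awk -v p="$param" '
      tolower($0) ~ ("^" p " *=") { v = $0; sub(/^[^=]*= */, "", v); print v }
    ' "$1")
    if [ -n "$val" ]; then
      printf '%s %s\n' "$name" "$val"
    else
      printf '%s UNRESTRICTED\n' "$name"
    fi
  done
}

# refused_registrations LOGFILE
# Number of registration attempts the listener rejected with TNS-01194.
refused_registrations() {
  grep -c 'TNS-01194' "$1" || true
}

cost_registration_status "$SAMPLE_LSNR_ORA"
printf 'registrations refused by COST: %s\n' "$(refused_registrations "$SAMPLE_LSNR_LOG")"
```

Point cost_registration_status at $ORACLE_HOME/network/admin/listener.ora and refused_registrations at the listener's log file; any UNRESTRICTED line is a listener that still accepts the remote registration demonstrated above, and a growing TNS-01194 count after the change is a remote instance (or an attacker) still trying.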
