November 22, 2014
The Oracle Database TNS listener service contains a vulnerability that has been referred to as "TNS Poison" in public discussions. The listener accepts unauthenticated remote instance registrations when sent the appropriate connect packet (COMMAND=SERVICE_REGISTER_NSGR). An unauthenticated attacker can therefore register a listener of their own under an already registered database's instance name, so that the real listener redirects new client connections through the attacker's host. That man-in-the-middle position lets the attacker sniff database traffic and inject database commands into the server session. Joxean Koret was the first to identify the issue, in 2008, and provided code that carries out the man-in-the-middle attack by hijacking the communication between client and database server.
Oracle addressed this risk in April 2012, both with a code fix and with two mechanisms for securing listeners against rogue registration: COST (Class Of Secure Transports) and VNCR (Valid Node Checking for Registration). COST is the supported solution for 10g through 11gR2, while from 11.2.0.4 and 12c onwards VNCR is available as the alternative to COST. COST is somewhat more complex to set up because it relies on a subset of Oracle Advanced Security (the TCPS transport, which needs wallets), which Oracle allows to be used without a licence only for securing listeners. VNCR is easy to configure compared to COST.
The Class of Secure Transports (COST) parameters (SECURE_REGISTER_listener_name, SECURE_CONTROL_listener_name and SECURE_PROTOCOL_listener_name in listener.ora) specify the list of transports that are considered secure for the administration and registration of a particular listener: which transports count as secure for that installation, and whether administration of the listener must arrive over a secure transport. COST restricts only registration and administration traffic; client connections using other protocols are not affected.
IPC protocol support is similar to BEQ protocol support in that it can only be used when the client program and the Oracle server are installed on the same system, which is why IPC can be listed as a secure transport for registration: a remote host has no way to reach it. IPC differs from BEQ in that it can be used with Oracle Shared Server configurations, and IPC requires a listener for its operation.
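Before touching wallets it is worth knowing which listeners on a host are still open to unauthenticated remote registration. The script below is an added example, not part of the original post: it reads a listener.ora and reports, per listener, whether DYNAMIC_REGISTRATION is off, whether COST (SECURE_REGISTER_listener_name) restricts registration to IPC/TCPS, or whether VNCR (VALID_NODE_CHECKING_REGISTRATION_listener_name) is on. The parameter names are Oracle's; the function names and the sample listener.ora are this example's own, constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a listener.ora for the
# controls that stop unauthenticated remote instance registration (TNS Poison).
# Parameter names are Oracle's: DYNAMIC_REGISTRATION_<listener>,
# SECURE_REGISTER_<listener> (COST) and
# VALID_NODE_CHECKING_REGISTRATION_<listener> (VNCR).
# Function names and the sample file below are assumptions of this example.

# listener_param FILE PREFIX LISTENER
# Prints the value of PREFIX_LISTENER from FILE, uppercased with whitespace and
# trailing comments removed; prints nothing when the parameter is absent.
listener_param() {
    grep -i "^[[:space:]]*${2}_${3}[[:space:]]*=" "$1" 2>/dev/null \
        | head -n 1 \
        | sed 's/^[^=]*=//; s/#.*$//' \
        | tr -d ' \t\r' \
        | tr '[:lower:]' '[:upper:]'
}

# only_secure_transports LIST
# Returns 0 when every transport in a COST list such as (IPC,TCPS) is one a
# remote unauthenticated host cannot use. Plain TCP anywhere in the list still
# leaves SERVICE_REGISTER open to the network.
only_secure_transports() {
    list=$(printf '%s' "$1" | tr -d '()')
    [ -n "$list" ] || return 1
    saved_ifs=$IFS
    IFS=,
    for t in $list; do
        case "$t" in
            IPC|TCPS) ;;
            *) IFS=$saved_ifs; return 1 ;;
        esac
    done
    IFS=$saved_ifs
    return 0
}

# tns_poison_status FILE LISTENER
# Prints the control protecting LISTENER (DYNREG_OFF, COST or VNCR) or
# UNPROTECTED, and returns 0 only when some control is in place.
tns_poison_status() {
    dyn=$(listener_param "$1" DYNAMIC_REGISTRATION "$2")
    cost=$(listener_param "$1" SECURE_REGISTER "$2")
    vncr=$(listener_param "$1" VALID_NODE_CHECKING_REGISTRATION "$2")

    if [ "$dyn" = OFF ]; then
        echo DYNREG_OFF; return 0
    fi
    if [ -n "$cost" ] && only_secure_transports "$cost"; then
        echo COST; return 0
    fi
    case "$vncr" in
        ON|1|LOCAL|SUBNET|2) echo VNCR; return 0 ;;
    esac
    echo UNPROTECTED
    return 1
}

# Demonstration on a constructed listener.ora: LISTENER is left at the
# defaults (remote registration allowed), LISTENER_SECURE is hardened with COST.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521))))

LISTENER_SECURE =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1522))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db01.example.com)(PORT = 2484))
      (ADDRESS = (PROTOCOL = IPC)(KEY = LISTENER_SECURE))))

# COST: only IPC and TCPS may carry SERVICE_REGISTER requests
SECURE_REGISTER_LISTENER_SECURE = (IPC, TCPS)
EOF
    for l in LISTENER LISTENER_SECURE; do
        printf '%-16s %s\n' "$l" "$(tns_poison_status "$tmp" "$l")"
    done
    rm -f "$tmp"
}

demo
```

Run it as the oracle user against `$ORACLE_HOME/network/admin/listener.ora` (replace the constructed file in `demo` with the real path); any listener reported as UNPROTECTED is the one the rest of this post's COST setup applies to. The check is deliberately strict: a SECURE_REGISTER list that still names TCP is reported as unprotected, because that is the transport a remote attacker uses.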
Here are the steps to configure COST on an 11g database.
Step 1: Create the wallet directories on each node (as root)
mkdir -p /etc/oracle/wallets/COST
chown -R oracle:dba /etc/oracle/wallets