Securing Oracle Listeners against TNS Poison Attack by COST

The Oracle Database TNS listener contains a vulnerability, tracked as CVE-2012-1675 and referred to in public discussions as "TNS Poison". The listener accepts unauthenticated remote service registrations from any client that sends the appropriate connect packet (COMMAND=SERVICE_REGISTER_NSGR). An unauthenticated attacker can therefore register a host of their own under an already registered database instance or service name; the listener then load-balances new client sessions to the attacker, who can proxy them to the real database, sniff the traffic and inject commands, a classic man-in-the-middle attack. Joxean Koret first identified the issue and wrote proof-of-concept code for the man-in-the-middle attack in 2008; it was publicly disclosed in 2012.

Oracle published its fix in April 2012, both as code changes and as two listener hardening mechanisms: COST (Class Of Secure Transports) and VNCR (Valid Node Checking for Registration). COST is the supported solution for 10g through 11gR2; from 11.2.0.4 onwards VNCR is available as an alternative to COST. COST is somewhat complex to set up because it relies on a subset of Oracle Advanced Security (TCPS with a wallet), which Oracle permits to be used without a separate license only for securing listener registration. VNCR is much simpler to configure than COST.

The Class Of Secure Transports (COST) parameters specify, per listener, the list of transports that are considered secure for administration and registration of that listener. Registration requests arriving over any transport not in the list are rejected, which is what closes the unauthenticated remote registration path above. The parameters also control whether administration of the listener requires a secure transport. COST does not affect ordinary client connections over other protocols; only registration and administration are restricted.

IPC protocol support is similar to BEQ protocol support in that it can only be used when the client program and the Oracle server are installed on the same system. IPC protocol support differs from BEQ protocol support in that it can be used with Oracle Shared Server configurations. IPC protocol support requires a listener for its operation.

Here are the steps to configure COST for an 11g RAC database.

Step-1 Create the wallet directory on each node (as root)

mkdir -p /etc/oracle/wallets/COST

chown -R oracle:dba /etc/oracle/wallets

Step-2 Create an auto-login wallet and self-signed certificate on node1 (as oracle)

orapki wallet create -wallet /etc/oracle/wallets/COST -auto_login -pwd [password]

Step-3 Validate the wallet

orapki wallet display -wallet /etc/oracle/wallets/COST -summary

Step-4 Remove the well-known trusted CA certificates that orapki pre-loads, so the wallet trusts only the certificate created in the next step

orapki wallet remove -trusted_cert_all -wallet /etc/oracle/wallets/COST -pwd [password]

Step-5 Create a new self-signed certificate

orapki wallet add -wallet /etc/oracle/wallets/COST -self_signed -dn "cn=CERT_COST" -keysize 2048 -validity 3650 -sign_alg sha1 -pwd [password]

SHA-1 is used here because that is what the original setup used; on releases whose orapki accepts -sign_alg sha256, prefer sha256, since SHA-1 signatures are deprecated.

Step-6 Restrict the permissions on the wallet files (cwallet.sso is the auto-login wallet and contains the private key without a password, so it must not be world-readable)

chmod 640 /etc/oracle/wallets/COST/{cwallet.sso,ewallet.p12}

Step-7 Copy the wallet files to the same directory on every other node, and re-check ownership and permissions there

scp /etc/oracle/wallets/COST/* node2:/etc/oracle/wallets/COST/

Step-8 Update $GRID_HOME/network/admin/listener.ora on each node with the COST configuration. SECURE_REGISTER_<listener_name> lists the transports over which that listener accepts service registration; registrations over any other transport are rejected.

Add the following lines to listener.ora in $GRID_HOME/network/admin (or in $TNS_ADMIN if that is set):

# Configuration for COST
SECURE_REGISTER_LISTENER_TEST_1522=(IPC,TCP)
SECURE_REGISTER_LISTENER_SCAN1=(IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN2=(IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN3=(IPC,TCPS)
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /etc/oracle/wallets/COST) ) )

Note that the SCAN listeners are restricted to IPC and TCPS, but the local listener entry above still lists TCP. That listener therefore continues to accept unauthenticated registration over plain TCP and stays exposed to the attack. Unless TCP registration to it is genuinely required, use (IPC) or (IPC,TCPS) for the local listener as well; if you drop TCP, LOCAL_LISTENER must then point at an IPC or TCPS address of that listener, otherwise PMON's own registration is rejected too.

Step-9 Update LOCAL_LISTENER in tnsnames.ora to use port 1522

Step-10 For ADC databases, remove any unnamed listeners from the CRS configuration

Step-11 Modify the SCAN listener to add an endpoint for the TCPS protocol (TCP on 1521 stays for client connections; TCPS on 1523 is the secure transport used for registration)

srvctl modify scan_listener -p TCP:1521/TCPS:1523

Step-12 Confirm the SCAN listener endpoints

srvctl config scan_listener

Step-13 Create sqlnet.ora in $TNS_ADMIN of the database home, so the instances can find the wallet when registering over TCPS, and include WALLET_LOCATION

WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /etc/oracle/wallets/COST) ) )

Step-14 Identify the IP addresses of the SCAN

srvctl config scan

Step-15 Create a new entry for REMOTE_LISTENER in the tnsnames.ora of the databases, using TCPS on the port added in Step-11. Each HOST value is one of the SCAN IP addresses found in Step-14 (SCAN names resolve to up to three addresses, hence three ADDRESS entries).

REMOTE_LISTENER.US.ORACLE.COM =
(DESCRIPTION =
     (ADDRESS = (PROTOCOL = TCPS)(HOST =)(PORT = 1523))
     (ADDRESS = (PROTOCOL = TCPS)(HOST =)(PORT = 1523))
     (ADDRESS = (PROTOCOL = TCPS)(HOST =)(PORT = 1523))
)

Step-16 Modify the remote_listener parameter in the database

alter system set remote_listener='REMOTE_LISTENER.US.ORACLE.COM' sid='*' scope=both;

Step-17 Restart the SCAN listener

srvctl stop scan_listener
srvctl start scan_listener

Step-18 Restart the local listener

srvctl stop listener -l LISTENER_TEST
srvctl start listener -l LISTENER_TEST

Step-19 Force PMON to register services

alter system register;

Step-20 Check service registration with every SCAN and local listener, for example with lsnrctl services LISTENER_SCAN1 (and the same for SCAN2, SCAN3 and LISTENER_TEST) on the node that currently hosts each listener. The services of every instance should be listed under each SCAN listener.

Step-21 If the services are not registered with the SCAN listeners, restart all instances in rolling fashion.

COST configuration complete now.
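Before restarting anything, it is worth checking the listener.ora on each node for the mistake the Step-8 configuration itself contains. The following POSIX shell script is an added example for this post, not Oracle's tooling and not from the original article: it parses a listener.ora offline, reports every SECURE_REGISTER_* entry that permits a transport other than IPC or TCPS, and flags TCPS entries with no WALLET_LOCATION. The two sample files it writes are constructed here; the weak one reproduces the Step-8 configuration, the strong one restricts the local listener to IPC. File names and the temporary directory are hypothetical.

```shell
#!/bin/sh
# cost_audit.sh -- audit a listener.ora for Class Of Secure Transports (COST).
# Added example for this post; not Oracle's tooling. It only parses the file
# and never talks to a listener. Paths and listener names are hypothetical.

# Emit one line per SECURE_REGISTER_<listener> entry: "<listener> <transport> ...".
# Comments (#...), blanks and case are normalised first.
cost_entries() {
    sed -e 's/#.*//' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]' |
    awk -F'=' '/^SECURE_REGISTER_/ {
        lname = substr($1, 17)            # strip the 16-char "SECURE_REGISTER_" prefix
        t = $2; gsub(/[()]/, "", t); gsub(/,/, " ", t)
        print lname, t
    }'
}

# Emit "<listener> <transport>" for every transport that is not IPC or TCPS.
# Anything else (TCP in particular) lets an unauthenticated remote peer register.
cost_violations() {
    cost_entries "$1" | awk '{
        for (i = 2; i <= NF; i++)
            if ($i != "IPC" && $i != "TCPS") print $1, $i
    }'
}

# Returns 0 when every listener is restricted to IPC/TCPS and a wallet is
# configured wherever TCPS is used; 1 otherwise, with findings on stdout.
cost_check() {
    f="$1"; rc=0
    n=$(cost_entries "$f" | awk 'END { print NR }')
    if [ "$n" -eq 0 ]; then
        echo "NO SECURE_REGISTER entries: COST is not enabled"
        return 1
    fi
    v=$(cost_violations "$f")
    if [ -n "$v" ]; then
        printf '%s\n' "$v" | sed 's/^/INSECURE registration transport: /'
        rc=1
    fi
    uses_tcps=$(cost_entries "$f" | awk '/TCPS/ { n++ } END { print n + 0 }')
    has_wallet=$(sed -e 's/#.*//' "$f" | tr -d ' \t' | tr '[:lower:]' '[:upper:]' |
                 awk '/^WALLET_LOCATION=/ { n++ } END { print n + 0 }')
    if [ "$uses_tcps" -gt 0 ] && [ "$has_wallet" -eq 0 ]; then
        echo "MISSING WALLET_LOCATION: TCPS registration cannot be served without a wallet"
        rc=1
    fi
    return $rc
}

# Constructed sample files (not real production configs). Remove the directory when done.
COST_DEMO=$(mktemp -d)

# Weak: the post's Step-8 configuration; the local listener still accepts TCP.
cat > "$COST_DEMO/listener_weak.ora" <<'EOF'
# Configuration for COST
SECURE_REGISTER_LISTENER_TEST_1522=(IPC,TCP)
SECURE_REGISTER_LISTENER_SCAN1=(IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN2=(IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN3=(IPC,TCPS)
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /etc/oracle/wallets/COST) ) )
EOF

# Strong: local listener restricted to IPC, SCAN listeners to IPC and TCPS.
cat > "$COST_DEMO/listener_strong.ora" <<'EOF'
# Configuration for COST
SECURE_REGISTER_LISTENER_TEST_1522=(IPC)
SECURE_REGISTER_LISTENER_SCAN1=(IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN2=(IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN3=(IPC,TCPS)
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /etc/oracle/wallets/COST) ) )
EOF

for f in "$COST_DEMO"/listener_*.ora; do
    echo "== $f"
    if cost_check "$f"; then echo "PASS"; else echo "FAIL"; fi
done
```

Run it against the real file with cost_check "$GRID_HOME/network/admin/listener.ora" on each node; the weak sample fails with "INSECURE registration transport: LISTENER_TEST_1522 TCP", which is exactly the gap a remote registration would still exploit.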

We will cover VNCR in our coming post, thanks for your time.


Disclaimer

The views expressed on this blog are my own and do not necessarily reflect the views of either the companies I have worked for or Oracle Corporation and its affiliates. The comments, views and opinions expressed by visitors on this blog are theirs alone and may not reflect mine. The scenarios suggested on this blog were simulated only in a demo environment, so it is advisable to test them on a test system before pushing them to your production environment.
