Shulou(Shulou.com)06/01 Report--

About CVE-2012-1675

Green League scanning system, reported a security breach, studied the following

Normal 0 7.8 lb 0 2 false false false EN-US ZH-CN X-NONE

Oracle security warning

It is described in Security warning CVE-2012-1675:

Http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html

The discoverer and description of this vulnerability

Http://seclists.org/fulldisclosure/2012/Apr/204

The vulnerability mainly affects listeners.

The main harm is that attackers can create a database with the same name as the current production database and register it with the monitoring of the production database.

This will cause the user connection to be routed to the instance created by the attacker, resulting in an interruption of the business response

Application reports ORA-12545: Connect failed because target host or object does not exist

Affected version

Although the security warning describes the beginning of 10203, it is actually any version starting from 8i

How to find an attacker

If you encounter an attack, it is not convenient to view the attacker's machine.

At that time, it was tested that the feasible method was to close the database instance and all connections, and check the machines still connected to port 1521.

There is no registrant's IP and hostname information in the listening log

TRC snooping could not find the IP and hostname of the registered listener

How to avoid being affected by this security vulnerability?

1. Setting listeners does not accept dynamic registration, and all instances are registered statically (single instance and RAC without load_balance)

two。 Set to allow only specific IP access listeners

3. Set Class of Secure Transport to allow only local instances or instances of specific machines to register with listeners.

This feature was introduced in 10203, but there is Bug 12880299-TCP handlers block if listener registration is restricted to IPC with COST [ID 12880299.8]

If the patch is not installed, only the dynamic snooping registration of IPC protocol can be restricted, and the default dynamic snooping registration of TCP protocol cannot be restricted.

If you use the TCP protocol between the monitor and the database, you need to install Patch22880299, which is included in each version of the latest PSU (not included in 10203)

11.2.0.4. Patch Set Update

11.2.0.3.3 Patch Set Update

11.2.0.2.7 Patch Set Update

11.1.0.7.12 Patch Set Update

10.2.0.5.8 Patch Set Update

10.2.0.4.13 Patch Set Update

Single instance, RAC of server load balancer is not ready to be enabled. For more information, please see

Using Class of Secure Transport (COST) to Restrict Instance Registration [ID 1453883.1]

Https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1

RAC that requires server load balancing. Refer to

Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1]

Https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1340831.1

1. Identify the solution

2. Application solution

3. Verify patching

4.Reference

1. Identify the solution

The solution given by the safety manufacturer:

Link: http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html

Follow this link for a solution:

1 2 3 4Solution Recommendations for protecting against this vulnerability can be found at: My Oracle Support Note 1340831.1 for Oracle Database deployments that use Oracle Real Application Clusters (RAC). My Oracle Support Note 1453883.1 for Oracle Database deployments that do not use RAC.

Currently, the environment here is not RAC. Refer to document 1453883.1:

Using Class of Secure Transport (COST) to Restrict Instance Registration (document ID 1453883.1)

Find two solutions:

1 2 3 4 5 6 7SOLUTION There are two methods that can be used to protect the listener using COST "SECURE_REGISTER_listener_name =" in stand alone database installations. 1) Restricting registration to the TCP protocol (Requires the fix for BUG:12880299)-or-2) Restricting registration to the IPC protocol (The patch for BUG:12880299 is NOT required for the IPC method) Either method accomplishes the same goal but it is your choice which type to implement subject to the restriction* noted below. Both methods will be discussed. The second method (using IPC) cannot be used if the database is a member of an Oracle Data Guard broker configuration.

I choose the first solution here:

1) Restricting registration to the TCP protocol (Requires the fix for BUG:12880299).

two。 Application solution

2.1 determine the status quo

Monitoring profile: listener.ora

Storage path: cd% ORACLE_HOME%/network/admin

Content (ensure security, all IP-related information has been processed twice):

? 12 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 2 listener.ora Network Configuration File: e:\ oracle\ product\ 10.2.0\ db_1\ NETWORK\ ADMIN\ listener.ora # Generated by Oracle configuration tools. LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC) (KEY = EXTPROC1521)) (ADDRESS = (PROTOCOL = TCP) (HOST = 192.168.1.138) (PORT = 1521) SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc) (ORACLE_HOME = E:\ oracle\ product\ 10.2.0\ db_1) (PROGRAM = extproc) (ENVS = "EXTPROC_DLLS=ANY") SID_DESC = (GLOBAL = orcl) (ORACLE_HOME = E:\ oracle\ product\ 10.2.0\ db_1) (SID_NAME = orcl) ADR_BASE_LISTENER = E:\ oracle

Database listening information, the original are null values:

? 1 2 3 4 5 6 7 8 9SQL > show parameter local_listener NAME TYPE VALUE-local_listener string SQL > show parameter remote_listener NAME TYPE VALUE-remote_listener string SQL >

2.2 try to apply the solution

2.2.1 stop snooping

Lsnrctl stop listener

2.2.2 modify the monitoring profile

1 2Add the COST TCP protocol restriction "SECURE_REGISTER_ [listener _ name] = (TCP)" to the listener.ora. Match the COST parameter variable listener_name with the name of the listener you are using in the listener.ora, e.g., If your listener name is "LISTENER_PROD" then use SECURE_REGISTER_LISTENER_PROD = (TCP)

Actual modification process:

Switch to the path where the listening profile is located:

Cd ORACLE_HOME%/network/admin

Modify the listener.ora file directly by adding a line at the end of the file:

1SECURE_REGISTER_LISTENER = (TCP)

2.2.3 start monitoring

Start monitoring:

1lsnrctl start listener

Register dynamic Monitoring now:

1SQL > alter system register

2.2.4 set local_listener

1 2alter system set local_listener='(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP) (HOST = 192.168.1.138) (PORT = 1521)) 'scope = both; show parameter local_listener

2.2.5 View monitoring service information

1 2 3 4 5lsnrctl services listener E:\ oracle\ product\ 10.2.0\ db_1\ network\ ADMIN > lsnrctl services listener LSNRCTL for 32-bit Windows: Version 10.2.0.3.0-Production on 21-September-2016 10:2 Copyright (c) 1991, 2006, Oracle. All rights reserved.

12 3 4 5 6 7 8 9 10 11 12 13 is connecting to (DESCRIPTION= (ADDRESS= (PROTOCOL=IPC) (KEY = EXTPROC1521)) service summary.. The service "PLSExtProc" contains 1 routine. Routine "PLSExtProc", status UNKNOWN, contains 1 handler for this service. Handler: "DEDICATED" established: 0 rejected: 0 LOCAL SERVER service "orcl" contains 1 routine. Routine "orcl", status UNKNOWN, contains 1 handler for this service. Handler: "DEDICATED" established: 3 rejected: 0 LOCAL SERVER command executed successfully

3. Verify patching

3.1Annotation COST rule verification snooping

3.1.1 comment out the COST rules for listener.ora files and restart snooping

1Comment the COST rule in listener.ora and restart the listener.

Modify the listener.ora file directly, adding a "#" comment to the line you added before.

1#SECURE_REGISTER_LISTENER = (TCP)

Restart monitoring:

1 2lsnrctl stop listener lsnrctl start listener

3.1.2 View the monitoring service information after setting remote_listener

Set up the remote_listener:

1 2SQL > alter system set remote_listener='(ADDRESS = (PROTOCOL = TCP) (HOST = 192.168.1.138) (PORT = 1521)) 'scope=memory; SQL > show parameter remote_listener

Fast dynamic Monitoring Registration:

1SQL > alter system register

Check the monitoring service information and find the word "REMOTE SERVER", indicating that the vulnerability exists at this time:

12 34 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 23 24 25 26 27 29 30 31 33 33 36 37 38 39 40 41E:\ oracle\ product\ 10.2.0\ db_1\ network\ ADMIN > lsnrctl services listener LSNRCTL for 32-bit Windows: Version 10.2.0.3.0-Production on 21-September-2016 4:18 Copyright (c) 1991, 2006, Oracle. All rights reserved. Connecting to (DESCRIPTION= (ADDRESS= (PROTOCOL=IPC) (KEY = EXTPROC1521)) service summary.. The service "PLSExtProc" contains 1 routine. Routine "PLSExtProc", status UNKNOWN, contains 1 handler for this service. Handler: "DEDICATED" established: 0 rejected: 0 LOCAL SERVER service "orcl" contains 2 routines. Routine "orcl", status UNKNOWN, contains 1 handler for this service. Handler: "DEDICATED" established: 0 rejected: 0 LOCAL SERVER routine "orcl", status READY, containing 2 handlers for this service. Handler: "DEDICATED" established: 0 rejected: 0 status: ready LOCAL SERVER "DEDICATED" established: 0 rejected: 0 status: ready REMOTE SERVER (DESCRIPTION= (ADDRESS= (PROTOCOL=IPC) (KEY = EXTPROC1521) Service "orclXDB" contains 1 routine. Routine "orcl", status READY, contains 1 handler for this service. Handler: "D000" established: 0 rejected: 0 current: 0 Max: 1002 status: ready DISPATCHER (ADDRESS= (PROTOCOL=tcp) (HOST=INSPUR-IRMS-138) (PORT=52676)) Service "orcl_XPT" contains 1 routine. Routine "orcl", status READY, contains 2 handlers for this service. Handler: "DEDICATED" established: 0 rejected: 0 status: ready LOCAL SERVER "DEDICATED" established: 0 rejected: 0 status: ready REMOTE SERVER (DESCRIPTION= (ADDRESS= (PROTOCOL=IPC) (KEY = EXTPROC1521) command executed successfully

3.2 Uncomment COST rules to verify listening

3.2.1 uncomment COST rules restart monitoring and quickly register to verify monitoring service information

Remove the "#" sign before the end of the listening file:

1SECURE_REGISTER_LISTENER = (TCP)

Restart monitoring:

1 2lsnrctl stop listener lsnrctl start listener

Quickly register for dynamic monitoring:

1SQL > alter system register

Verify the information of the listening service. According to the description of the official file, there should be no "REMOTE SERVER" in normal:

12 34 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 23 24 25 26 27 28 29 31 32 33 35 36 37 38E:\ oracle\ product\ 10.2.0\ db_1\ network\ ADMIN > lsnrctl services listener LSNRCTL for 32-bit Windows: Version 10.2.0.3.0-Production on 21-September-2016 0:23 Copyright (c) 1991, 2006, Oracle. All rights reserved. Connecting to (DESCRIPTION= (ADDRESS= (PROTOCOL=IPC) (KEY = EXTPROC1521)) service summary.. The service "PLSExtProc" contains 1 routine. Routine "PLSExtProc", status UNKNOWN, contains 1 handler for this service. Handler: "DEDICATED" established: 0 rejected: 0 LOCAL SERVER service "orcl" contains 2 routines. Routine "orcl", status UNKNOWN, contains 1 handler for this service. Handler: "DEDICATED" created: 1 rejected: 0 LOCAL SERVER routine "orcl", status READY, containing 1 handler for this service. Handler: "DEDICATED" established: 0 rejected: 0 status: blocked REMOTE SERVER (DESCRIPTION= (ADDRESS= (PROTOCOL=IPC) (KEY = EXTPROC1521) Service "orclXDB" contains 1 routine. Routine "orcl", status READY, contains 1 handler for this service. Handler: "D000" established: 0 rejected: 0 current: 0 Max: 1002 status: ready DISPATCHER (ADDRESS= (PROTOCOL=tcp) (HOST=INSPUR-IRMS-138) (PORT=52676)) Service "orcl_XPT" contains 1 routine. Routine "orcl", status READY, contains 1 handler for this service. Handler: "DEDICATED" has been established: 0 rejected: 0 status: blocked REMOTE SERVER (DESCRIPTION= (ADDRESS= (PROTOCOL=IPC) (KEY = EXTPROC1521)) command is successfully executed and the word "REMOTE SERVER" is actually found, but the corresponding listeners are all blocked.

3.2.2 View Monitoring Log

Cd ORACLE_HOME%/network/log

The listener.log log file already has TNS-01194 information, which is consistent with the official file:

1 23 4 5 6 721-September-2016 11:00:23 * (CONNECT_DATA= (CID= (PROGRAM=) (HOST=) (USER = Administrator)) (COMMAND=services) (ARGUMENTS=64) (SERVICE=listener) (VERSION=169870080)) * services * 021-September-2016 11:00:54 * service_register_NSGR * 1194 TNS-01194: listener commands did not reach secure transmission 21-September-2016 11:01:54 * service_register_NSGR * 1194 TNS-01194: monitor Program commands did not reach secure transfer 21-September-2016 11:02:54 * service_register_NSGR * 1194 TNS-01194: listener commands did not reach secure transfer

3.2.3 restore remote_listener settings

Test complete, restore remote_listener settings

1 2alter system set remote_listener= 'scope=memory; SQL > alter system set remote_listener=' scope=memory

3.2.4 View monitoring service information

12 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17E:\ oracle\ product\ 10.2.0\ db_1\ network\ ADMIN > lsnrctl services listener LSNRCTL for 32-bit Windows: Version 10.2.0.3.0-Production on 21-September-2016 2:17 Copyright (c) 1991, 2006, Oracle. All rights reserved. Connecting to (DESCRIPTION= (ADDRESS= (PROTOCOL=IPC) (KEY = EXTPROC1521)) service summary.. The service "PLSExtProc" contains 1 routine. Routine "PLSExtProc", status UNKNOWN, contains 1 handler for this service. Handler: "DEDICATED" established: 0 rejected: 0 LOCAL SERVER service "orcl" contains 1 routine. Routine "orcl", status UNKNOWN, contains 1 handler for this service. Handler: "DEDICATED" established: 1 rejected: 0 LOCAL SERVER command executed successfully

4.Reference

Using Class of Secure Transport (COST) to Restrict Instance Registration (document ID 1453883.1)

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.