Sunday, October 19, 2014

CVE-2012-1675 listener poisoning

Our team  was asked to see how CVE_2012_1675 affected us?


On our old infrastructure we use static registration and no default 1521 port nor dynamic registration, on a new machine SSC we make use of dynamic registration, ...



On a dev machine with a DB called HP_TEST  in 11.2.0.4 PSU 2 I did following


alter system set local_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=SSC_DEV)(PORT=1521))'



this generates in the listener.log on the SSC_DEV 

TNS-01184: Listener rejected registration or update of service handler "DEDICATED"
TNS-01185: Registration attempted from a remote node




which makes sense it is a different machine after all, how could it be local 


on the DEV machine  

alter system set remote_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=SSC_DEV)(PORT=1521))'


On the SSC_DEV


LSNRCTL for Solaris: Version 11.2.0.4.0 - Production on 15-OCT-2014 16:14:59

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Solaris: Version 11.2.0.4.0 - Production
Start Date                01-SEP-2014 16:44:30
Uptime                    43 days 23 hr. 30 min. 29 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/grid/product/11.2.0.4/grid/network/admin/listener.ora
Listener Log File         /u01/app/grid/diag/tnslsnr/ssc_dev/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ssc_dev)(PORT=1521)))
Services Summary...
Service "+ASM" has 1 instance(s).
  Instance "+ASM", status READY, has 1 handler(s) for this service...
Service "HPTEST" has 1 instance(s).
  Instance "HPTEST", status READY, has 1 handler(s) for this service...
The command completed successfully


 the instance registered with that listener ....


So yes the exploit is possible but requires to put remote_listener parameter


There are a couple of workaround one is to use COST (Class of Secure Transport) see MOS note Doc ID 1453883.1
But this solution requires to setup a wallet etc when using RAC which we do in our new SSC infrastructure so we decided to go for the >= 11.2.0.4 solution 


Byputting following in the listener. ora this is called Valid Node Checking for Registration (Doc ID 1600630.1)



After setting following in listener.ora and reloading the config

# CVE-2012-1675
VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
REGISTRATION_INVITED_NODES_LISTENER=(SSC_DEV)



 lsnrctl reload LISTENER

LSNRCTL for Solaris: Version 11.2.0.4.0 - Production on 15-OCT-2014 16:16:03

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
The command completed successfully
lsnrctl status

LSNRCTL for Solaris: Version 11.2.0.4.0 - Production on 15-OCT-2014 16:16:09

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Solaris: Version 11.2.0.4.0 - Production
Start Date                01-SEP-2014 16:44:30
Uptime                    43 days 23 hr. 31 min. 39 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/grid/product/11.2.0.4/grid/network/admin/listener.ora
Listener Log File         /u01/app/grid/diag/tnslsnr/ssc_dev/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=SSC_DEV)(PORT=1521)))
Services Summary...
Service "+ASM" has 1 instance(s).
  Instance "+ASM", status READY, has 1 handler(s) for this service...
The command completed successfully
/u01/app/grid/product/11.2.0.4/grid/network/admin$ lsnrctl status

LSNRCTL for Solaris: Version 11.2.0.4.0 - Production on 15-OCT-2014 16:16:18

Copyright (c) 1991, 2013, Oracle.  All rights reserved.



this isn't possible anymore and following error is encountered while trying to do

15-OCT-2014 16:16:09 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=SSC_DEV)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647552)) * status * 0
Listener(VNCR option 1) rejected Registration request from destination
15-OCT-2014 16:16:14 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""


15-OCT-2014 16:16:09 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=SSC_DEV)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647552)) * status * 0
Listener(VNCR option 1) rejected Registration request from destination
15-OCT-2014 16:16:14 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""


voila, hope this helps 



No comments: