====================================================================
CERT-Renater Information Note No. 2012/VULN205
____________________________________________________________________
DATE                 : 02/05/2012
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Oracle Database versions 11g, 10g.
======================================================================
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
http://www.kb.cert.org/vuls/id/359816
______________________________________________________________________

Oracle Security Alert for CVE-2012-1675

Description

This Security Alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has recently been disclosed as the "TNS Listener Poison Attack" affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have the recommended solution applied.

Affected Products and Versions

Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
Oracle Database 11g Release 1, version 11.1.0.7
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5

Since Oracle Fusion Middleware, Oracle Enterprise Manager and Oracle E-Business Suite include the Oracle Database component that is affected by this vulnerability, Oracle recommends that customers apply the solution for this vulnerability to the Oracle Database component.

Supported Products and Versions

Security Alert solutions are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that Security Alert solutions are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by this vulnerability. Supported Database releases are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Security Alert solutions are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to apply Security Alert solutions for products in the Extended Support Phase.

Solution

Recommendations for protecting against this vulnerability can be found at:

My Oracle Support Note 1340831.1 for Oracle Database deployments that use Oracle Real Application Clusters (RAC).
My Oracle Support Note 1453883.1 for Oracle Database deployments that do not use RAC.

Please note that Oracle has added Oracle Advanced Security SSL/TLS to the Oracle Database Standard Edition license when used with Real Application Clusters, and has added Oracle Advanced Security SSL/TLS to the Enterprise Edition Real Application Clusters (Oracle RAC) and RAC One Node options, so that the directions provided in the Support Notes referenced above can be applied by all Oracle customers without additional cost.

Note: Please refer to the Oracle licensing documentation available on Oracle.com regarding the licensing changes that allow Oracle Advanced Security SSL/TLS to be used with Oracle SE Oracle Real Application Clusters and with the Oracle Enterprise Edition Real Application Clusters (Oracle RAC) and Oracle RAC One Node options.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply this Security Alert solution as soon as possible.
References

Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
Oracle Security Alert CVE-2012-1675 Solution Documents [ My Oracle Support Note 1340831.1 and My Oracle Support Note 1453883.1 ]
Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
Risk Matrix definitions [ Risk Matrix Definitions ]
Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
English text version of the risk matrix [ Oracle Technology Network ]
List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]

Modification History

Date            Comments
2012-May-01     Rev 2. Updated Supported Products and Versions section
2012-April-30   Rev 1. Initial Release

______________________________________________________________________

Vulnerability Note VU#359816
Oracle database TNS listener vulnerability

Original Release date: 01 May 2012 | Last revised: 01 May 2012

The Oracle database component contains a vulnerability in the TNS listener service that may be exploited to sniff database traffic and run arbitrary database commands.

Description

The Oracle database component contains a vulnerability in the TNS listener service that has been referred to as "TNS Poison" in public discussions. The TNS listener service accepts unauthenticated remote registrations with the appropriate connect packet (COMMAND=SERVICE_REGISTER_NSGR). Joxean Koret's email to the Full Disclosure mailing list contains additional details. Oracle Security Alert for CVE-2012-1675 also contains more information.

Impact

An unauthenticated attacker may be able to register a client using an already registered database's instance name to perform a man-in-the-middle attack that allows the attacker to sniff database traffic and inject database commands to the server.
Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds provided by Oracle.

Using Class of Secure Transport (COST) to Restrict Instance Registration

"To demonstrate how the COST parameter "SECURE_REGISTER_listener_name = (IPC)" is used to restrict instance registration with database listeners. With this COST restriction in place only local instances will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only local instances."

Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC

"To demonstrate how the COST parameter "SECURE_REGISTER_listener_name = " is used to restrict instance registration with local node and SCAN listeners in an 11.2 RAC environment. With COST restrictions in place only local and authorized instances having appropriate credentials will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only those instances having appropriate credentials."

Additional information may be found at the links above.

Vendor Information

Vendor               Status     Date Notified   Date Updated
Oracle Corporation   Affected   -               01 May 2012

CVSS Metrics

Group           Score   Vector
Base            7.5     AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal        5.9     E:POC/RL:OF/RC:C
Environmental   5.9     CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1340831.1
http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1
http://seclists.org/fulldisclosure/2012/Apr/204
http://seclists.org/fulldisclosure/2012/Apr/343
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

Credit

This vulnerability was discovered by Joxean Koret.
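The COST workaround quoted above is only effective if every listener on the host actually carries the SECURE_REGISTER_listener_name parameter. The following audit script is an added example written for this note (it is not Oracle's or CERT's tooling): it scans a listener.ora, pairs each listener definition with its SECURE_REGISTER entry, and reports listeners that still accept registration over plain TCP. The listener.ora content, the host name and the allowed-transport set are constructed assumptions.

```python
"""Audit a listener.ora for the COST workaround quoted above (CVE-2012-1675).
Editor's own check, not Oracle's or CERT's tooling: every listener defined in the
file needs SECURE_REGISTER_<listener_name> whose transports are all in an allowed
set, IPC only by default (the non-RAC guidance). A listener without it, or one that
lists plain TCP, still accepts remote SERVICE_REGISTER_NSGR and is reported exposed."""
import re

# IPC comes from the non-RAC note on this page; a RAC deployment registering over
# TCPS with credentials would extend this set deliberately (assumption).
DEFAULT_ALLOWED = frozenset({"IPC"})

# A listener is a column-0 parameter whose value opens a DESCRIPTION/ADDRESS list;
# scalar parameters such as ADR_BASE_<listener> are therefore skipped.
LISTENER_DEF = re.compile(
    r"^(\w+)\s*=\s*\(\s*(?:DESCRIPTION_LIST|DESCRIPTION|ADDRESS_LIST|ADDRESS)\b",
    re.MULTILINE | re.IGNORECASE)
SECURE_REGISTER = re.compile(
    r"^SECURE_REGISTER_(\w+)\s*=\s*\(([^)]*)\)", re.MULTILINE | re.IGNORECASE)

def audit_listener_ora(text, allowed=DEFAULT_ALLOWED):
    """Map each listener name to 'restricted to ...' or an 'exposed: ...' reason."""
    restrictions = {m.group(1).upper(): [t.strip().upper() for t in m.group(2).split(",") if t.strip()]
                    for m in SECURE_REGISTER.finditer(text)}
    report = {}
    for m in LISTENER_DEF.finditer(text):
        name = m.group(1).upper()
        transports = restrictions.get(name)
        if not transports:
            report[name] = "exposed: no SECURE_REGISTER_%s, remote registration accepted" % name
            continue
        rejected = sorted(set(transports) - allowed)
        report[name] = ("exposed: allows registration over " + ",".join(rejected)
                        if rejected else "restricted to " + ",".join(transports))
    return report

# Constructed sample (not from any real host): one hardened listener, one legacy
# listener that never got the COST parameter, one non-listener scalar.
SAMPLE_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.invalid)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))))

LISTENER_LEGACY =
  (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.invalid)(PORT = 1522)))
ADR_BASE_LISTENER = /u01/app/oracle
SECURE_REGISTER_LISTENER = (IPC)
"""
```

Running audit_listener_ora(SAMPLE_LISTENER_ORA) reports LISTENER as restricted to IPC and LISTENER_LEGACY as exposed, which is the second listener an administrator would otherwise overlook after applying the note to the default one.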
This document was written by Jared Allar.

Other Information

CVE IDs:              CVE-2012-1675
Date Public:          27 Apr 2012
Date First Published: 01 May 2012
Date Last Updated:    01 May 2012
Document Revision:    15

======================================================================
=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44     +
+ 23 - 25 Rue Daviel    | fax  : 01-53-94-20-41     +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================