Oracle TNS Listener Poisoning Attack
Oracle database clients reach database services through the Oracle TNS Listener. The TNS listener poisoning attack exploits a weakness in the listener's dynamic service registration: the listener accepts registration of a database service from any host that can reach its port, with no authentication. Successful exploitation lets an attacker take complete control of an Oracle database, and the attack is carried out remotely, over the network, without any credentials. It is essentially a man-in-the-middle (MITM) attack and is tracked as CVE-2012-1675. Joxean Koret discovered the vulnerability in 2008 and disclosed it publicly in 2012.
- An attacker who can reach the listener port over the network registers a malicious (evil) service with the listener, using the same service name as the legitimate database service.
- No credentials are required to register a database service with the listener.
- The attacker can use Oracle database software itself, or other readily available tools, to register the malicious service.
Once the malicious service is registered under the same name as the legitimate one, the listener has two endpoints to choose from for that service name: the legitimate instance and the evil one.
With two registered endpoints for one service, the listener treats them as a load-balanced pair and hands out connections to the legitimate instance and the evil one in turn, so roughly half of new client sessions are directed to the evil endpoint. A client sent to the evil endpoint connects to the attacker's host, which forwards the traffic on to the real database; the session is now hijacked and the attacker sits in the middle, seeing everything that passes between those users and the database.
- The attacker has full visibility of what the hijacked users exchange with the database. At a minimum, the attacker can read and steal the data.
- The attacker can inject additional SQL statements into a hijacked session to broaden the attack or carry out further attacks.
- If a hijacked session belongs to a privileged user with the DBA role, the attacker effectively has complete control of the database, and the database is compromised.
- Oracle Database 12.1 or above: the default listener configuration in 12c protects you against this vulnerability. Still, verify that VALID_NODE_CHECKING_REGISTRATION_<listener_name> is set to LOCAL in listener.ora. With this setting, only database instances on the same server as the listener may register services with it; no remote registration is accepted. Oracle's clustering solution, Oracle RAC, does require remote registration, so to protect RAC from TNS poisoning you also set REGISTRATION_INVITED_NODES_<listener_name> to the IP addresses (or host names) of the cluster nodes that are allowed to register remotely.
- Oracle Database 11.2.0.4: set VALID_NODE_CHECKING_REGISTRATION_<listener_name> to LOCAL. The alternative values ON and 1 have the same effect. The default value on this release is OFF, which is insecure. As above, if you are running RAC you also need REGISTRATION_INVITED_NODES_<listener_name> so that instance registration is accepted from the trusted cluster nodes and from nowhere else.
- Oracle Database releases before 11.2.0.4: Oracle no longer supports these releases, and no security patches are provided for them. Upgrade as soon as possible.
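The remediation above comes down to two listener.ora parameters per listener. The following script, added here as an example and not part of the original article or of any Oracle tooling, audits a listener.ora file for exactly those parameters: it finds each listener definition, reports whether VALID_NODE_CHECKING_REGISTRATION_<listener_name> is set to a value that restricts registration to the local host (ON, 1 or LOCAL), to the subnet (SUBNET or 2), is explicitly OFF, or is not set at all (which means OFF on 11.2.0.4 and ON on 12.1 and later), and lists the REGISTRATION_INVITED_NODES_<listener_name> entries a RAC deployment needs. The two embedded listener.ora files are constructed samples (the host names and addresses in them are made up): the first shows the insecure 11.2.0.4 default, the second the hardened single-instance and RAC forms.

```python
"""Audit listener.ora for the TNS poisoning mitigation parameters (CVE-2012-1675)."""
import re

# Top-level parameters that can appear in listener.ora but are not listener definitions.
NON_LISTENER_PREFIXES = (
    "SID_LIST_", "VALID_NODE_CHECKING_REGISTRATION_", "REGISTRATION_INVITED_NODES_",
    "REGISTRATION_EXCLUDED_NODES_", "SECURE_REGISTER_", "SECURE_PROTOCOL_",
    "DYNAMIC_REGISTRATION_", "ADR_BASE_", "LOG_", "TRACE_", "DIAG_ADR_ENABLED_",
    "INBOUND_CONNECT_TIMEOUT_", "SUBSCRIBE_FOR_NODE_DOWN_EVENT_",
)
TOP_LEVEL = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Constructed sample: a typical 11.2.0.4 listener.ora with the insecure default.
WEAK_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521))
    )
  )

ADR_BASE_LISTENER = /u01/app/oracle
VALID_NODE_CHECKING_REGISTRATION_LISTENER = OFF
"""

# Constructed sample: hardened single-instance listener plus a RAC listener with invited nodes.
HARDENED_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521))
  )
VALID_NODE_CHECKING_REGISTRATION_LISTENER = LOCAL

LISTENER_RAC =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = rac-scan.example.com)(PORT = 1521))
  )
VALID_NODE_CHECKING_REGISTRATION_LISTENER_RAC = ON
REGISTRATION_INVITED_NODES_LISTENER_RAC = (10.10.1.11, 10.10.1.12)
"""


def parse_listener_ora(text):
    """Return {NAME: value} for every top-level assignment; indented lines continue the value."""
    entries, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        match = TOP_LEVEL.match(line) if not line[:1].isspace() else None
        if match:                                  # new top-level NAME = value
            name = match.group(1).upper()
            entries[name] = match.group(2).strip()
        elif name is not None:                     # continuation of the current value
            entries[name] = (entries[name] + " " + line.strip()).strip()
    return entries


def listener_names(entries):
    """A listener is a top-level key whose value is a parenthesised address block."""
    return [k for k, v in entries.items()
            if v.startswith("(") and not k.startswith(NON_LISTENER_PREFIXES)]


def audit(text):
    """Map each listener to its registration-check status and its invited nodes."""
    entries = parse_listener_ora(text)
    report = {}
    for lsnr in listener_names(entries):
        value = entries.get("VALID_NODE_CHECKING_REGISTRATION_" + lsnr, "").upper()
        invited = entries.get("REGISTRATION_INVITED_NODES_" + lsnr, "")
        nodes = [n.strip() for n in invited.strip("() ").split(",") if n.strip()]
        if value in {"ON", "1", "LOCAL"}:
            status = "local-only"      # remote registration rejected unless node is invited
        elif value in {"SUBNET", "2"}:
            status = "subnet"          # any host on the listener's subnet may register
        elif value in {"OFF", "0"}:
            status = "insecure"        # anyone who can reach the port may register
        else:
            status = "not-set"         # OFF on 11.2.0.4, ON on 12.1 and later
        report[lsnr] = {"status": status, "invited_nodes": nodes}
    return report


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        for lsnr, finding in audit(cfg).items():
            print(f"{label:8} {lsnr:14} {finding['status']:11} invited={finding['invited_nodes']}")
```

Run it against a real file with `audit(open("/path/to/listener.ora").read())`. Anything reported as `insecure`, `subnet`, or `not-set` on an 11.2.0.4 listener needs VALID_NODE_CHECKING_REGISTRATION_<listener_name> = LOCAL; a RAC listener reported as `local-only` with an empty invited-nodes list will reject the other cluster nodes' registrations, so it needs REGISTRATION_INVITED_NODES_<listener_name> as well. After editing listener.ora, reload the listener (`lsnrctl reload`) or restart it so the running process picks up the change.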
Years after this vulnerability was disclosed, many organizations running Oracle databases still have not remediated it. If yours is one of them, fix it as soon as possible.