Turning off dynamic listener registration on non-RAC systems to protect against “Oracle TNS Listener Poison Attack”

Environment: Oracle database 11.2.0.3 64-bit, Oracle Linux 6.2 64-bit

Oracle recently released a security alert (CVE-2012-1675) where they warn against a possible “Oracle TNS Listener Poison Attack”. There is no real fix, but there are a number of workarounds that you can use to protect your listeners against unauthorised hijacking.

One of the workarounds involves turning off dynamic registration of database instances by the listener service. However, this workaround can only be used for stand-alone, non-RAC installations. For RAC, you can implement secure transports, which are explained in My Oracle Support document 1453883.1 (if you have access to Oracle support).

Dynamic registration is turned on by default in Oracle 11g. To turn it off, there are two things you need to modify in your $ORACLE_HOME/network/admin/listener.ora file:

First, you need to add a description for all the database instances that the listener will handle. If you fail to do this, any clients trying to connect will receive “ORA-12154: TNS:could not resolve the connect identifier specified” errors after you have turned off dynamic registration.

This is an example for my instance “oratst.mydomain.com”:

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = oratst.mydomain.com)
      (ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1)
      (SID_NAME = oratst)
    )
  )

Note: the GLOBAL_DBNAME and SID_NAME can be found by checking the Oracle initialization parameters db_name, db_domain and instance_name.

Next, to turn off dynamic registration, you need to add the following line to the listener.ora file:

DYNAMIC_REGISTRATION_LISTENER = OFF

This is what my full listener.ora file looks like now:

# listener.ora Network Configuration File: /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora
# Generated by Oracle configuration tools.

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = oracle-tst.mydomain.com)(PORT = 1521))
    )
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = oratst.mydomain.com)
      (ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1)
      (SID_NAME = oratst)
    )
  )

ADR_BASE_LISTENER = /u01/app/oracle

# needed to solve a conflict with the ONS service installed in the OHS home
# see metalink note 284602.1
SUBSCRIBE_FOR_NODE_DOWN_EVENT_LISTENER = OFF

DYNAMIC_REGISTRATION_LISTENER = OFF

After this, use the listener control utility (lsnrctl) to reload your listener’s configuration, and check the status of the services and the dynamic registration:

>lsnrctl

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 24-MAY-2012 13:45:49

Copyright (c) 1991, 2011, Oracle.  All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> reload
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-tst.mydomain.com)(PORT=1521)))
The command completed successfully
LSNRCTL> services
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-tst.mydomain.com)(PORT=1521)))
Services Summary...
Service "oratst.mydomain.com" has 1 instance(s).
  Instance "oratst", status UNKNOWN, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0
         LOCAL SERVER
The command completed successfully
LSNRCTL> show dynamic_registration
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-tst.mydomain.com)(PORT=1521)))
LISTENER parameter "dynamic_registration" set to OFF
The command completed successfully

Note: the status “UNKNOWN” is normal when you are not using dynamic registration.

Finally, check if you can still connect to the database using a remote client!
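As an added check that is not part of the original post, the following shell script audits a listener.ora file for the two changes described above: for every listener defined in the file (a top-level entry whose value contains an ADDRESS) it verifies that DYNAMIC_REGISTRATION_<name> is explicitly set to OFF and that SID_LIST_<name> contains at least one static SID_DESC, so a listener cannot be left in the default (dynamic registration ON) state by mistake. The sample configuration it writes is constructed for the demonstration; the host names, paths and the second listener "LISTENER2" are placeholders, and the function names are my own.

```shell
#!/bin/sh
# Audit a listener.ora for the dynamic-registration workaround (added example,
# not Oracle's tooling). Works with POSIX sh, awk and grep.

# Constructed sample listener.ora: LISTENER follows the post, LISTENER2 is a
# deliberately incomplete second listener (no SID_LIST, no DYNAMIC_REGISTRATION).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/listener.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = oracle-tst.mydomain.com)(PORT = 1521))
    )
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = oratst.mydomain.com)
      (ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1)
      (SID_NAME = oratst)
    )
  )

ADR_BASE_LISTENER = /u01/app/oracle
DYNAMIC_REGISTRATION_LISTENER = OFF

LISTENER2 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = oracle-tst.mydomain.com)(PORT = 1522))
  )
EOF

# Print the name of every listener in the file: a top-level key (no leading
# whitespace) whose value, on the same or following lines, contains an ADDRESS.
listener_names() {
    awk '
        /^[A-Za-z0-9_]+[ \t]*=/ { key = $0; sub(/[ \t]*=.*/, "", key) }
        /\(ADDRESS[ \t]*=/ && key != "" && !(key in seen) { seen[key] = 1; print key }
    ' "$1"
}

# Succeed (exit 0) only if DYNAMIC_REGISTRATION_<name> = OFF is present.
# An absent parameter means the 11g default, which is ON.
dynamic_registration_off() {
    grep -Eiq "^[[:space:]]*DYNAMIC_REGISTRATION_$2[[:space:]]*=[[:space:]]*OFF[[:space:]]*$" "$1"
}

# Count the SID_DESC entries inside SID_LIST_<name>; 0 means clients would
# get ORA-12154 once dynamic registration is off.
static_sid_count() {
    awk -v target="SID_LIST_$2" '
        /^[A-Za-z0-9_]+[ \t]*=/ { key = $0; sub(/[ \t]*=.*/, "", key) }
        key == target && /\(SID_DESC[ \t]*=/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Report one line per listener; return 1 if any listener still allows
# dynamic registration or has no static SID_DESC.
audit_listener_ora() {
    rc=0
    for name in $(listener_names "$1"); do
        sids=$(static_sid_count "$1" "$name")
        if dynamic_registration_off "$1" "$name"; then dyn=OFF; else dyn=ON; rc=1; fi
        [ "$sids" -gt 0 ] || rc=1
        printf '%s: dynamic_registration=%s static_sids=%s\n' "$name" "$dyn" "$sids"
    done
    return $rc
}

# Stand-alone run against the sample: LISTENER passes, LISTENER2 is flagged.
audit_listener_ora "$SAMPLE_DIR/listener.ora" || echo "listener.ora needs attention"
```

Point the audit at the real file ($ORACLE_HOME/network/admin/listener.ora) instead of the sample to check a live system; a non-zero exit makes it usable from a configuration-compliance job. Note that the parser recognises one top-level key per line and counts SID_DESC blocks by their opening line, which is enough for files in the layout Oracle's configuration tools generate.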

HTH,
Matthias
