CVE-2012-1675 is an Oracle vulnerability that allows an attacker, without supplying a username or password, to poison the data handled by the remote "TNS Listener" component.
For example: an attacker who needs no credentials can abuse the data messages carried over the network (encrypted or unencrypted); combined with CVE-2012-3137 (password cracking), this can further affect, and even take control of, any database on the local network.
COST is short for Class of Secure Transports. It is a security control provided to govern instance registration: for a given listener, it restricts which instances may register and over which protocols. This prevents malicious registration by other remote instances and the information leakage and other risks that follow from it.
It is enabled by setting the parameter SECURE_REGISTER_listener_name in listener.ora to a transport list (the permitted registration protocols, such as IPC, TCP or TCPS). The feature has been supported since version 10.2.0.3 (although the 10g R2 online documentation does not state this explicitly) and remains available in 11.2.0.4 and later. After 11.2.0.4, however, Oracle recommends using the default VNCR configuration instead.
This configuration addresses the Oracle remote data poisoning vulnerability (CVE-2012-1675).
Configuration:
I. Use COST over TCP to restrict registration to the local instance
1. Add "SECURE_REGISTER_listener_name = (TCP)" to listener.ora
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )
SECURE_REGISTER_LISTENER_PROD = (TCP)
2. Restart the listener
$ lsnrctl stop
$ lsnrctl start
II. Use COST over IPC to restrict registration to the local instance
1. Stop the listener
$ lsnrctl stop
2. Add "SECURE_REGISTER_listener_name = (IPC)" to listener.ora
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )
SECURE_REGISTER_LISTENER_PROD = (IPC)
3. Start the listener
$ lsnrctl start
Verification:
1. Comment out the setting and restart the listener
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )
# SECURE_REGISTER_LISTENER_PROD = (TCP)
2. Change the remote_listener system parameter
$ sqlplus "/ as sysdba"
SQL*Plus: Release 10.2.0.5.0 - Production on Fri May 4 10:11:27 2012
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> show parameter remote_listener;
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_listener string
SQL> alter system set remote_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=netfl-bde)(PORT=1551))' scope=memory;
System altered.
3. Check that the listener's services show a "REMOTE SERVER" entry
LSNRCTL> services listener_prod
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC2)))
Services Summary...
Service "N102.us.oracle.com" has 1 instance(s).
Instance "N102", status READY, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0 state:ready
REMOTE SERVER
(ADDRESS=(PROTOCOL=TCP)(HOST=mes2)(PORT=1521))
The command completed successfully
4. Remove the comment in listener.ora and restart the listener
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )
SECURE_REGISTER_LISTENER_PROD = (TCP)
This enables the remote-registration protocol restriction: clients connecting from host netfl-bde can reach the database instance only over TCP on port 1551.
5. Force registration with the remote listener
SQL> alter system register;
System altered.
6. Restart the listener, then check whether the listener's services still show a "REMOTE SERVER" entry
[oracle@bde]$ lsnrctl
LSNRCTL for Linux: Version 11.2.0.2.0 - Production on 04-MAY-2012 10:42:57
Copyright (c) 1991, 2010, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> services listener_prod
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC2)))
The listener supports no services
The command completed successfully
7. Check the listener log; it now contains TNS-01194 messages showing that the registration was refused
$ tail /u01/app/oracle/product/11.2.0.2/network/log/listener.log
04-MAY-2012 10:43:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=netfl-bde)(USER=oracle))
(COMMAND=services)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647040)) * services * 0
04-MAY-2012 10:43:05 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
04-MAY-2012 10:44:05 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
8. Verification complete; clear the remote_listener system parameter
SQL> alter system set remote_listener='' scope=memory;
System altered.
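As an added example (not code from the original post), a POSIX shell audit that checks a listener.ora for the SECURE_REGISTER_<listener> entry described above and counts the TNS-01194 refusals from step 7 in listener.log. It assumes a listener is any top-level "NAME =" entry whose body contains "(ADDRESS"; the sample files are constructed to mirror the post.

```shell
# Added example, not part of the original post: audit listener.ora for the COST
# setting and count TNS-01194 refusals in listener.log. Assumption: a listener is
# a top-level "NAME =" entry whose body contains "(ADDRESS" (SID_LIST_* entries do not).
# Prints "<NAME> protected <transports>" or "<NAME> UNPROTECTED" per listener.
# Exit status is 1 if any listener lacks a SECURE_REGISTER_<NAME> line.
cost_audit() {
    awk '
    /^[[:space:]]*#/ { next }                        # skip commented-out lines
    /^[A-Za-z][A-Za-z0-9_]*[[:space:]]*=/ {          # start of a top-level entry
        name = $0; sub(/[[:space:]]*=.*/, "", name); name = toupper(name)
        if (name ~ /^SECURE_REGISTER_/) {
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val)
            secure[substr(name, 17)] = val           # key = listener name after prefix
            cur = ""
        } else cur = name
    }
    cur != "" && /\(ADDRESS/ { is_listener[cur] = 1 }
    END {
        rc = 0
        for (n in is_listener) {
            if (n in secure) printf "%s protected %s\n", n, secure[n]
            else { printf "%s UNPROTECTED\n", n; rc = 1 }
        }
        exit rc
    }' "$1"
}
# Number of registrations the listener refused because they did not arrive over
# a transport named in SECURE_REGISTER_<NAME>; always exits 0 so "0" is printable.
tns01194_count() {
    grep -c 'TNS-01194' "$1" || true
}
# Constructed sample input mirroring the post's listener.ora and log excerpt.
demo_dir=$(mktemp -d)
cat > "$demo_dir/listener.ora" <<'EOF'
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551)))
  )
# SECURE_REGISTER_LISTENER_PROD = (TCP)
EOF
cat > "$demo_dir/listener.log" <<'EOF'
04-MAY-2012 10:43:05 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
04-MAY-2012 10:44:05 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
EOF
cost_audit "$demo_dir/listener.ora" || echo "listener.ora needs a SECURE_REGISTER entry"
echo "refused registrations: $(tns01194_count "$demo_dir/listener.log")"
```

Point cost_audit at $ORACLE_HOME/network/admin/listener.ora and tns01194_count at the listener.log path shown in step 7 to run it against a real installation.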
Most detailed explanations:
http://blog.itpub.net/17997/viewspace-763695/
https://blog.csdn.net/wengtf/article/details/46632405
Non-RAC procedure:
https://blog.csdn.net/brj880719/article/details/53158507
https://www.linuxidc.com/Linux/2016-09/135428.htm
Problem description:
http://blog.itpub.net/17997/viewspace-763695/
COST description:
https://blogs.oracle.com/database4cn/class-of-secure-transport-cost