Software Engineering Institute

The Oracle database component contains a vulnerability in the TNS listener service that has been referred to as (TNS Poison) in public discussions. The TNS listener service accepts unauthenticated remote registrations with the appropriate connect packet (COMMAND=SERVICE_REGISTER_NSGR). Joxean Koret's email to the Full Disclosure mailing list contains additional details. Oracle Security Alert for CVE-2012-1675 also contains more information.

An unauthenticated attacker may be able to register a client using an already registered database's instance name to perform a man-in-the-middle attack that allows the attack to sniff database traffic and inject database commands to the server.

We are currently unaware of a practical solution to this problem. Please consider the following workarounds provided by Oracle.

Using Class of Secure Transport (COST) to Restrict Instance Registration

"To demonstrate how the COST parameter "SECURE_REGISTER_listener_name = (IPC)" is used to restrict instance registration with database listeners. With this COST restriction in place only local instances will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only local instances."

Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC
"To demonstrate how the COST parameter "SECURE_REGISTER_listener_name = " is used to restrict instance registration with local node and SCAN listeners in an 11.2. RAC environment. With COST restrictions in place only local and  authorized instances having appropriate credentials will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only those instances having appropriate credentials."

Additional information may be found at the links above.