Our team  was asked to see how CVE_2012_1675 affected us?
On our old infrastructure we use static registration and no default 1521 port nor dynamic registration, on a new machine SSC we make use of dynamic registration, …
On a dev machine with a DB called HP_TEST  in 11.2.0.4 PSU 2 I did following

alter system set local_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=SSC_DEV)(PORT=1521))’

this generates in the listener.log on the SSC_DEV 
TNS-01184: Listener rejected registration or update of service handler “DEDICATED”
TNS-01185: Registration attempted from a remote node


which makes sense it is a different machine after all, how could it be local 
on the DEV machine  
alter system set remote_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=SSC_DEV)(PORT=1521))’
On the SSC_DEV

LSNRCTL for Solaris: Version 11.2.0.4.0 – Production on 15-OCT-2014 16:14:59
Copyright (c) 1991, 2013, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
————————
Alias                     LISTENER
Version                   TNSLSNR for Solaris: Version 11.2.0.4.0 – Production
Start Date                01-SEP-2014 16:44:30
Uptime                    43 days 23 hr. 30 min. 29 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/grid/product/11.2.0.4/grid/network/admin/listener.ora
Listener Log File         /u01/app/grid/diag/tnslsnr/ssc_dev/listener/alert/log.xml
Listening Endpoints Summary…
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ssc_dev)(PORT=1521)))
Services Summary…
Service “+ASM” has 1 instance(s).
  Instance “+ASM”, status READY, has 1 handler(s) for this service…
Service “HPTEST” has 1 instance(s).
  Instance “HPTEST”, status READY, has 1 handler(s) for this service…
The command completed successfully
 the instance registered with that listener ….
So yes the exploit is possible but requires to put remote_listener parameter

There are a couple of workaround one is to use COST (Class of Secure Transport) see MOS note Doc ID 1453883.1
But this solution requires to setup a wallet etc when using RAC which we do in our new SSC infrastructure so we decided to go for the >= 11.2.0.4 solution 

Byputting following in the listener. ora this is called Valid Node Checking for Registration (Doc ID 1600630.1)


After setting following in listener.ora and reloading the config
# CVE-2012-1675
VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
REGISTRATION_INVITED_NODES_LISTENER=(SSC_DEV)
 lsnrctl reload LISTENER
LSNRCTL for Solaris: Version 11.2.0.4.0 – Production on 15-OCT-2014 16:16:03
Copyright (c) 1991, 2013, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
The command completed successfully
lsnrctl status
LSNRCTL for Solaris: Version 11.2.0.4.0 – Production on 15-OCT-2014 16:16:09
Copyright (c) 1991, 2013, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
————————
Alias                     LISTENER
Version                   TNSLSNR for Solaris: Version 11.2.0.4.0 – Production
Start Date                01-SEP-2014 16:44:30
Uptime                    43 days 23 hr. 31 min. 39 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/grid/product/11.2.0.4/grid/network/admin/listener.ora
Listener Log File         /u01/app/grid/diag/tnslsnr/ssc_dev/listener/alert/log.xml
Listening Endpoints Summary…
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=SSC_DEV)(PORT=1521)))
Services Summary…
Service “+ASM” has 1 instance(s).
  Instance “+ASM”, status READY, has 1 handler(s) for this service…
The command completed successfully
/u01/app/grid/product/11.2.0.4/grid/network/admin$ lsnrctl status
LSNRCTL for Solaris: Version 11.2.0.4.0 – Production on 15-OCT-2014 16:16:18
Copyright (c) 1991, 2013, Oracle.  All rights reserved.
this isn’t possible anymore and following error is encountered while trying to do
15-OCT-2014 16:16:09 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=SSC_DEV)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647552)) * status * 0
Listener(VNCR option 1) rejected Registration request from destination
15-OCT-2014 16:16:14 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service “”
15-OCT-2014 16:16:09 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=SSC_DEV)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647552)) * status * 0
Listener(VNCR option 1) rejected Registration request from destination
15-OCT-2014 16:16:14 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service “”
voila, hope this helps 
On By phil

Leave a Reply

Related Post