1. Overview
Oracle Database Server has a vulnerability that lets an attacker poison data handled by the remote "TNS Listener" component. An attacker can exploit it to divert data from the database server's legitimate TNS Listener to an attacker-controlled system, gaining control over the database instance served by the remote component and enabling man-in-the-middle, session hijacking or denial-of-service attacks between the component and the legitimate database. This document blocks the listener poisoning vulnerability by restricting listener registration. Note that it applies to single-instance or RAC databases from version 10.2.0.3 to 11.2.0.3. For 11.2.0.4 databases, see Doc ID 1600630.1 and the note at the bottom of this document.
2. Preparation
Check the required patch
Patch 12880299 must be present.
Create the wallet
On node 1, as the oracle user:
mkdir /oracle/grid/crs_1/network/admin/cost
$ orapki wallet create -wallet /oracle/grid/crs_1/network/admin/cost
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:
The password was set to uni09net.
orapki wallet remove -trusted_cert_all -wallet /oracle/grid/crs_1/network/admin/cost
(This step can be skipped; it removes everything inside cost.)
Add node 1 to the wallet
orapki wallet add -wallet /oracle/grid/crs_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
$ orapki wallet add -wallet /oracle/grid/crs_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
PKI-02003: Unable to load the wallet at: /oracle/grid/crs_1/network/admin/cost
[oracle@apple1 ~]$ orapki wallet add -wallet /oracle/grid/crs_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Display the contents of cost:
orapki wallet display -wallet /oracle/grid/crs_1/network/admin/cost -summary
$ orapki wallet display -wallet /oracle/grid/crs_1/network/admin/cost -summary
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Requested Certificates:
User Certificates:
Subject: CN=secure_register
Trusted Certificates:
Subject: CN=secure_register
Copy the cost wallet file to node 2 under the oracle user (create the directory there in advance):
scp /oracle/grid/crs_1/network/admin/cost/ewallet.p12 apple2:/oracle/grid/crs_1/network/admin/cost
2.5 As the oracle user, create the sso file on both nodes
orapki wallet create -wallet /oracle/grid/crs_1/network/admin/cost -auto_login
$ orapki wallet create -wallet /oracle/grid/crs_1/network/admin/cost -auto_login
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Change the permissions
chmod 640 cwallet.sso
-rw-r-----. 1 oracle oinstall 2485 Aug  2 09:09 cwallet.sso
-rw-------. 1 oracle oinstall 2408 Aug  2 09:07 ewallet.p12
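As an added example (not part of the original write-up), the following Python check verifies the file modes the listing above shows, 600 for ewallet.p12 and 640 for cwallet.sso, and flags anything looser. The auto-login cwallet.sso is read by the listener without a password, so a world-readable copy hands the registration credential to every local account. The directory builder, the placeholder file contents and the function names are this example's own assumptions.

```python
"""Verify that a COST wallet directory has the modes shown in the ls -l listing above.

Added example, not part of the original page. Assumed: the directory holds
ewallet.p12 (the password-protected wallet) and cwallet.sso (the auto-login
copy the listener reads without a password), with expected modes 600 and 640.
make_demo_dir() builds a throwaway directory so the check runs offline.
"""
import os
import stat
import tempfile

# Expected modes, taken from the ls -l output in the page
EXPECTED_MODES = {"ewallet.p12": 0o600, "cwallet.sso": 0o640}


def audit_wallet_dir(path):
    """Return a list of findings; an empty list means the directory passes."""
    findings = []
    for name, want in EXPECTED_MODES.items():
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            findings.append(f"{name}: missing")
            continue
        mode = stat.S_IMODE(os.stat(full).st_mode)
        if mode & 0o007:
            # world access to the auto-login wallet gives any local account
            # the credential needed to register over TCPS
            findings.append(f"{name}: world-accessible (mode {mode:03o})")
        elif mode != want:
            findings.append(f"{name}: mode {mode:03o}, expected {want:03o}")
    # stray copies or backups of the wallet are worth a look as well
    extras = sorted(set(os.listdir(path)) - set(EXPECTED_MODES))
    if extras:
        findings.append(f"unexpected files: {', '.join(extras)}")
    return findings


def make_demo_dir(locked_down=True):
    """Create a temporary wallet directory with constructed placeholder files."""
    d = tempfile.mkdtemp(prefix="cost_demo_")
    for name, want in EXPECTED_MODES.items():
        full = os.path.join(d, name)
        with open(full, "wb") as fh:
            fh.write(b"placeholder, not a real wallet")
        # the loose variant mimics a wallet copied over with default 644 permissions
        os.chmod(full, want if locked_down else 0o644)
    return d


if __name__ == "__main__":
    for locked in (True, False):
        print("locked_down=%s:" % locked, audit_wallet_dir(make_demo_dir(locked)) or "OK")
```

Run it against the real directory with audit_wallet_dir("/oracle/grid/crs_1/network/admin/cost") on each node after the scp step, since scp does not preserve the modes set on node 1 unless told to.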
3. Edit listener.ora and add the following
Note: this goes into the GI_HOME listener.ora on all nodes.
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /oracle/grid/crs_1/network/admin/cost)
    )
  )
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)   #### one line per SCAN listener; with several, keep adding lines as below
#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
Configure the SCAN listener
$ srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521
srvctl modify scan_listener -p TCP:1521/TCPS:1523   (as the grid user)
srvctl stop scan_listener
srvctl start scan_listener
srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:1523
Edit sqlnet.ora
On both nodes, as the oracle user:
vi $ORACLE_HOME/network/admin/sqlnet.ora   ## create the file if it does not exist
Add the following:
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /oracle/grid/crs_1/network/admin/cost)
    )
  )
After adding it, restart the database on both nodes.
Modify the remote_listener parameter
Before:
SQL> show parameter remote_listener
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_listener                      string      apple-scan:1521
After:
alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.240.195)(PORT=1523)))' scope=both sid='*';
SQL> show parameter remote
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_dependencies_mode             string      TIMESTAMP
remote_listener                      string      (ADDRESS_LIST=(ADDRESS=(PROTOC
                                                 OL=TCPS)(HOST=192.168.240.195)
                                                 (PORT=1523)))
Then, on both nodes, remove the comment marker from the SECURE_REGISTER line added to the grid listener.ora (so #SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS) becomes SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)) and restart the SCAN listener:
[oracle@rac1]$ srvctl stop scan_listener
[oracle@rac1]$ srvctl start scan_listener
Test results
Test 1: change the remote_listener parameter of another RAC database to the following (192.168.240.195 is the SCAN IP):
alter system set remote_listener ='192.168.240.195:1521';
The listener log then shows the following, which confirms that the other RAC database was prevented from registering with the listener:
Tue Jul 31 13:12:45 2018
31-JUL-2018 13:12:45 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=apple2)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN1)(VERSION=186647296)) * status * 0
Tue Jul 31 13:13:45 2018
31-JUL-2018 13:13:45 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=apple2)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN1)(VERSION=186647296)) * status * 0
Tue Jul 31 13:14:39 2018
31-JUL-2018 13:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
31-JUL-2018 13:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
Test 2: a client connection through the SCAN on port 1521 still succeeds:
C:\Users\think>sqlplus system/oracle@192.168.240.195:1521/prod
SQL*Plus: Release 11.2.0.4.0 Production on 星期二 7月 31 13:32:14 2018
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
连接到:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options
SQL> exit
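The TNS-01194 pairs above are the signal a defender should watch for once COST is in place: each one is a registration attempt that arrived over plain TCP and was refused. The following Python snippet is an added example (not part of the original page) that pulls those events out of a listener log and counts them. The log text inside is constructed for the example: the TNS-01194 pairs copy the shape shown above, the service_register_NSGR * 0 lines stand in for registrations the listener accepted, and the status line is the grid agent's routine poll; the function names are this example's own.

```python
"""Flag registration attempts that a COST-restricted listener rejected.

Added example, not part of the original page. SAMPLE_LOG is constructed: the
TNS-01194 pairs copy the shape shown in the test section, the
"service_register_NSGR * 0" lines stand in for accepted registrations, and the
status line is the grid agent's routine poll of the listener.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
31-JUL-2018 13:12:45 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=apple2)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN1)(VERSION=186647296)) * status * 0
31-JUL-2018 13:13:10 * service_register_NSGR * 0
31-JUL-2018 13:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
31-JUL-2018 13:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
31-JUL-2018 13:15:02 * service_register_NSGR * 0
"""

# "<timestamp> * service_register_NSGR * <return code>"; a return code of 0 means accepted
REG_RE = re.compile(
    r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* service_register_NSGR \* (\d+)$"
)
TNS_RE = re.compile(r"^(TNS-\d{5}): (.+)$")


def parse_registrations(log_text):
    """Return one dict per registration event: ts, code, and the TNS message if any."""
    events = []
    for line in log_text.splitlines():
        m = REG_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "code": int(m.group(2)), "msg": None})
            continue
        t = TNS_RE.match(line)
        # a TNS-nnnnn line explains the rejection logged immediately before it
        if t and events and events[-1]["code"] != 0 and events[-1]["msg"] is None:
            events[-1]["msg"] = f"{t.group(1)}: {t.group(2)}"
    return events


def rejected_registrations(log_text):
    """Only the events the listener refused (non-zero return code)."""
    return [e for e in parse_registrations(log_text) if e["code"] != 0]


def summarize(log_text):
    """Counts a monitoring job would ship: total, rejected, and rejected by return code."""
    events = parse_registrations(log_text)
    rejected = [e for e in events if e["code"] != 0]
    return {
        "total": len(events),
        "rejected": len(rejected),
        "by_code": Counter(e["code"] for e in rejected),
    }


if __name__ == "__main__":
    for e in rejected_registrations(SAMPLE_LOG):
        print(e["ts"], e["code"], e["msg"])
    print(summarize(SAMPLE_LOG))
```

A steady trickle of 1194 from a known instance usually means a database whose remote_listener still points at the TCP port, as in Test 1; a burst from an unexpected source is the case the restriction exists for, and the count is what to alert on.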
4. Non-SCAN listener configuration
Add the COST TCP protocol restriction "SECURE_REGISTER_[listener_name] = (TCP)" to the listener.ora.
Match the COST parameter variable listener_name with the name of the listener you are using in the listener.ora, e.g., If your listener name is "LISTENER_PROD" then use SECURE_REGISTER_LISTENER_PROD = (TCP)
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )
SECURE_REGISTER_LISTENER_PROD = (TCP)   ## this is the single-instance form
The database must be using the TCP protocol to register with the listener. Check the value of the startup parameter local_listener to confirm.
Important for grid installations: The grid agent uses the IPC protocol to contact and manage the listener, so both IPC and TCP must be enabled in this step. For a grid environment use the following value:   ### the line below is the RAC listener form
SECURE_REGISTER_LISTENER_PROD = (IPC,TCP)
5. Rollback
1. alter system set remote_listener='apple-scan:1521' sid='*';
2. rm -rf /oracle/grid/crs_1/network/admin/cost   (both nodes)
3. Comment out the lines added to /oracle/grid/crs_1/network/admin/listener.ora   (both nodes)
4. Comment out the lines added to $ORACLE_HOME/network/admin/sqlnet.ora, then restart the database on both nodes
5. As the grid user, reconfigure the scan_listener:
srvctl modify scan_listener -p TCP:1521
srvctl stop scan_listener
srvctl start scan_listener
On the fix for listener poisoning on 11.2.0.4:
VALID_NODE_CHECKING_REGISTRATION_listener_name
Values:
  OFF/0      - Disable VNCR
  ON/1/LOCAL - The default. Enable VNCR. All local machine IPs can register.
  SUBNET/2   - All machines in the subnet are allowed registration.
12c defaults to ON; 11.2.0.4 defaults to OFF.
Add the parameter to listener.ora and restart the listener:
... = ON
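The following Python audit is an added example (not code from the page or from Oracle) that ties together the listener.ora settings from sections 3 and 4 and the 11.2.0.4 VNCR parameter just above. It parses the NAME = (...) layout of an Oracle net file and reports, for each named listener, whether a SECURE_REGISTER_<listener> entry is active or still commented out, which protocols it allows, whether TCPS is backed by a WALLET_LOCATION directory, whether IPC is present for a grid-managed listener, and what the VALID_NODE_CHECKING_REGISTRATION value means. The sample configurations inside are constructed from the fragments shown above; the parser, its handling of comments and multi-line values, and the function names are this example's own.

```python
"""Audit listener.ora for COST (SECURE_REGISTER_*) and VNCR settings.

Added example; not Oracle's tooling and not code from the page. Assumed: the
NAME = VALUE layout of Oracle net files, where VALUE is a single token or a
balanced parenthesised block that may span lines, '#' comments out the rest of
a line, and parameter names are case-insensitive.
"""
import re

NAME_RE = re.compile(r"\s*([A-Za-z_][\w.]*)\s*=\s*")

# Values documented for VALID_NODE_CHECKING_REGISTRATION_<listener>
VNCR_MEANING = {
    "OFF": "disabled", "0": "disabled",
    "ON": "local", "1": "local", "LOCAL": "local",
    "SUBNET": "subnet", "2": "subnet",
}


def parse_net_file(text):
    """Return {NAME: value} for each top-level parameter; commented text is ignored."""
    src = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    params, i, n = {}, 0, len(src)
    while i < n:
        m = NAME_RE.match(src, i)
        if not m:
            i += 1                      # stray text: skip one character and retry
            continue
        name, i = m.group(1).upper(), m.end()
        if i < n and src[i] == "(":
            depth, start = 0, i
            while i < n:                # copy the balanced (...) block, across lines
                depth += src[i] == "("
                depth -= src[i] == ")"
                i += 1
                if depth == 0:
                    break
            params[name] = re.sub(r"\s+", "", src[start:i])
        else:
            end = src.find("\n", i)
            end = n if end == -1 else end
            params[name] = src[i:end].strip()
            i = end
    return params


def audit_listener_ora(text, listeners, grid=True):
    """Report, per listener, the COST protocols, the VNCR mode and any findings.

    grid=True means the grid agent manages the listener and therefore needs IPC.
    An empty findings list means the listener passes.
    """
    params = parse_net_file(text)
    m = re.search(r"\(DIRECTORY=([^)]+)\)", params.get("WALLET_LOCATION", ""))
    wallet_dir = m.group(1) if m else None
    result = {"wallet_dir": wallet_dir, "listeners": {}}
    for lsnr in (name.upper() for name in listeners):
        findings, protos = [], None
        cost_key = f"SECURE_REGISTER_{lsnr}"
        vncr_key = f"VALID_NODE_CHECKING_REGISTRATION_{lsnr}"
        raw = params.get(cost_key)
        if raw is not None:
            protos = {p.upper() for p in raw.strip("()").split(",") if p}
            if grid and "IPC" not in protos:
                findings.append(f"{cost_key} lacks IPC: the grid agent cannot manage the listener")
            if "TCPS" in protos and wallet_dir is None:
                findings.append(f"{cost_key} allows TCPS but WALLET_LOCATION has no DIRECTORY")
        vncr_raw = params.get(vncr_key)
        vncr = VNCR_MEANING.get(vncr_raw.upper(), "unrecognised") if vncr_raw else None
        if raw is None and vncr not in ("local", "subnet"):
            findings.append(f"no registration restriction: {cost_key} absent or commented out "
                            f"and {vncr_key} is {vncr_raw or 'not set'}")
        result["listeners"][lsnr] = {"protocols": protos, "vncr": vncr, "findings": findings}
    return result


# Constructed samples in the shape of the fragments shown in the page
BEFORE = """
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /oracle/grid/crs_1/network/admin/cost)
    )
  )
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
"""
AFTER = BEFORE.replace("#SECURE_REGISTER", "SECURE_REGISTER")   # line uncommented
SINGLE = """
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))))
SECURE_REGISTER_LISTENER_PROD = (TCP)
VALID_NODE_CHECKING_REGISTRATION_LISTENER_PROD = ON
"""

if __name__ == "__main__":
    for label, cfg, names, grid in (("before", BEFORE, ["LISTENER_SCAN1"], True),
                                    ("after", AFTER, ["LISTENER_SCAN1"], True),
                                    ("single", SINGLE, ["LISTENER_PROD"], False)):
        print(label, audit_listener_ora(cfg, names, grid))
```

Point it at the real file with audit_listener_ora(open(path).read(), ["LISTENER_SCAN1", ...]) on every node: the "before" case reproduces the state between section 3 and the final uncomment step, where the wallet exists but registration is still unrestricted, and the "single" case checks the non-SCAN form from section 4 together with the 11.2.0.4 VNCR setting.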
