Valid Node Checking for Registration (VNCR) allows instance registration with a listener to be restricted to known servers only. This has replaced the use of COST (setting up COST for 11gR1 SE and 11gR2 SE) for protecting against the TNS Listener Poison Attack. COST can still be used if it is needed for reasons other than restricting registration (for more, read MOS note 1340831.1).
VNCR is available on 11.2.0.4 and 12c, so if the DB is 11.2.0.3 then COST is still the only option available against this attack. Below is an example of setting up VNCR on a single instance database. For RAC with SCAN listeners, refer to the MOS notes listed at the end of the post.
The listener runs on the server with IP 192.168.0.66 (hpc1.domain.net). Currently no DB is registered with it.
$ lsnrctl status
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 22-FEB-2016 13:06:44
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hpc1.domain.net)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date 22-FEB-2016 13:06:41
Uptime 0 days 0 hr. 0 min. 3 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /opt/app/oracle/product/11.2.0/std4/network/admin/listener.ora
Listener Log File /opt/app/oracle/diag/tnslsnr/hpc1/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=hpc1.domain.net)(PORT=1521)))
The listener supports no services
The command completed successfully

The DB (the instance that is to register with this listener) runs on the server with IP 192.168.0.99. To register it with the listener on 192.168.0.66, add a remote listener entry to tnsnames.ora and register the database:

$ cat tnsnames.ora
listener_name =
(DESCRIPTION=
(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.0.66)(PORT=1521))
)

SQL> alter system set remote_listener='listener_name' scope=both;
System altered.
SQL> alter system register;
System altered.

Check the listener status. The output below shows that the remote database has registered with the listener.

$ lsnrctl status
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 22-FEB-2016 13:08:51
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hpc1.domain.net)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date 22-FEB-2016 13:06:41
Uptime 0 days 0 hr. 2 min. 10 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /opt/app/oracle/product/11.2.0/std4/network/admin/listener.ora
Listener Log File /opt/app/oracle/diag/tnslsnr/hpc1/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=hpc1.domain.net)(PORT=1521)))
Services Summary...
Service "fgacdb" has 1 instance(s).
Instance "fgacdb", status READY, has 1 handler(s) for this service...
Service "fgacdbXDB" has 1 instance(s).
Instance "fgacdb", status READY, has 1 handler(s) for this service...
The command completed successfully
In order to prevent this type of remote registration, enable valid node checking on the listener. To enable VNCR on 11.2.0.4, add the following entry to the listener.ora file. In this case the listener name is "LISTENER" (the parameter name ends with the listener name).
VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

Reload the listener and check the status. The remote listener registration is now blocked and the listener supports no services again.

$ lsnrctl reload
$ lsnrctl status
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 22-FEB-2016 13:24:17
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hpc1.domain.net)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date 22-FEB-2016 13:06:41
Uptime 0 days 0 hr. 17 min. 35 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /opt/app/oracle/product/11.2.0/std4/network/admin/listener.ora
Listener Log File /opt/app/oracle/diag/tnslsnr/hpc1/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=hpc1.domain.net)(PORT=1521)))
The listener supports no services

Any attempt to register with the listener is blocked, and listener.log will have an entry similar to the following:

Listener(VNCR option 1) rejected Registration request from destination 192.168.0.99
22-FEB-2016 13:31:47 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""

On 12c VNCR is enabled by default, so any attempt at remote registration is rejected and the listener log will have an entry like the one above.
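As an added example (not code from the post or from Oracle), here is a small POSIX shell script that checks whether the VNCR parameter set above is present for a given listener in listener.ora and summarises the VNCR rejection entries recorded in listener.log, using constructed sample files that mirror the formats shown in this post. The accepted VNCR values other than 1 are assumed from the Oracle Net Services reference, so verify them for your release.

```shell
# Added example, not code from the original post. Audits a listener.ora for the
# VNCR parameter and summarises VNCR rejections recorded in listener.log.
# Assumptions: parameter names follow VALID_NODE_CHECKING_REGISTRATION_<listener>
# as in the post, and log lines use the post's "rejected Registration request
# from destination <ip>" wording. The sample files below are constructed.

# Print the VNCR value set for listener $2 in listener.ora $1, or "unset" when
# the parameter is absent (which on 11.2.0.4 means VNCR is off).
vncr_setting() {
    name=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    awk -v key="VALID_NODE_CHECKING_REGISTRATION_$name" '
        { line = $0; sub(/#.*/, "", line) }                       # drop comments
        toupper(line) ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]*$/, "", line)
            v = toupper(line)
        }
        END { print (v == "" ? "unset" : v) }' "$1"
}

# Return 0 when the value restricts registration (ON/1, LOCAL, SUBNET/2; assumed
# from the Oracle Net reference, verify for your release), else 1.
vncr_enforced() {
    case "$(vncr_setting "$1" "$2")" in
        ON|1|LOCAL|SUBNET|2) return 0 ;;
        *) return 1 ;;
    esac
}

# Count VNCR rejections per source address in listener.log $1 ("ip count" lines).
vncr_rejections() {
    awk '/rejected Registration request from destination/ {
             for (i = 1; i <= NF; i++) if ($i == "destination") n[$(i + 1)]++
         }
         END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

# Constructed sample files so the functions can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'LISTENER =\n  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = hpc1.domain.net)(PORT = 1521)))\n' \
    | tee "$SAMPLE_DIR/listener_off.ora" > "$SAMPLE_DIR/listener.ora"
echo 'valid_node_checking_registration_listener = 1   # VNCR on, as set in the post' >> "$SAMPLE_DIR/listener.ora"
cat > "$SAMPLE_DIR/listener.log" <<'EOF'
TNS-01182: Listener rejected registration of service ""
Listener(VNCR option 1) rejected Registration request from destination 192.168.0.99
Listener(VNCR option 1) rejected Registration request from destination 192.168.0.99
Listener(VNCR option 1) rejected Registration request from destination 192.168.0.77
EOF

vncr_enforced "$SAMPLE_DIR/listener.ora" LISTENER && echo "VNCR enforced" || echo "VNCR NOT enforced"
vncr_rejections "$SAMPLE_DIR/listener.log"
```

Point the functions at the real files named in the lsnrctl status output (Listener Parameter File and the text listener.log beside the XML alert log) to audit a live listener.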
Useful metalink notes
Valid Node Checking For Registration (VNCR) [ID 1600630.1]
How to Enable VNCR on RAC Database to Register only Local Instances [ID 1914282.1]
Related Posts
Implementing Class of Secure Transport (COST) to Restrict Instance Registration in Oracle 11gR2 SE RAC (Solution mentioned in Oracle Security Alert for CVE-2012-1675)
Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle SE RAC Fails (Solution mentioned in Oracle Security Alert for CVE-2012-1675)