SANS ISC: Cyber Security Awareness Month - Day 16 - Port 1521 - Oracle TNS Listener - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

By default when you install Oracle the TNS Listener is on tcp port 1521. It handles network requests to be passed to a database instance. If it not appropriately secured commands can be sent to the listener, the listener can be shut down, or the databases can be queried. There have been a number of vulnerabilities over the years that have been actively exploited specific to the TNS Listener.

If you check the Dshield database for the last while port 1521 has appeared in the 'top 10' a number of times. It would appear as though if you install Oracle it is highly recommended not to expose it to the Internet (or any untrusted network). Obviously a number of people are actively looking for Oracle instances. http://www.dshield.org/port.html?port=1521

Some best practices for the TNS listener:

• Restrict access to this port
• Assign a password to the listener
• Install patches

Some examples of CVE entries that involve the TNS Listener:
CVE-2008-2625, CVE-2007-5507, CVE-2007-2120, CVE-2006-0265, CVE-2005-3206, CVE-2005-3207, CVE-2004-1369, CVE-2003-1116, CVE-2002-1118, CVE-2002-0965, CVE-2002-0509, CVE-2002-0567, CVE-2001-0498, CVE-2001-0499, CVE-1999-0784, CVE-2000-0986

Some recommended reading: the Oracle Database Listener Security Guide http://www.scribd.com/doc/22455/Oracle-Database-Listener-Security-Guide

Please contact us if you have any comments or would like to add to this diary entry.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.