Oracle PeopleSoft Applications are Under Attack, Says ERPScan Researcher

May 2015 by ERPScan

On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented his talk called Oracle PeopleSoft Applications are Under Attack! at the Hack In The Box security conference (HITB), an annual event for researchers and security professionals around the world.

Oracle is the second-largest vendor on the ERP market, and its PeopleSoft products are used by more than 7000 companies, including about 50% of the Fortune 100. PeopleSoft applications are deployed worldwide, with more than 72% of customers in the USA. They are usually thought of as a solution used mainly in higher education, but this is not entirely accurate. Oracle does not publish official statistics on PeopleSoft customers; however, according to PeopleSoft user lists provided by third parties, the education sector makes up only about 36% of all customers, which is more than 1900 companies. PeopleSoft is also widely used in Manufacturing (22%, about 1160 companies), Computing & IT (18%, about 1000 companies), Retail (8%, more than 440 companies), and Government.

Several data breaches related to vulnerabilities in Oracle PeopleSoft applications have been reported in the media since 2010. For example, in March 2013, Salem State University in Massachusetts alerted 25,000 students and staff that their Social Security Numbers may have been compromised in a database breach. If the pattern of the last few years repeats itself, higher education institutions can expect another half dozen major security breaches.

Not only universities, but all enterprises using Oracle PeopleSoft applications are potentially under attack because they have the same vulnerabilities, according to Alexey’s research presented at the HITB conference.

“Nevertheless, there is almost no public research on the security of PeopleSoft applications. While cybercriminals are exploiting existing security flaws, companies don’t know the methodology for testing their PeopleSoft applications against vulnerabilities, especially architectural ones. Oracle publishes basic information about vulnerabilities in their applications on a regular basis. This information can be enough for cybercriminals, as at least 5 public breaches prove. Unfortunately, the security community is scarcely informed about how to analyze these systems. So, our mission is to help clients and security companies to assess and secure their business-critical systems properly”, said Alexey Tyurin.

In his research, Alexey Tyurin has spotlighted several vulnerabilities in PeopleSoft systems. Let’s look at the most dangerous one. PeopleSoft systems are often accessible from the Internet, and some parts of the system have to be available before a user registers, for example job application forms or “Forgot your password?” forms. For this purpose, PeopleSoft systems contain a special user with minimal rights; when you open the system, it automatically authenticates you as this user. This opens the way to a privilege escalation attack by brute-forcing the authentication cookie, called TokenID. TokenID is generated using the SHA1 hashing algorithm, and according to the latest information an 8-character alphanumeric password can be recovered by brute force within one day on the latest GPUs, which cost about $500.
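To make the sizing behind that claim concrete from a defender's side, here is an added Python example (not code from the talk or from ERPScan) that estimates how long an exhaustive offline search of an unsalted, single-round SHA1 value takes for a given alphabet and password length, and what minimum length, or what extra per-guess cost from a slow key-derivation function, pushes that beyond a chosen budget. The only guess rate it uses is the one implied by the article's own figures (62 alphanumeric symbols, 8 characters, one day); the function names, the `cost_factor` parameter and the ten-year budget are assumptions made for the illustration.

```python
"""
Added example, not part of the original article: back-of-the-envelope
brute-force exposure estimates for a fast unsalted hash such as the
SHA1-derived TokenID described above. All numbers besides the article's
own (62 symbols, length 8, one day) are parameters chosen here.
"""

ALPHANUMERIC = 26 + 26 + 10          # a-z, A-Z, 0-9: 62 symbols
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def implied_hash_rate(alphabet_size: int, length: int, seconds: float) -> float:
    """Guesses per second an attacker must achieve to exhaust the keyspace
    in `seconds`. With the article's figures (62 symbols, length 8, one day)
    this is the rate the '$500 GPU' claim implies: roughly 2.5e9 SHA1/s."""
    return keyspace(alphabet_size, length) / seconds


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float, cost_factor: int = 1) -> float:
    """Worst-case time to try every candidate at `rate` guesses/s.
    `cost_factor` (an assumed parameter) models a slow KDF such as iterated
    hashing, which divides the attacker's effective rate; 1 means a single
    fast hash like plain SHA1."""
    return keyspace(alphabet_size, length) * cost_factor / rate


def min_length_for_budget(alphabet_size: int, rate: float, target_seconds: float,
                          cost_factor: int = 1, max_length: int = 64) -> int:
    """Smallest password length whose exhaustive search takes longer than
    `target_seconds`; raises if no length up to `max_length` suffices."""
    for length in range(1, max_length + 1):
        if seconds_to_exhaust(alphabet_size, length, rate, cost_factor) > target_seconds:
            return length
    raise ValueError("no length within max_length meets the budget")


if __name__ == "__main__":
    rate = implied_hash_rate(ALPHANUMERIC, 8, SECONDS_PER_DAY)
    print(f"rate implied by the article's claim: {rate:.3g} guesses/s")
    for length in (8, 10, 12):
        days = seconds_to_exhaust(ALPHANUMERIC, length, rate) / SECONDS_PER_DAY
        print(f"{length} alphanumeric chars, plain SHA1: {days:.3g} days worst case")
    ten_years = 10 * SECONDS_PER_YEAR
    print("length needed to exceed 10 years with plain SHA1:",
          min_length_for_budget(ALPHANUMERIC, rate, ten_years))
    print("length needed to exceed 10 years with an assumed cost factor of 100000:",
          min_length_for_budget(ALPHANUMERIC, rate, ten_years, cost_factor=100_000))
```

The two final lines show the trade-off a defender controls: at the implied rate, plain SHA1 needs ten alphanumeric characters before an exhaustive search exceeds ten years, whereas a per-guess cost factor of 100000 (the kind a deliberately slow KDF imposes) lets the same eight-character policy exceed that budget.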

“The number of design flaws in Oracle PeopleSoft applications can be a great basis for a book called How to Develop the Most Insecure Authentication Mechanism for Dummies”, adds Alexander Polyakov, CTO, ERPScan.

The optimal attack vector depends on the hacker’s goal. The impact of different attacks can involve espionage, sabotage, and fraud. We highlight the five most serious consequences of these attacks, but they should not be considered the only possible ones:

- Theft of Social Security Numbers, also known as identity theft. Employees’ SSNs are stored in Human Resource Management Systems. A malicious person can use the victim’s SSN to obtain other personal information or apply for a loan on their behalf. Getting a new number to replace the compromised one is not easy, and it is entirely up to the Social Security Administration. All companies using PeopleSoft HRMS are at risk, especially Government.
- Employees’ and clients’ credit card data (card holder name, PAN, expiration date, and CVV code) are stored in many PeopleSoft applications. If an application has a security breach, this information is at risk of theft. Every enterprise can be a victim of this attack, but it is primarily relevant to the Retail industry.
- With access to PeopleSoft Enterprise Service Automation, an attacker can forge business-critical information about the stage of project implementation, so that leaders make a wrong decision resulting in wasted resources, commitment failures, and reputational losses. This sabotage scenario is especially dangerous for Manufacturing companies.
- The operating assets of an organization, from facilities and equipment to rolling stock and production machinery, are central to accomplishing the enterprise’s objectives. PeopleSoft Asset Lifecycle Management provides the ability to monitor and optimally maintain those assets, and it is usually connected to the plant floor. An attacker with access to this application has the opportunity to forge equipment health information. There are two scenarios. First, a malicious person can forge a message that a new part is about to wear out, so the company spends money unnecessarily. Second, an attacker can make the system report that a long-used part is new, which can lead to a manufacturing disaster. This sabotage attack is more likely to be performed against Manufacturing companies.
- The Oracle PeopleSoft Supplier Relationship Management application stores information about tenders and contracts. If an attacker learns a supplier’s proposal, they can use this information in their own proposal. This can result in reputational and financial losses for the company holding the tender.

The situation with Oracle PeopleSoft applications is even worse than it was with SAP five years ago. In the SAP security market there is now awareness (100+ presentations at security conferences in 5 years), security specialists, products, and real examples of attacks such as the recent USIS breach. In terms of possible attacks, the situation with PeopleSoft security is five times more critical, judging by the number of public and confirmed incidents alone.

Alexey has found multiple issues in PeopleSoft applications that can be exploited by all kinds of potential attackers: insiders, developers, or even cybercriminals on the Internet. The criticality and number of these issues together equal the impact of the top 3 most critical bugs that we found in SAP applications in the last five years, and most of these issues have stayed unresolved for years!

It is notable that Oracle PeopleSoft applications usually operate as a complex system composed of several applications, so once an attacker gets access to the weakest part of the system, they can easily reach the connected applications.
