Vulnerabilities / Threats
5/2/2011
09:05 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

ERP Apps Often Left Exposed

Vulnerabilities in Oracle JD Edwards ERP applications all exploitable by unauthenticated attacker.

Among Oracle's latest round of patches last month were eight flaws in its JD Edwards enterprise resource planning (ERP) applications -- underscoring how ERP apps are often forgotten when it comes to security, overshadowed by database flaws and other worries.

The JDE application flaws might represent only a small fraction of the 78 total bugs fixed in the update, but they demonstrate a growing concern among security experts of an emerging prime attack vector. Most enterprises don't consider their ERP apps as a big target for attackers, and assume segregation of duties is enough security for them.

ERP systems, which are tied in with a database platform and often contain multiple interfaces to other apps, run sensitive business processes, such as financial, sales, production, expenditures, billing, and payroll, so any such targeted attacks would be damaging financially and production-wise, experts say.

"They are becoming targets because attackers are realizing that they are not longer a black box, and that they contain the most sensitive business information. So if you are a cybercriminal, why would you attack a regular Windows server if you can just take over the systems containing the company's most valuable data?" says Mariano Nunez Di Croce, director of research and development for Onapsis, whose firm discovered the JDE flaws patched by Oracle as well as an additional 12 other flaws that the database giant has not yet fixed.

Nunez Di Croce says companies think that by specifying segregation of duties among users of these apps, they are protecting them from a breach. "However, almost none of them realize that they need to secure the technological components of these platforms, which can lead remote, anonymous attackers to break into the systems and invalidate all the existing investments into securing them," he says.

The flaws Onapsis researcher Juan Pablo Perez Etchegoyen found speak to that problem: All of the flaws can be exploited by unauthenticated attackers. They let the bad guys take control of the JDE app remotely, grab admin passwords, perform denial-of-service attacks, and disable logging for stealthier, cyberespionage-type attacks. The bugs include buffer overflows and a remote logging deactivation flaw. "All of these vulnerabilities can be exploited by unauthenticated attackers, which illustrates the fact that the vendors never expected these situations," Nunez Di Croce says. "Instead of a legitimate component connecting to the ERP, it is an attacker who can craft the requests at his will. I think this is something the vendors have never expected in the past, and now we are just starting to [see them] pop ... up."

Read the rest of this article
on Dark Reading

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.