Vulnerabilities / Threats
5/2/2011
09:05 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

ERP Apps Often Left Exposed

Vulnerabilities in Oracle JD Edwards ERP applications all exploitable by unauthenticated attacker.

Among Oracle's latest round of patches last month were eight flaws in its JD Edwards enterprise resource planning (ERP) applications -- underscoring how ERP apps are often forgotten when it comes to security, overshadowed by database flaws and other worries.

The JDE application flaws might represent only a small fraction of the 78 total bugs fixed in the update, but they demonstrate a growing concern among security experts of an emerging prime attack vector. Most enterprises don't consider their ERP apps as a big target for attackers, and assume segregation of duties is enough security for them.

ERP systems, which are tied in with a database platform and often contain multiple interfaces to other apps, run sensitive business processes, such as financial, sales, production, expenditures, billing, and payroll, so any such targeted attacks would be damaging financially and production-wise, experts say.

"They are becoming targets because attackers are realizing that they are not longer a black box, and that they contain the most sensitive business information. So if you are a cybercriminal, why would you attack a regular Windows server if you can just take over the systems containing the company's most valuable data?" says Mariano Nunez Di Croce, director of research and development for Onapsis, whose firm discovered the JDE flaws patched by Oracle as well as an additional 12 other flaws that the database giant has not yet fixed.

Nunez Di Croce says companies think that by specifying segregation of duties among users of these apps, they are protecting them from a breach. "However, almost none of them realize that they need to secure the technological components of these platforms, which can lead remote, anonymous attackers to break into the systems and invalidate all the existing investments into securing them," he says.

The flaws Onapsis researcher Juan Pablo Perez Etchegoyen found speak to that problem: All of the flaws can be exploited by unauthenticated attackers. They let the bad guys take control of the JDE app remotely, grab admin passwords, perform denial-of-service attacks, and disable logging for stealthier, cyberespionage-type attacks. The bugs include buffer overflows and a remote logging deactivation flaw. "All of these vulnerabilities can be exploited by unauthenticated attackers, which illustrates the fact that the vendors never expected these situations," Nunez Di Croce says. "Instead of a legitimate component connecting to the ERP, it is an attacker who can craft the requests at his will. I think this is something the vendors have never expected in the past, and now we are just starting to [see them] pop ... up."

Read the rest of this article
on Dark Reading

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3154
Published: 2014-04-17
DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file conte...

CVE-2013-2143
Published: 2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

CVE-2014-0036
Published: 2014-04-17
The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVE-2014-0054
Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External ...

CVE-2014-0071
Published: 2014-04-17
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Best of the Web