ERP Apps Often Left Exposed

Vulnerabilities in Oracle JD Edwards ERP applications all exploitable by unauthenticated attacker
Among Oracle's latest round of patches last month were eight flaws in its JD Edwards enterprise resource planning (ERP) applications -- underscoring how ERP apps are often forgotten when it comes to security, overshadowed by database flaws and other worries.

The JDE application flaws might represent only a small fraction of the 78 total bugs fixed in the update, but they demonstrate a growing concern among security experts of an emerging prime attack vector. Most enterprises don't consider their ERP apps as a big target for attackers, and assume segregation of duties is enough security for them.

ERP systems, which are tied in with a database platform and often contain multiple interfaces to other apps, run sensitive business processes, such as financial, sales, production, expenditures, billing, and payroll, so any such targeted attacks would be damaging financially and production-wise, experts say.

"They are becoming targets because attackers are realizing that they are not longer a black box, and that they contain the most sensitive business information. So if you are a cybercriminal, why would you attack a regular Windows server if you can just take over the systems containing the company's most valuable data?" says Mariano Nuez Di Croce, director of research and development for Onapsis, whose firm discovered the JDE flaws patched by Oracle as well as an additional 12 other flaws that the database giant has not yet fixed.

Nunez Di Croce says companies think that by specifying segregation of duties among users of these apps, they are protecting them from a breach. "However, almost none of them realize that they need to secure the technological components of these platforms, which can lead remote, anonymous attackers to break into the systems and invalidate all the existing investments into securing them," he says.

The flaws Onapsis researcher Juan Pablo Perez Etchegoyen found speak to that problem: All of the flaws can be exploited by unauthenticated attackers. They let the bad guys take control of the JDE app remotely, grab admin passwords, perform denial-of-service attacks, and disable logging for stealthier, cyberespionage-type attacks. The bugs include buffer overflows and a remote logging deactivation flaw. "All of these vulnerabilities can be exploited by unauthenticated attackers, which illustrates the fact that the vendors never expected these situations," Nunez Di Croce says. "Instead of a legitimate component connecting to the ERP, it is an attacker who can craft the requests at his will. I think this is something the vendors have never expected in the past, and now we are just starting to [see them] pop ... up."

More than 95 percent of ERP systems Onapsis has assessed for security could be exploited for targeted, cyberespionage-type attacks, for example. "Most of them have passed compliance requirements, such as SOX, PCI, and others," he says. "This just doesn't look right."

ERP vendors haven't focused thus far on securing their apps mainly because they haven't yet really been under the microscope nor yet felt the brunt of high-profile attacks. "It is a fact that making a software product more secure generally does not help sales as would a new feature for the product. So software vendors tend to focus on new features or customer reported bugs than on security. This is true unless there is a special need for security, but ERP vendors haven't received much attention from the software security industry and they havent suffered from a massive attack as databases have with, for example, worms like Slammer," says Esteban Martinez Fayo, a security researcher with AppSecs TeamSHATTER.

Meanwhile, the bugs included in the latest Oracle Critical Patch Update last month give attackers free rein in the JDE apps. "One is a remote client execution where you can fully compromise the server and the database where the information is stored," Onapsis' Perez Etchegoyen says. "In another one, the attacker can remotely access passwords stored in a certain part of the application ... unauthenticated and remotely, [he] would be able to reconnect to the ERP and gain elevated privileges and do complex attacks."

While Oracle is fixing more bugs in its JD Edwards and PeopleSoft apps, AppSec's Martinez Fayo says they still need to patch these flaws more quickly. "The advisories released by Onapsis show nothing new or highly advanced with regards to the type of vulnerabilities, but on the contrary, these kinds of vulnerabilities are very well known and shouldnt be in a product like an ERP system," he says.

ERP applications are simpler to hack, he says, because the security is relatively weaker. "In the end, ERP systems are yet another way in which attackers can get into a database, so a company breach via ERP systems will most likely include hacking the database as well," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5