Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/2/2011
04:44 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

ERP Apps Often Left Exposed

Vulnerabilities in Oracle JD Edwards ERP applications all exploitable by unauthenticated attacker

Among Oracle's latest round of patches last month were eight flaws in its JD Edwards enterprise resource planning (ERP) applications -- underscoring how ERP apps are often forgotten when it comes to security, overshadowed by database flaws and other worries.

The JDE application flaws might represent only a small fraction of the 78 total bugs fixed in the update, but they demonstrate a growing concern among security experts of an emerging prime attack vector. Most enterprises don't consider their ERP apps as a big target for attackers, and assume segregation of duties is enough security for them.

ERP systems, which are tied in with a database platform and often contain multiple interfaces to other apps, run sensitive business processes, such as financial, sales, production, expenditures, billing, and payroll, so any such targeted attacks would be damaging financially and production-wise, experts say.

"They are becoming targets because attackers are realizing that they are not longer a black box, and that they contain the most sensitive business information. So if you are a cybercriminal, why would you attack a regular Windows server if you can just take over the systems containing the company's most valuable data?" says Mariano Nuez Di Croce, director of research and development for Onapsis, whose firm discovered the JDE flaws patched by Oracle as well as an additional 12 other flaws that the database giant has not yet fixed.

Nunez Di Croce says companies think that by specifying segregation of duties among users of these apps, they are protecting them from a breach. "However, almost none of them realize that they need to secure the technological components of these platforms, which can lead remote, anonymous attackers to break into the systems and invalidate all the existing investments into securing them," he says.

The flaws Onapsis researcher Juan Pablo Perez Etchegoyen found speak to that problem: All of the flaws can be exploited by unauthenticated attackers. They let the bad guys take control of the JDE app remotely, grab admin passwords, perform denial-of-service attacks, and disable logging for stealthier, cyberespionage-type attacks. The bugs include buffer overflows and a remote logging deactivation flaw. "All of these vulnerabilities can be exploited by unauthenticated attackers, which illustrates the fact that the vendors never expected these situations," Nunez Di Croce says. "Instead of a legitimate component connecting to the ERP, it is an attacker who can craft the requests at his will. I think this is something the vendors have never expected in the past, and now we are just starting to [see them] pop ... up."

More than 95 percent of ERP systems Onapsis has assessed for security could be exploited for targeted, cyberespionage-type attacks, for example. "Most of them have passed compliance requirements, such as SOX, PCI, and others," he says. "This just doesn't look right."

ERP vendors haven't focused thus far on securing their apps mainly because they haven't yet really been under the microscope nor yet felt the brunt of high-profile attacks. "It is a fact that making a software product more secure generally does not help sales as would a new feature for the product. So software vendors tend to focus on new features or customer reported bugs than on security. This is true unless there is a special need for security, but ERP vendors haven't received much attention from the software security industry and they havent suffered from a massive attack as databases have with, for example, worms like Slammer," says Esteban Martinez Fayo, a security researcher with AppSecs TeamSHATTER.

Meanwhile, the bugs included in the latest Oracle Critical Patch Update last month give attackers free rein in the JDE apps. "One is a remote client execution where you can fully compromise the server and the database where the information is stored," Onapsis' Perez Etchegoyen says. "In another one, the attacker can remotely access passwords stored in a certain part of the application ... unauthenticated and remotely, [he] would be able to reconnect to the ERP and gain elevated privileges and do complex attacks."

While Oracle is fixing more bugs in its JD Edwards and PeopleSoft apps, AppSec's Martinez Fayo says they still need to patch these flaws more quickly. "The advisories released by Onapsis show nothing new or highly advanced with regards to the type of vulnerabilities, but on the contrary, these kinds of vulnerabilities are very well known and shouldnt be in a product like an ERP system," he says.

ERP applications are simpler to hack, he says, because the security is relatively weaker. "In the end, ERP systems are yet another way in which attackers can get into a database, so a company breach via ERP systems will most likely include hacking the database as well," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16404
PUBLISHED: 2019-10-21
Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.
CVE-2019-17400
PUBLISHED: 2019-10-21
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
CVE-2019-17498
PUBLISHED: 2019-10-21
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a ...
CVE-2019-16969
PUBLISHED: 2019-10-21
In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2019-16974
PUBLISHED: 2019-10-21
In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.