
Oracle PeopleSoft In The Crosshairs

Presenter at Hack In The Box says PeopleSoft is in worse security shape than SAP was five years ago.

SAP products may be getting a lot of the spotlight when it comes to enterprise resource planning (ERP) system vulnerabilities, but they are far from the only flavor of ERP with big flaws. Today at the Hack in the Box conference in Amsterdam, a researcher with ERPScan brought attention to Oracle PeopleSoft security by demonstrating a number of vulnerabilities on this platform that could enable theft of personally identifiable information, falsification of business-critical data, and supply-chain tampering.

Utilized by over 7,000 enterprises, including half of Fortune 100 companies, PeopleSoft can be a smorgasbord of sensitive and business-critical data. And while a few breaches caused by vulnerabilities in the platform have come to light since 2010, "there is almost no public research on the security of PeopleSoft applications," says Alexey Tyurin, head of the Oracle security department at ERPScan.

This creates a dangerous knowledge gap for defenders, as attackers are already exploiting existing security flaws, but companies have no good methodology to test their applications against these vulnerabilities, he says. Particularly risky are architectural issues that are not usually well-explained in security bulletins.

Oracle publishes basic information about vulnerabilities in their applications on a regular basis. This information can be enough for cybercriminals, as at least five public breaches prove. Unfortunately, the security community is scarcely informed about how to analyze these systems.

Today Tyurin showed how dangerous flaws in PeopleSoft systems can be. One vulnerability he demonstrated highlighted how a combination of factors can cause big problems. In it, he showed that Internet-facing PeopleSoft systems often expose limited functionality, such as job application forms or password reset pages. Access through these entry points is granted via a special user with minimal rights in the system.

However, the authentication mechanism in this case gives ample opportunity for privilege escalation by brute-force attacking an authentication cookie called TokenID. That cookie is based on the SHA-1 hash algorithm, which allows an eight-character alphanumeric password to be recovered by brute force in a single day, using GPUs costing about $500.
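To make the risk in the paragraph above concrete, here is an added example (my own code, not the article's or ERPScan's, and not PeopleSoft's real token format): a toy token scheme whose only secret input is a short password fed to a fast, unsalted hash, an exhaustive search over a deliberately tiny keyspace that recovers that password from a single observed token, a keyspace-versus-time calculator with an assumed hash rate, and a hardened variant that keys an HMAC with a random 256-bit secret instead of a memorable password. The user id, timestamp, password and hash rate are all constructed values.

```python
import hashlib
import hmac
import itertools
import secrets
import string

# Constructed alphabets; the article's "eight-character alphanumeric" keyspace is 62 symbols.
ALNUM = string.ascii_letters + string.digits
SMALL = string.ascii_lowercase + string.digits  # used only to keep the demo search quick


def weak_token(user_id: str, timestamp: str, server_password: str) -> str:
    """Toy scheme (assumption, not PeopleSoft's format): SHA-1 over public fields
    plus a short password. Everything except the password is visible to the client."""
    data = f"{user_id}|{timestamp}|{server_password}".encode()
    return hashlib.sha1(data).hexdigest()


def recover_password(user_id: str, timestamp: str, observed_token: str,
                     alphabet: str, length: int):
    """Offline exhaustive search. One captured token is enough, because each guess
    can be checked locally without talking to the server, so rate limiting or
    lockout on the login form does not help."""
    for cand in itertools.product(alphabet, repeat=length):
        pw = "".join(cand)
        if weak_token(user_id, timestamp, pw) == observed_token:
            return pw
    return None


def days_to_exhaust(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case time to try the whole keyspace. The rate is an assumption you plug
    in for your own hardware; the cost scales with keyspace and hash speed, which is
    why a longer random secret, not a different fast hash, is the fix."""
    return alphabet_size ** length / hashes_per_second / 86400


def strong_token(user_id: str, timestamp: str, key: bytes) -> str:
    """Hardened variant: HMAC-SHA256 keyed with a random 256-bit secret. The keyspace
    is 2**256, so no offline search is feasible regardless of GPU budget."""
    msg = f"{user_id}|{timestamp}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_strong_token(user_id: str, timestamp: str, token: str, key: bytes) -> bool:
    """Constant-time comparison so verification does not leak partial matches."""
    return hmac.compare_digest(strong_token(user_id, timestamp, key), token)


if __name__ == "__main__":
    # Constructed demo: a 3-character secret over a 36-symbol alphabet (about 47k guesses).
    captured = weak_token("guest", "20150528", "ab1")
    print("recovered:", recover_password("guest", "20150528", captured, SMALL, 3))
    # 62^8 keyspace at an assumed 10 GH/s: well under a day of worst-case search.
    print("days for 8-char alnum at 1e10 H/s:", round(days_to_exhaust(62, 8, 1e10), 3))
    key = secrets.token_bytes(32)
    tok = strong_token("guest", "20150528", key)
    print("hardened verify:", verify_strong_token("guest", "20150528", tok, key))
```

The point of the calculator is that the search cost is set by the size of the secret and the speed of the hash, so the defensive change is a long random key (or a deliberately slow KDF where a human-chosen password must remain), plus token expiry so that a recovered secret has a short useful life.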

This, of course, is just one example of authentication flaws in the platform, says Alexander Polyakov, CTO at ERPScan.

"The number of design flaws in Oracle PeopleSoft applications could be a great basis for a book called 'How to Develop the Most Insecure Authentication Mechanism for Dummies,'" he said.

With a minimal investment, such as that $500 GPU, an attacker could put him or herself into position to steal or tamper with very valuable information. PeopleSoft is frequently used by HR departments holding tons of employee data, so social security numbers and even credit card data and bank data could be up for grabs.

Meanwhile, PeopleSoft Enterprise Service Automation often controls business processes and project implementations, making it ripe for potential sabotage scenarios, particularly in manufacturing. Similar risks face organizations that depend on PeopleSoft Asset Lifecycle Management to monitor and maintain equipment on plant floors. And, finally, PeopleSoft Supplier Relationship Management contains juicy details about tenders and contracts, which would be very valuable in corporate espionage scenarios where competing suppliers hope to undercut others based on inside knowledge of proposals.

According to Tyurin and ERPScan, the interconnectedness of the platform means that the weakest part of the system puts everything else at risk. They believe more attention needs to be paid to PeopleSoft, as it is at least five years behind SAP security.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

User Rank: Ninja
5/29/2015 | 8:59:54 AM
Re: "Tester" did not state PeopleSoft releases that were tested. Non-Issue with current releases.
Agree. Another approach is to get rid of SAP, PeopleSoft and all other ERP systems and start thinking about cloud approaches. :--))
User Rank: Ninja
5/29/2015 | 8:56:55 AM
Re: should not run on public facing net
Agree. They were not designed with security in mind. They need to be kept deep inside the secure network.
User Rank: Apprentice
5/28/2015 | 5:14:51 PM
"Tester" did not state PeopleSoft releases that were tested. Non-Issue with current releases.
Note that only SHA-2 is used on all currently supported and available releases of PeopleSoft. So this is a non-issue, or better stated, it is the same issue that anyone would experience if they are still running old applications that are still using the SHA-1 method. Lastly, as a prior commenter stated, Enterprise Systems should not be hosted on open-access networks. These apps should be behind a VPN and other corporate firewalls. Much ado about nothing! The columnist is shouting fire in an occupied theater. Next time, cite application releases and system configurations before spouting misleading nonsense.
User Rank: Ninja
5/28/2015 | 7:42:38 AM
should not run on public facing net
PeopleSoft should not be running on a public-facing network.