SAP products may be getting a lot of the spotlight when it comes to enterprise resource planning (ERP) system vulnerabilities, but they are far from the only flavor of ERP with big flaws. Today at the Hack in the Box conference in Amsterdam, a researcher with ERPScan brought attention to Oracle PeopleSoft security by demonstrating a number of vulnerabilities on this platform that could enable theft of personally identifiable information, falsification of business-critical data, and supply-chain tampering.
Utilized by over 7,000 enterprises, including half of Fortune 100 companies, PeopleSoft can be a smorgasbord of sensitive and business-critical data. And while a few breaches caused by vulnerabilities in the platform have come to light since 2010, "there is almost no public research on the security of PeopleSoft applications," says Alexey Tyurin, head of the Oracle security department at ERPScan.
This creates a dangerous knowledge gap for defenders, as attackers are already exploiting existing security flaws, but companies have no good methodology to test their applications against these vulnerabilities, he says. Particularly risky are architectural issues that are not usually well-explained in security bulletins.
Oracle publishes basic information about vulnerabilities in their applications on a regular basis. This information can be enough for cybercriminals, as at least five public breaches prove. Unfortunately, the security community is scarcely informed about how to analyze these systems.
Today Tyurin showed how dangerous flaws in PeopleSoft systems can be. One vulnerability he demonstrated highlighted how a combination of factors can cause big problems. He showed how PeopleSoft systems that are accessible online often offer limited access to the system through things like job application forms or password reset windows. Access is granted through these windows via a special user with minimal rights in the system.
However, the authentication mechanism in this case gives ample opportunity for privilege escalation by brute-force attacking an authentication cookie called TokenID. That cookie is based on the SHA-1 hash algorithm, which allows an eight-character alphanumeric password to be recovered by brute force in a single day, using GPUs costing about $500.
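To make the design point concrete, here is an added example (not code from ERPScan, Oracle or the conference talk) that contrasts the weak pattern the article describes with a hardened one. The article does not describe the real TokenID format, so `weak_token` is only a stand-in for "a cookie derived from a fast, unsalted hash of a short password"; the guest account, password and timestamps are constructed sample values. The security-relevant difference is that the weak cookie can be checked against a password guess by anyone who holds it, with no round trip to the server, while the hardened cookie is a random, server-keyed, time-limited value from which nothing about the password can be derived.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: a hypothetical low-privilege guest account.
GUEST_USER = "guest"
GUEST_PASSWORD = "Ab3kz9Qw"  # eight-character alphanumeric, as in the article's example

# Server-side key for the hardened design: generated at startup, never sent to clients.
SERVER_KEY = secrets.token_bytes(32)


def weak_token(user: str, password: str) -> str:
    """Weak design (stand-in, not the real TokenID): the cookie is a fast, unsalted
    SHA-1 hash over data the client itself supplies."""
    return hashlib.sha1(f"{user}:{password}".encode()).hexdigest()


def weak_verify_offline(token: str, user: str, candidate: str) -> bool:
    """Illustrates the defect: a candidate password can be checked against the
    cookie using only public information, so the server never sees the guesses."""
    return hmac.compare_digest(weak_token(user, candidate), token)


def strong_token(user: str, now: int, ttl: int = 3600) -> str:
    """Hardened design: the cookie carries a random nonce and an expiry, and is
    authenticated with an HMAC under a server-held key. The password is not an input."""
    nonce = secrets.token_hex(16)
    expires = now + ttl
    payload = f"{user}|{expires}|{nonce}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def strong_verify(token: str, now: int, key: bytes = SERVER_KEY) -> Optional[str]:
    """Returns the user name if the tag is valid under `key` and the token is
    unexpired; otherwise None. Uses a constant-time comparison for the tag."""
    try:
        user, expires, nonce, tag = token.split("|")
    except ValueError:
        return None  # malformed token
    payload = f"{user}|{expires}|{nonce}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered (e.g. user field edited)
    if now >= int(expires):
        return None  # expired
    return user


if __name__ == "__main__":
    cookie = weak_token(GUEST_USER, GUEST_PASSWORD)
    print("weak cookie offline-checkable:", weak_verify_offline(cookie, GUEST_USER, GUEST_PASSWORD))
    now = 1_700_000_000  # constructed timestamp
    session = strong_token(GUEST_USER, now)
    print("strong cookie verifies:", strong_verify(session, now))
    print("strong cookie after expiry:", strong_verify(session, now + 3600))
```

The point to take from `weak_verify_offline` is not the single check it performs but what it does not need: no server key and no server contact. That is exactly what turns a $500 GPU into a credential-recovery tool. `strong_verify` removes that property, and its expiry and tamper checks (a modified user field invalidates the tag) are the kind of behaviour a defender should confirm when assessing any session-cookie scheme.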
This, of course, is just one example of authentication flaws in the platform, says Alexander Polyakov, CTO at ERPScan.
"The number of design flaws in Oracle PeopleSoft applications could be a great basis for a book called 'How to Develop the Most Insecure Authentication Mechanism for Dummies,'" he said.
With a minimal investment, such as that $500 GPU, an attacker could put himself or herself in a position to steal or tamper with very valuable information. PeopleSoft is frequently used by HR departments holding tons of employee data, so Social Security numbers and even credit card and bank data could be up for grabs.
Meanwhile, PeopleSoft Enterprise Service Automation often controls business processes and project implementations, making it ripe for potential sabotage scenarios, particularly in manufacturing. Similar risks face organizations that depend on PeopleSoft Asset Lifecycle Management to monitor and maintain equipment on plant floors. And finally, PeopleSoft Supplier Relationship Management contains juicy details about tenders and contracts, which would be very valuable in corporate espionage scenarios where competing suppliers hope to undercut others based on inside knowledge of proposals.
According to Tyurin and ERPScan, the interconnectedness of the platform means that the weakest part of the system puts everything else at risk. They believe more attention needs to be paid to PeopleSoft, as it is at least five years behind SAP in security.