EAS-SEC. Oracle PeopleSoft Security Configuration. Part 4: Unnecessary Functionality
Like many other ERP systems, PeopleSoft provides numerous additional functions that are enabled by default but unnecessary in particular deployments. They typically exist to simplify deployment and cross-system integration.
The more functionality is available, the higher the probability of vulnerabilities: every additional service is an input point that increases the attack surface, especially if the unnecessary functionality is misconfigured and performs critical actions in the system.
Furthermore, HTTP(S) is the most commonly used protocol for managing intersystem connections over the Internet, so these functions are often reachable from the Internet by low-privileged or even anonymous users.
Business Interlinks [EASSEC-PVAG-PS-07]
The PeopleSoft Business Interlink framework provides a gateway /PSINTERLINKS/BusInterlinkServLet/ for PeopleSoft applications to the services of any external system. This framework enables any PeopleSoft component (that is, a page, an Application Engine program, etc.) to integrate with any external system in near real-time and batch modes.
If this resource is enabled, it allows an attacker to determine the operating system of the server that hosts PeopleSoft.
An attacker can also gain unauthorized update, insert or delete access to some PeopleSoft Enterprise PeopleTools accessible data, as well as read access to a subset of PeopleSoft Enterprise PeopleTools accessible data (CVE-2013-3800, CVSS Base Score 6.4).
In addition, a user with any set of privileges can cause a denial of service with a malformed XML request (CVE-2013-3820, CVSS Base Score 5.0).
PeopleSoft Business Interlinks is a deprecated product. The Business Interlinks class exists only for backward compatibility; use Integration Broker for new integrations.
If the /PSINTERLINKS/BusInterlinkServLet/ service is in use, review the existing user authorizations for it and confirm they are adequately restricted. If the service is not required, disable it: remove or comment out the BusInterlinkServLet servlet in web.xml, located in the [PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PSINTERLINKS.war\WEB-INF directory.
PeopleSoft Integration Gateways [EASSEC-PVAG-PS-08]
Integration Gateway is the platform that manages the receipt and delivery of messages passed among systems through PeopleSoft Integration Broker. Integration Broker facilitates information transfer between systems, and integrations in PeopleSoft applications can expose sensitive information such as financial data.
PeopleSoft delivers several listening connectors with Integration Broker that enable integration participants to communicate with the PeopleSoft system using a number of communication formats.
The PeopleSoft Integration Gateway (PSIGW) exposes several services that can serve as a starting point for attacks:
- PSIGW supports remote configuration: the Integration Gateway configuration file can be read and written via special XML requests. Authentication is required, but there is no defense against brute-force attacks.
- Old PeopleTools versions use “password” as the default password for various services. Newer PeopleTools versions use the PS user’s password as the default for those services.
- The DES/3DES-encrypted PSIGW password is stored in a configuration file that is readable via XXE. An attacker who obtains it can change the location of the Java classes or set an XSL transformation, leading to remote code execution.
- Message and error logs are readable by anyone by default unless access to them is restricted.
Best practice is to disable unnecessary listening connectors and services. To do so, remove or comment out the unnecessary servlets in web.xml, located in the [PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PSIGW.war\WEB-INF directory. If this is not possible, set a complex password for the services and change it regularly.
Access to the functionality that is used should be appropriately restricted. A security analyst must evaluate the security requirements of each individual integration. PeopleSoft Integration Broker allows each integration, as well as all integration data flowing over the wire, to be secured to the required level.
Set up message and error logging in the integrationGateway.properties file. Use its Logging Setting section to change the default settings, such as the gateway logging level, where the system writes log files, the maximum log file size, and the number of backups or archives to keep.
To protect against vulnerabilities such as XXE, update PeopleTools to the latest version (the XXE in Integration Broker was fixed in the Oracle Critical Patch Updates of July 2013 and April 2017).
It is also recommended to use WS-Security, which enables applications to construct secure SOAP message exchanges and provides a means of associating security tokens with messages.
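Because the gateway's remote-configuration interface has no brute-force protection of its own, a compensating control is to watch the PIA web server's access log for repeated authentication failures against /PSIGW/. The following is an added example, not Oracle's or EAS-SEC's code: it parses Common Log Format lines (the WebLogic default access.log layout) and flags any client that accumulates more than MAX_FAILURES HTTP 401 responses for gateway paths inside a sliding WINDOW. It assumes that failed gateway logins surface as 401 in the access log; the log lines, client addresses, request paths and thresholds below are constructed for the example.

```python
"""Flag brute forcing of the Integration Gateway from the web server access log.

Added example for this page; not Oracle's or EAS-SEC's code. Assumes failed
gateway logins appear as HTTP 401 in a Common Log Format access log. Sample
log lines, addresses and thresholds are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Optional, Tuple

MAX_FAILURES = 5               # assumption: tune per environment
WINDOW = timedelta(seconds=60)  # assumption: sliding window length
GATEWAY_PREFIX = "/PSIGW/"

# CLF: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: 10.0.0.5 fails six times in 40 s (should alert);
# 10.0.0.9 fails twice and then succeeds (should not alert).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2017:12:00:01 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 401 0
10.0.0.5 - - [10/Jun/2017:12:00:08 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 401 0
10.0.0.9 - - [10/Jun/2017:12:00:10 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 401 0
10.0.0.5 - - [10/Jun/2017:12:00:15 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 401 0
10.0.0.5 - - [10/Jun/2017:12:00:22 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 401 0
10.0.0.9 - - [10/Jun/2017:12:00:25 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 401 0
10.0.0.9 - - [10/Jun/2017:12:00:30 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 200 512
10.0.0.5 - - [10/Jun/2017:12:00:31 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 401 0
10.0.0.5 - - [10/Jun/2017:12:00:40 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 401 0
10.0.0.5 - - [10/Jun/2017:12:05:00 +0000] "GET /psp/ps/ HTTP/1.1" 200 1024
"""


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, int]]:
    """Parse one CLF line into (host, timestamp, path, status); None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("path"), int(m.group("status"))


def detect_bruteforce(log_text: str, max_failures: int = MAX_FAILURES,
                      window: timedelta = WINDOW) -> Dict[str, int]:
    """Return {client: peak failures seen inside one window} for every client
    whose 401s against GATEWAY_PREFIX exceed max_failures within the window."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, int] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts, path, status = parsed
        if status != 401 or not path.startswith(GATEWAY_PREFIX):
            continue
        q = recent[host]
        q.append(ts)
        # Evict failures that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_failures:
            alerts[host] = max(alerts.get(host, 0), len(q))
    return alerts


if __name__ == "__main__":
    for client, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {client}: {count} gateway auth failures within {WINDOW.seconds}s")
```

Point the script at the real access.log of the PIA domain to use it outside the sample; if your gateway reports failures inside a 200 response body rather than as a 401, change the status predicate in detect_bruteforce accordingly.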
PeopleSoft Online Library [EASSEC-PVAG-PS-09]
The PeopleSoft Online Library is an HTML-based website that contains the comprehensive documentation for Oracle’s PeopleSoft Enterprise applications and tools.
The PeopleSoft Online Library is organized hierarchically, resembling a traditional library. The home page (index.htm) displays links to all installed documentation types, including PeopleBooks.
This functionality has many input forms, so an attacker can attempt XSS or SQL injection. For example, numerous XSS vulnerabilities exist in /PSOL/servlet/FullTextSearch if the issue has not been fixed by a patch.
An attacker can use an information disclosure vulnerability in PeopleSoft PSOL (psolmanager.htm) to reveal additional information (system data, debugging information, etc.).
To disable them, comment out or remove the servlet-mapping and servlet elements for the unnecessary servlets (FullTextSearch, PSOL manager) in the web.xml file located in the [PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PSOL.war\WEB-INF directory, then restart the web server.
PeopleSoft Synchronization Server [EASSEC-PVAG-PS-10]
The synchronization server events control the synchronization of mobile data with the PeopleSoft database. The SyncServer class methods and properties are used for data selection and validation during synchronization.
This functionality is available in PeopleTools versions before 8.53.06 with a patch; since PeopleTools 8.53.06, the synchronization server has been removed from PeopleSoft.
An attacker can reveal additional information about the PeopleSoft Synchronization Server and use an XML external entity (XXE) vulnerability to gain unauthorized access to the OS filesystem.
It is recommended to disable this service. To do so, comment out or remove the servlet-mapping and servlet elements for the SyncServer servlet in the web.xml file located in the [PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PORTAL.war\WEB-INF directory, then restart the web server.
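The hardening steps for PSINTERLINKS, PSIGW, PSOL and PORTAL above are all the same edit to a WEB-INF/web.xml, so a single audit script covers all four. The following is an added example, not Oracle's or EAS-SEC's code: it parses a web.xml and reports which servlets remain declared (commented-out elements never reach the parser, so the result reflects what the container will actually deploy), which URL patterns they are mapped to, and which of the servlets this page recommends disabling (BusInterlinkServLet, FullTextSearch, SyncServer) are still present. The embedded web.xml is constructed for the example, and its servlet-class values are placeholders, not Oracle's class names.

```python
"""Audit a PeopleSoft PIA web.xml for servlets that are still enabled.

Added example for this page; not Oracle's or EAS-SEC's code. The sample
web.xml below is constructed, and its servlet-class values are placeholders.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: BusInterlinkServLet is fully commented out, SyncServer
# is still declared but has no mapping, and psp is declared and mapped.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <!--
  <servlet>
    <servlet-name>BusInterlinkServLet</servlet-name>
    <servlet-class>example.placeholder.BusInterlinkServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>BusInterlinkServLet</servlet-name>
    <url-pattern>/BusInterlinkServLet/*</url-pattern>
  </servlet-mapping>
  -->
  <servlet>
    <servlet-name>SyncServer</servlet-name>
    <servlet-class>example.placeholder.SyncServer</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>psp</servlet-name>
    <servlet-class>example.placeholder.Portal</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>psp</servlet-name>
    <url-pattern>/psp/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Servlets this page recommends disabling when they are not needed.
UNWANTED_SERVLETS = {"BusInterlinkServLet", "FullTextSearch", "SyncServer"}


def _local(tag: str) -> str:
    """Strip the XML namespace prefix ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> str:
    """Text of the first child element whose local name is `name`, or ''."""
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return ""


def enabled_servlets(web_xml: str) -> Dict[str, List[str]]:
    """Return {servlet-name: [url-patterns]} for servlets still declared.
    A declared servlet with no <servlet-mapping> appears with an empty list."""
    root = ET.fromstring(web_xml.encode("utf-8"))
    result: Dict[str, List[str]] = {}
    for child in root:
        if _local(child.tag) == "servlet":
            result[_child_text(child, "servlet-name")] = []
    for child in root:
        if _local(child.tag) == "servlet-mapping":
            name = _child_text(child, "servlet-name")
            patterns = [c.text.strip() for c in child
                        if _local(c.tag) == "url-pattern" and c.text]
            result.setdefault(name, []).extend(patterns)
    return result


def findings(web_xml: str, unwanted=UNWANTED_SERVLETS) -> List[str]:
    """One audit line per unwanted servlet that is still declared."""
    out: List[str] = []
    for name, patterns in sorted(enabled_servlets(web_xml).items()):
        if name in unwanted:
            state = ("declared and mapped to " + ", ".join(patterns)
                     if patterns else "declared but unmapped")
            out.append(f"UNWANTED servlet {name} still {state}")
    return out


if __name__ == "__main__":
    # Pass the path to a real WEB-INF/web.xml, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    for servlet, patterns in sorted(enabled_servlets(text).items()):
        print(f"{servlet}: {', '.join(patterns) or '(no mapping)'}")
    for line in findings(text):
        print(line)
```

Run it once per WAR file after editing, for example against [PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PSIGW.war\WEB-INF\web.xml, and then restart the web server; an unwanted servlet that is declared but unmapped is still loaded by the container, so remove or comment out both elements, not just the mapping.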
PeopleSoft delivers a number of web services that are available remotely, some of them to anonymous users. Implement the main checks immediately: disable all services accessible to anonymous users, analyze which of the installed services you need, and further restrict access to them with authorization checks. After analyzing the PeopleSoft services, it is also recommended to disable or restrict access to web server services such as UDDI Explorer and WebLogic web services. Each of these subsystems can be used as another escalation point or can have exploitable vulnerabilities.