PeopleSoft JOLTandBLEED Vulnerability
As a matter of urgency, Oracle has released five patches addressing severe vulnerabilities identified by the ERPScan team. The most critical of them carry CVSS base scores of 9.9 and 10.0 and can be exploited over the network without a valid username and password. The issues affect the Jolt server in Oracle Tuxedo, a core component of numerous Oracle products, one of which is Oracle PeopleSoft. By exploiting these vulnerabilities, an attacker can gain full access to all data stored in the following ERP systems:
- Oracle PeopleSoft Campus Solutions
- Oracle PeopleSoft Human Capital Management
- Oracle PeopleSoft Financial Management
- Oracle PeopleSoft Supply Chain Management, etc.
- CVE-2017-10272 is a memory disclosure vulnerability; exploiting it lets an attacker remotely read the memory of the server.
- CVE-2017-10267 is a stack overflow vulnerability.
- CVE-2017-10278 is a heap overflow vulnerability.
- CVE-2017-10266 is a vulnerability that allows a malicious actor to brute-force the DomainPWD password used for Jolt protocol authentication.
- CVE-2017-10269 is a vulnerability in the Jolt protocol that enables an attacker to compromise the entire PeopleSoft system.
The bug originates in how the Jolt Handler (JSH) processes a command with opcode 0x32. If the packet structure is malformed, the handler has to send the Jolt client a specific Jolt response indicating that an error occurred in the communication.
When constructing this message, the programmer who wrote the code made a mistake in the function call responsible for packing the data for transmission: the two byte-order conversion functions, jtohi and htoji, were confused. As a result, the constant packet length, which must be 0x40 bytes, is packed as 0x40000000 (0x40 with its bytes swapped).
A client can then trigger the transmission of 0x40000000 bytes of data. By manipulating the communication with the client, an attacker can keep the server side running stably while obtaining a leak of sensitive data. By opening a large number of connections, the attacker passively collects the internal memory of the Jolt server. This leads to the leakage of credentials as users enter them through the web interface of a PeopleSoft system.
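The byte-order confusion described above, reduced to a constructed model. This is an added example, not ERPScan's or Oracle's code; the real Tuxedo internals are not public. It assumes that jtohi and htoji are 32-bit byte-swap helpers between host order and Jolt wire order, that the host is little-endian x86, and it models the 0x40-byte error response only by its length field; JOLT_MAX_RESP_LEN and all function names are hypothetical. The block shows how one conversion too many turns 0x40 into 0x40000000, how much memory a send loop that trusts that value would expose, and the bounds check a hardened receiver should apply before reading a declared length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the JSH error-response packing (assumption, not
 * Tuxedo source): Jolt wire order is big-endian, the host is little-endian
 * x86, htoji() converts a host-order 32-bit integer to wire order and
 * jtohi() converts wire order back to host order. On such a host both are
 * the same byte swap, so the compiler cannot catch a call made in the
 * wrong direction. */
static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}
static uint32_t htoji(uint32_t host) { return bswap32(host); } /* host -> Jolt wire */
static uint32_t jtohi(uint32_t wire) { return bswap32(wire); } /* Jolt wire -> host */

#define JOLT_ERR_RESP_LEN 0x40u    /* fixed error-response length from the advisory */
#define JOLT_MAX_RESP_LEN 0x10000u /* assumed upper bound for a hardened receiver */

/* Header writer: takes a host-order length and performs the single
 * host-to-wire conversion itself. */
static void put_length(uint8_t hdr[4], uint32_t host_len)
{
    uint32_t wire = htoji(host_len);
    memcpy(hdr, &wire, sizeof wire);
}

/* Header reader, as a Jolt client would decode the length field. */
static uint32_t get_length(const uint8_t hdr[4])
{
    uint32_t wire;
    memcpy(&wire, hdr, sizeof wire);
    return jtohi(wire);
}

/* Vulnerable pattern: the constant is "converted" with jtohi before being
 * handed to put_length, which converts it again. Three swaps collapse to
 * one, so the client decodes 0x40000000 instead of 0x40. */
uint32_t buggy_declared_length(void)
{
    uint8_t hdr[4];
    put_length(hdr, jtohi(JOLT_ERR_RESP_LEN));
    return get_length(hdr);
}

/* Corrected pattern: exactly one conversion, done by the header writer. */
uint32_t fixed_declared_length(void)
{
    uint8_t hdr[4];
    put_length(hdr, JOLT_ERR_RESP_LEN);
    return get_length(hdr);
}

/* Server-side consequence: if the send loop trusts the miscomputed length
 * as the byte count to emit from a JOLT_ERR_RESP_LEN-byte buffer, it reads
 * this many bytes past the buffer, i.e. JSH process memory. Only the
 * number is computed here; no out-of-bounds read is performed. */
size_t overread_bytes(uint32_t send_len, size_t buf_len)
{
    return send_len > buf_len ? send_len - buf_len : 0;
}

/* Hardened receiver: reject a declared length outside the expected range
 * before allocating or reading. Returns 0 if acceptable, -1 otherwise. */
int check_declared_length(uint32_t declared)
{
    if (declared < 4 || declared > JOLT_MAX_RESP_LEN)
        return -1;
    return 0;
}

int main(void)
{
    uint32_t bad = buggy_declared_length();
    uint32_t good = fixed_declared_length();
    printf("buggy length field: 0x%08x (check %d, overread %zu bytes)\n",
           bad, check_declared_length(bad),
           overread_bytes(bad, JOLT_ERR_RESP_LEN));
    printf("fixed length field: 0x%08x (check %d)\n",
           good, check_declared_length(good));
    return 0;
}
```

The decisive design point is that the header writer owns the conversion: callers pass host-order values only, so a stray jtohi at a call site stands out in review, and the receiver never trusts a declared length it has not bounded against the largest response it can legitimately receive.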
On November 16, at the DeepSec conference, the technical details, as well as information on how to close these vulnerabilities, were presented.
For those interested in more technical detail, ERPScan has uploaded a video to YouTube.