Attacking and Securing Oracle PeopleSoft
Oracle is the second largest vendor in the ERP market, and its PeopleSoft system is used by more than 7,000 companies, including about 50% of the Fortune 100. Unfortunately, Oracle applications such as Oracle PeopleSoft have multiple vulnerabilities that can be exploited by attackers.
Our research shows that 549 PeopleSoft systems are exposed on the Internet, including systems deployed by governments, universities, healthcare providers, banks, manufacturers and retailers. Moreover, slightly less than half of the PeopleSoft systems reachable online are vulnerable to the TokenChpoken attack presented at the HackInParis conference (an offline brute-force of the node password that signs the PS_TOKEN authentication cookie, after which an attacker can forge a valid token for any user). Successful attacks on Oracle PeopleSoft applications can lead to:
- Theft of Social Security Numbers, enabling identity theft
- Access to employees' and clients' credit card data (cardholder name, PAN, expiration date and CVV code)
- Forging business-critical information about the status of project implementation
- Forging equipment health information
- Manipulation of tenders in SRM (Supplier Relationship Management)
PeopleSoft issues are not limited to the TokenChpoken attack. Our research team has identified many other issues, including information disclosure, XSS, XXE and authentication bypass. Many of them are of high severity, and most have remained unresolved for years.
This presentation covered the latest information about Oracle PeopleSoft vulnerabilities, including the TokenChpoken attack and other important issues. At the end of the presentation, we showed how the ERPScan Security Monitoring Suite for PeopleSoft can help you assess and monitor PeopleSoft vulnerabilities, misconfigurations and access control issues, as well as protect against 0-day attacks.
Alexey Tyurin – Director, Oracle Security Services, ERPScan
Alexander Polyakov – CTO, ERPScan