Amsterdam, Netherlands - May 28, 2015
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented his talk "Oracle PeopleSoft Applications are Under Attack!" at the Hack In The Box security conference (HITB), an annual event for researchers and security professionals from around the world.
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies, including about 50% of the Fortune 100. PeopleSoft applications are used worldwide, with more than 72% of customers in the USA. They are usually thought of as a solution for higher education, but this is not entirely true. Oracle does not publish official statistics on PeopleSoft customers; however, according to PeopleSoft user lists provided by third parties, the Education sector makes up only about 36% of all customers, which is more than 1900 companies. PeopleSoft is also widely used in Manufacturing (22%, about 1160 companies), Computing & IT (18%, about 1000 companies), Retail (8%, more than 440 companies), and Government.
Several data breaches related to vulnerabilities in Oracle PeopleSoft applications have been reported in the media since 2010. For example, in March 2013, Salem State University in Massachusetts alerted 25,000 students and staff that their Social Security Numbers may have been compromised in a database breach. If the pattern of the last few years repeats itself, higher education institutions can expect another half dozen major security breaches.
According to Alexey's research presented at HITB, not only universities but all enterprises using Oracle PeopleSoft applications are potentially under attack, because they share the same vulnerabilities.
"Nevertheless, there is almost no public research on the security of PeopleSoft applications. While cybercriminals are exploiting existing security flaws, companies don't know the methodology for testing their PeopleSoft applications against vulnerabilities, especially architectural ones. Oracle publishes basic information about vulnerabilities in their applications on a regular basis. This information can be enough for cybercriminals, as at least 5 public breaches prove. Unfortunately, the security community is scarcely informed about how to analyze these systems. So, our mission is to help clients and security companies to assess and secure their business-critical systems properly,"
- said Alexey Tyurin.
In his research, Alexey Tyurin has spotlighted several vulnerabilities in PeopleSoft systems. Let's look at the most dangerous one. PeopleSoft systems are often accessible from the Internet, and some parts of the system have to be available before registration, for example job application forms or "Forgot your password?" forms. For this purpose, PeopleSoft systems contain a special user with minimal rights, and when you open such a page the system automatically authenticates you as this user. This creates an opportunity for a privilege escalation attack by brute-forcing the authentication cookie, TokenID. TokenID is generated using the SHA-1 hashing algorithm, and according to the latest information, an 8-character alphanumeric password can be recovered within one day on current GPUs costing about $500.
"The number of design flaws in Oracle PeopleSoft applications can be a great basis for a book called How to Develop the Most Insecure Authentication Mechanism for Dummies,"
- adds Alexander Polyakov, CTO, ERPScan.
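The following is an added illustration, not code from the original release, from ERPScan, or from Oracle, and it is not PeopleSoft's actual TokenID algorithm. It uses an assumed, simplified token design (an unkeyed SHA-1 over public fields plus a short secret) to show why such a cookie exposes the secret to offline guessing whose cost depends only on the secret's entropy, how a defender can estimate that cost against a password policy, and how an HMAC under a random 256-bit server key removes the exposure. The GPU hash rate is an assumption chosen so that the 8-character alphanumeric keyspace takes about one day, consistent with the estimate quoted above; the field layout and sample values are constructed.

```python
"""Constructed model of the authentication-token weakness described above.

This is not PeopleSoft's TokenID algorithm and is not code from ERPScan or
Oracle; it is a simplified, assumed design used to show (a) why a token
built from a fast unkeyed hash over a short human-chosen secret can be
attacked offline by anyone who holds the cookie, and (b) how an HMAC under
a random 256-bit server key removes that exposure.
"""
import hashlib
import hmac
import math
import secrets

# Assumed offline SHA-1 guessing rate for a mid-range GPU (hashes/second).
# This figure is an assumption, not one from the article; it is chosen so
# that the full 8-character alphanumeric keyspace takes about one day,
# matching the estimate quoted in the text.
ASSUMED_SHA1_RATE_PER_SEC = 2.5e9

SECONDS_PER_DAY = 86_400


def weak_token(public_fields: str, short_secret: str) -> str:
    """Assumed weak design: unkeyed SHA-1 over public fields plus a short secret.

    Everything except short_secret is known to whoever reads the cookie, so
    the token's strength is exactly the secret's entropy.
    """
    return hashlib.sha1((public_fields + short_secret).encode()).hexdigest()


def strong_token(public_fields: str, server_key: bytes) -> str:
    """Hardened design: HMAC-SHA256 keyed with a random 32-byte server secret."""
    return hmac.new(server_key, public_fields.encode(), hashlib.sha256).hexdigest()


def verify_token(public_fields: str, server_key: bytes, presented: str) -> bool:
    """Recompute and compare in constant time so verification leaks nothing."""
    expected = strong_token(public_fields, server_key)
    return hmac.compare_digest(expected, presented)


def secret_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret drawn from alphabet_size^length."""
    return length * math.log2(alphabet_size)


def days_to_exhaust(alphabet_size: int, length: int,
                    rate: float = ASSUMED_SHA1_RATE_PER_SEC) -> float:
    """Worst-case days to try every secret of this size at the given rate."""
    return alphabet_size ** length / rate / SECONDS_PER_DAY


def assess(alphabet_size: int, length: int) -> dict:
    """Risk summary a defender can compare against a password policy."""
    return {
        "entropy_bits": round(secret_entropy_bits(alphabet_size, length), 1),
        "days_to_exhaust": days_to_exhaust(alphabet_size, length),
    }


if __name__ == "__main__":
    # Constructed sample values; the field layout is illustrative only.
    fields = "user=guest;node=PSFT_HR;issued=2015-05-28"

    print("8-char alphanumeric secret:", assess(62, 8))
    print("16-char alphanumeric secret:", assess(62, 16))
    print("random 32-byte key (HMAC):", assess(256, 32))

    key = secrets.token_bytes(32)
    tok = strong_token(fields, key)
    print("valid token verifies:", verify_token(fields, key, tok))
    print("tampered fields verify:", verify_token(fields + ";x", key, tok))
```

The point of the comparison is that `weak_token` is only as strong as the human-chosen secret behind it, so the 8-character alphanumeric case lands at roughly 48 bits and about a day of guessing at the assumed rate, whereas `strong_token` depends on a 256-bit key that no password policy or GPU budget can close the gap on. The constant-time comparison in `verify_token` is the other half of a sound design: the server never reveals how close a presented token is to the real one.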
The optimal attack vector depends on the hacker's goal. The impact of different attacks can involve espionage, sabotage, and fraud. We highlight the five most serious consequences of these attacks, but they should not be considered the only possible ones:
- Theft of Social Security Numbers, also known as identity theft. Employees' SSNs are stored in Human Resource Management Systems. A malicious person can use the victim's SSN to obtain other personal information or apply for a loan on their behalf. Getting a new number to replace the compromised one is not easy, and it is entirely up to the Social Security Administration. All companies using PeopleSoft HRMS are at risk, especially government agencies.
- Employees' and clients' credit card data (cardholder name, PAN, expiration date, and CVV code) are stored in many PeopleSoft applications. A security breach in such an application puts this information at risk of theft. Every enterprise can be a victim of this attack, but it is primarily relevant for the Retail industry.
- With access to PeopleSoft Enterprise Service Automation, an attacker can forge business-critical information about the stage of project implementation, so that leaders make wrong decisions resulting in wasted resources, missed commitments, and reputational losses. This sabotage scenario is especially dangerous for Manufacturing companies.
- The operating assets of an organization, from facilities and equipment to rolling stock and production machinery, are central to accomplishing the enterprise's objectives. PeopleSoft Asset Lifecycle Management provides the ability to monitor and optimally maintain those assets, and it is usually connected to the plant floor. If an attacker has access to this application, they can forge equipment health information. There are two scenarios. First, a malicious person can forge a report that a new part is about to wear out, so the company spends money unnecessarily. Second, an attacker can make the system report that a long-used part is new, which can lead to a manufacturing disaster. This sabotage attack is most likely to be performed against Manufacturing companies.
- The Oracle PeopleSoft Supplier Relationship Management application holds information about tenders and contracts. If an attacker learns a supplier's proposal, they can use this information in their own proposal. This can result in reputational and financial losses for the company holding the tender.
The situation with Oracle PeopleSoft applications is even worse than it was with SAP five years ago. In the SAP security market there is now awareness (100+ presentations at security conferences in 5 years), security specialists, products, and real examples of attacks such as the recent USIS breach. In terms of possible attacks, the situation with PeopleSoft security is five times more critical, judging by the number of public and confirmed incidents alone.
Alexey has found multiple issues in PeopleSoft applications exploitable by all kinds of potential attackers: insiders, developers, or even cybercriminals from the Internet. The severity and number of these issues match the combined impact of the top 3 most critical bugs we found in SAP applications in the last five years, and most of these issues have remained unresolved for years!
It is notable that Oracle PeopleSoft applications usually work as a complex system composed of several applications. So once an attacker gets access to the weakest part of the system, they can easily reach the connected applications.
ERPScan is the most respected and credible Business Application Security provider. Founded in 2010, the company operates globally and enables large Oil and Gas, Financial and Retail organizations to secure their mission-critical processes. Named an Emerging Vendor in Security by CRN, listed among Top 100 SAP Solution Providers and distinguished by 30+ other awards, ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to assist in improving the security of their latest solutions.
ERPScan's primary mission is to close the gap between technical and business security, and provide solutions to evaluate and secure SAP and Oracle ERP systems and business-critical applications from both cyber-attacks and internal fraud. Usually, our clients are large enterprises, Fortune 2000 companies and managed service providers whose requirements are to actively monitor and manage the security of vast SAP landscapes on a global scale.
We "follow the sun" and operate from two hubs, located in Palo Alto and Amsterdam, to provide threat intelligence services and agile support, and we run local offices and a partner network spanning 20+ countries around the globe.