Oracle PeopleSoft HRMS was broken at BlackHat Las Vegas

Las Vegas, CA – August 1, 2013 Recently at the BlackHat security conference in Las Vegas, where the latest unique research is published every year, researchers from ERPScan – innovative provider of SAP and business application security software and services – presented the first and only report on vulnerabilities in Oracle PeopleSoft.

ERPScan CTO Alexander Polyakov and Director of Consulting Dr. Alexey Tyurin presented a workshop which included new techniques of security assessment for business systems including Oracle PeopleSoft, which is used in many big companies.  Some of these customers are: AARP, Caterpillar Inc., Daimler, Franklin Templeton Investments, Washington University in St. Louis, Westfield, and Verizon.

This software is a combination of supply chain, human resources, supplier relationship management and much more. This software is installed by 6000+ customers (57 % of Fortune 100 list) and serves 20 million employees worldwide. Providing an attacker with an opportunity to steal the personal data of more than 20 million people is very easy because most PeopleSoft applications are connected to the Internet for providing access to suppliers. Simple Google search strings can find about 500 internet-enabled PeopleSoft applications. Shodan requests will show much more.

Vulnerabilities that were found in this system can allow third parties to get full access to the system and obtain critical HR or supplier data, social security numbers and maybe also credit card data. Moreover, it is not only possible to steal data but also to make a denial of service attack on competitors or modify financial information such as bank account numbers. Most of the issues that will be presented were quickly patched by Oracle in less than 3 weeks when we informed them that they will be presented at BlackHat. However, our research was a high-level one rather than focused on finding every issue. The idea was to look at the system security in common and reveal where problems can be. Additionally, according to our statistics of patching business applications, for example, SAP, the presented issues can be active for years until somebody will close them.

We are focused on the security on business critical applications where companies store all of the data that they need to make their business work. Mostly, we do security assessment and sell security software for SAP systems, being a major player in this niche. But sometimes we get assessment requests for other applications, and we are happy to share this information,”

– mentioned Alexander Polyakov, the CTO of ERPScan.

In our workshop “Practical Pentesting of ERP systems and business applications”, we showed how the process of security assessment of critical and huge applications should look like with the examples of SAP, Oracle and Microsoft applications. This research is a part of a big project called EAS-SEC (previously OWASP-EAS), which is focused on the security of different business applications including provision of guidelines for analyzing them. The workshop described 9 big areas that should be covered during a security assessment such as vulnerability patching, default accounts, critical services, access control and so on, as well as demonstrations of recently found critical vulnerabilities.

“We have presented both old and new issues. The old one was very critical and we have not shared the details for 4 years. The issue was patched in January 2011 and allowed conducting a denial of service attack within one HTTP request on the login page of PeopleSoft application. It is very critical due to the fact that PeopleSoft applications usually can be found on the Internet using simple Google search strings”, – mentioned Alexander Polyakov, the CTO of ERPScan.

“New issues were found during one of our pentest engagements and reported to Oracle just 3 weeks before their patch release. Surprisingly, all of them were closed by the patch release date after we revealed that we are planning to publish them at BlackHat. Those issues in web services, which include XML vulnerabilities in combination with architecture problems and such configuration as storage of passwords in cleartext, would allow full remote access to the system”, –

mentioned Alexey Tyurin, the director of consulting at ERPScan.

A tool and guidelines for pentesting Oracle PeopleSoft applications were released at the BlackHat conference in Las Vegas.