Exposing the vulnerabilities in Oracle PeopleSoft applications
During his talk at the Hack in the Box conference, Alexey Tyurin, Head of the Oracle Security Department at ERPScan, spotlighted several vulnerabilities in Oracle PeopleSoft applications.
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies including about 50 % of Fortune 100.
PeopleSoft systems are often accessible from the Internet. And some parts of the system have to be available before registration, for example, job application forms or “Forgot your password?” forms. For this purpose, there is a special user with minimal rights in PeopleSoft systems. When you enter, the system automatically authenticates you as this user. It is an opportunity to perform a privilege escalation attack by bruteforcing the authentication cookie called TokenID. TokenID is generated based on SHA1 hashing algorithm, and according to the latest information, 8-characters alpha-numeric password can be decrypted within one day on latest GPUs that cost about $500.
The optimal attack vector depends on the hacker’s goal. The impact of different attacks can involve espionage, sabotage, and fraud. We highlight the five most serious consequences of these attacks, but they should not be considered the only possible ones:
- Theft of Social Security Number, also known as identity theft. Employees’ SSNs are stored in Human Resource Management Systems. A malicious person can use the victim’s SSN to get other personal information or apply for a loan on their behalf. Getting a new number instead of the compromised one is not easy, and it’s entirely up to the Social Security Administration. All companies using PeopleSoft HRMS are at risk, especially Government.
- Employees’ and clients’ credit card data (card holder name, PAN, expiration date, and CVV code) are stored in many PeopleSoft applications. If an application has a breach in security, it puts this information at the risk of stealing. Every enterprise can be a victim of this attack, but it is primarily relevant for the Retail industry.
- Having access to PeopleSoft Enterprise Service Automation, an attacker can forge business-critical information about the stage of project implementation, so leaders can make a wrong decision that results in the waste of resources, commitment failure, and reputational losses. This sabotage scenario is especially dangerous for Manufacturing companies.
- The operating assets of an organization, from facilities and equipment to rolling stock and production machinery, are central to accomplishing the enterprise’s objectives. PeopleSoft Asset Lifecycle Management provides the ability to monitor and optimally maintain those assets. Asset Lifecycle Management is usually connected to the plant floor. If an attacker has access to this application, it gives them an opportunity to forge equipment health information. There are two scenarios. First, a malicious person can forge a message that a new detail is going to be worn out soon, so the company spends more money without any need. Second, an attacker can make the system lie that a long-exploited detail is new, which can lead to a manufacturing disaster. This sabotage attack is more likely to be performed against Manufacturing companies.
- Oracle PeopleSoft Supplier Relationship Management application keeps information about tenders and contracts. If an attacker gets to know a supplier’s proposal, they can use this information in their own proposal. It can result in reputational and financial losses for the company holding the tender.
The situation with Oracle PeopleSoft Applications is even worse than it was with SAP five years ago. There is now awareness (100+ presentations at security conferences in 5 years), security specialists, products, and real examples of attacks such as the recent USIS breach in SAP security market. In terms of possible attacks, the situation with PeopleSoft Security is five times more critical, judging by the number of just the public and confirmed incidents.
Alexey has found multiple issues in PeopleSoft applications from all kind of potential attackers: insiders, developers, or even cybercriminals from the Internet. The criticality and amount of these issues combine the impact from the top 3 most critical bugs that we found in SAP applications in the last five years, and most of these issues stay unresolved for years!
It is notable that Oracle PeopleSoft applications usually work as a complex system comprised by several applications. So once an attacker gets access to the weakest part of the system, they can get access to connected applications easily.