Breaking

ERP Platforms Are Vulnerable

This is a guest post by the SAP security expert Juan Pablo Perez-Etchegoyen, CTO of  Onapsis. Enjoy reading:

At Onapsis we are continuously researching in the ERP security field to identify the risks that ERP systems and business-critical applications are exposed to. This way we help customers and vendors to increase their security posture and mitigate threats that may be affecting their most important platform: the one that stores and manages their business’ crown jewels.

We have been talking about SAP security in many conferences over the last years, not only showing how to detect insecure settings and vulnerabilities but also explaining how to mitigate and solve them.  However, something that is still less known is that since 2009 we have been also doing research over Oracle’s ERP systems (JD Edwards, Siebel, PeopleSoft, E-Business Suite) and reporting vulnerabilities to the vendor. In this post, I’m going to discuss some of the vulnerabilities that we reported, Oracle fixed and released patches in the latest CPU (Critical Patch Update) of January 2012. In this CPU, 8 vulnerabilities reported by Onapsis affecting JD Edwards were fixed.

What’s really important about these vulnerabilities is that most of them are highly critical, enabling a remote unauthenticated attacker to fully compromise the ERP server just having network access to it.  I’m going to analyze some these vulnerabilities to shed some light on the real status of JD Edwards’ security. Most of these vulnerabilities are exploitable through the JDENET service, which is a proprietary protocol used by JDE for connecting the different servers.

Let’s take a look at the most interesting issues:

ONAPSIS-2012-001: Oracle JD Edwards JDENET Arbitrary File Write

Sending a specific packet in the JDENET message, an attacker can basically instruct the server to write an arbitrary content in an arbitrary location, leading to an arbitrary file write condition.

ONAPSIS-2012-002: Oracle JD Edwards Security Kernel Remote Password Disclosure

Sending a packet containing key hard-coded in the kernel, an attacker can “ask for” a user’s password (!)

ONAPSIS-2012-003: Oracle JD Edwards SawKernel Arbitrary File Read

An attacker can read any file, by connecting to the JDENET service.

ONAPSIS-2012-007: Oracle JD Edwards SawKernel SET_INI Configuration Modification Modifications to the server configuration (JDE.INI) can be performed remotely and without authentication. Several attacks are possible abusing this vulnerability.

ONAPSIS-2012-006: Oracle JD Edwards JDENET Large Packets Denial of Service

If an attacker sends packets larger than a specific size, then the server’s CPU start processing at 100% of its capacity. Game over.

As a “bonus” to this guest blog post, I would like to analyze a vulnerability related to the set of  security advisories we released back on April 2011 (many of them also critical). This vulnerability is the ONAPSIS-2011-07.

The exploitation of this weakness is very straight-forward, as the only thing an attacker needs to do is to send a packet to the JDENET command service (typically UDP port 6015) with the message “SHUTDOWN”, and all JD Edwards services are powered off! Business impact? None of the hundreds/thousands of the company’s employees that need the ERP system to do their every-day work will be able to do their job.

Some people still talk about ERP security as a synonym of Segregation of Duties controls. This is just an example of a high-impact Denial of Service attack that can be performed against the technical components of these systems. No user or password. No roles or authorizations.

Even worse, as UDP connections are stateless, it’s trivial for the attacker to forge its source and exploit the vulnerability potentially bypassing firewall filters.

Hope you enjoyed our post and I’d like to thank Enno, Florian and the great ERNW team for their kind invitation.

You can get more information about our work at www.onapsis.com

BTW: Meet Mariano Nuñez Di Croce, CEO of Onapsis at TROOPERS12 in about ten days! He will give a talk and also host a dedicated workshop on SAP security.