ERP Apps Often Left Exposed

Published: 22/11/2024   Category: security




Vulnerabilities in Oracle JD Edwards ERP applications are all exploitable by an unauthenticated attacker



Among Oracle's latest round of patches last month were eight flaws in its JD Edwards enterprise resource planning (ERP) applications, underscoring how ERP apps are often forgotten when it comes to security, overshadowed by database flaws and other worries.
The JDE application flaws may represent only a small fraction of the 78 bugs fixed in the update, but they illustrate a growing concern among security experts: ERP is emerging as a prime attack vector. Most enterprises don't consider their ERP apps a big target for attackers, and assume that segregation of duties is enough security for them.
ERP systems, which are tied to a database platform and often expose multiple interfaces to other applications, run sensitive business processes such as finance, sales, production, expenditures, billing, and payroll, so any targeted attack on them would be damaging both financially and to production, experts say.
"They are becoming targets because attackers are realizing that they are no longer a black box, and that they contain the most sensitive business information. So if you are a cybercriminal, why would you attack a regular Windows server if you can just take over the systems containing the company's most valuable data?" says Mariano Nuñez Di Croce, director of research and development for Onapsis, the firm that discovered the JDE flaws patched by Oracle as well as 12 additional flaws that the database giant has not yet fixed.
Nuñez Di Croce says companies think that by specifying segregation of duties among users of these apps, they are protecting them from a breach. "However, almost none of them realize that they need to secure the technological components of these platforms, which can let remote, anonymous attackers break into the systems and invalidate all the existing investments in securing them," he says.
The flaws Onapsis researcher Juan Pablo Perez Etchegoyen found speak to that problem: all of them can be exploited by unauthenticated attackers. They let the bad guys take control of the JDE app remotely, grab admin passwords, perform denial-of-service attacks, and disable logging for stealthier, cyberespionage-type attacks. The bugs include buffer overflows and a remote logging deactivation flaw. "All of these vulnerabilities can be exploited by unauthenticated attackers, which illustrates the fact that the vendors never expected these situations," Nuñez Di Croce says. "Instead of a legitimate component connecting to the ERP, it is an attacker who can craft the requests at his will. I think this is something the vendors have never expected in the past, and now we are just starting to [see them] pop ... up."
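The pattern Nuñez Di Croce describes, a service that handles whatever a connecting "component" sends because the vendor assumed only legitimate components would ever connect, is easier to see in code than in prose. The Python below is an added illustration written for this page; it is not JD Edwards code and not anything from Onapsis or Oracle. The message types (POST_INVOICE, DISABLE_LOGGING, READ_STORED_CREDENTIAL), the roles, the component key, the role directory and the stored password are all made up for the example. VulnerableErpService enforces segregation of duties at the business layer, but on roles the caller asserts, and answers the administrative messages (remote logging deactivation, reading a stored admin password) with no authentication at all, which is exactly the combination the article warns about. HardenedErpService binds every message to a session established by a challenge-response with the component's key, takes roles from a server-side directory, never serves the credential store over the wire, and writes security events to a log that no caller can switch off.

```python
"""Toy ERP dispatcher: open control plane vs. one that authenticates every request (constructed)."""
import hashlib
import hmac
import secrets

# Constructed assumptions: message types, roles, keys and the stored password are made up here.
STORED_ADMIN_PASSWORD = "constructed-admin-secret"
COMPONENT_KEYS = {"batch-server": b"constructed-key-1"}   # component -> shared secret
DIRECTORY = {"batch-server": {"AP_CLERK"}}                # server-side role assignments


class VulnerableErpService:
    """Assumes only legitimate components connect: SoD is checked on caller-asserted roles,
    and administrative messages need no authentication at all."""

    def __init__(self):
        self.logging_enabled = True
        self.audit = []

    def handle(self, msg):
        kind = msg.get("type")
        if self.logging_enabled:                        # an attacker can switch this off first
            self.audit.append((kind, msg.get("principal", "?")))
        if kind == "POST_INVOICE":
            if "AP_CLERK" not in msg.get("roles", []):  # SoD enforced on client-supplied roles
                return {"ok": False, "error": "role AP_CLERK required"}
            return {"ok": True}
        if kind == "DISABLE_LOGGING":                   # remote logging deactivation, no auth
            self.logging_enabled = False
            return {"ok": True}
        if kind == "READ_STORED_CREDENTIAL":            # stored password handed to anyone
            return {"ok": True, "password": STORED_ADMIN_PASSWORD}
        return {"ok": False, "error": "unknown message"}


class HardenedErpService:
    """Every message needs a session proven with the component's key; roles come from the
    server-side directory; credentials are never served; security events are always logged."""

    REQUIRED_ROLE = {"POST_INVOICE": "AP_CLERK", "DISABLE_LOGGING": "SEC_ADMIN"}

    def __init__(self):
        self.logging_enabled = True
        self.audit = []          # business log, may be paused by SEC_ADMIN
        self.security_log = []   # cannot be disabled by any caller
        self._challenges = {}    # principal -> outstanding one-time nonce
        self._sessions = {}      # token -> (principal, roles)

    def challenge(self, principal):
        self._challenges[principal] = secrets.token_bytes(16)
        return self._challenges[principal]

    def authenticate(self, principal, mac):
        nonce = self._challenges.pop(principal, None)   # single use: replays fail
        key = COMPONENT_KEYS.get(principal)
        if nonce is None or key is None or not hmac.compare_digest(
                hmac.new(key, principal.encode() + nonce, hashlib.sha256).digest(), mac):
            self.security_log.append(("AUTH_FAIL", principal))
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = (principal, set(DIRECTORY.get(principal, ())))
        return token

    def handle(self, msg):
        kind = msg.get("type")
        sess = self._sessions.get(msg.get("token"))
        if sess is None:
            self.security_log.append(("REJECT_UNAUTHENTICATED", kind))
            return {"ok": False, "error": "authentication required"}
        principal, roles = sess
        # Unknown types (READ_STORED_CREDENTIAL included) and missing roles both fail closed.
        if kind not in self.REQUIRED_ROLE or self.REQUIRED_ROLE[kind] not in roles:
            self.security_log.append(("REJECT_UNAUTHORIZED", kind, principal))
            return {"ok": False, "error": "not authorized"}
        if self.logging_enabled:
            self.audit.append((kind, principal))
        if kind == "DISABLE_LOGGING":
            self.security_log.append(("LOGGING_DISABLED_BY", principal))  # recorded regardless
            self.logging_enabled = False
        return {"ok": True}


def sign(principal, nonce):
    """Client side of the challenge-response, as a legitimate component would compute it."""
    return hmac.new(COMPONENT_KEYS[principal], principal.encode() + nonce, hashlib.sha256).digest()


def demo():
    """Send the same forged, credential-less traffic to both services and return the outcomes."""
    forged = [{"type": "DISABLE_LOGGING"},                     # constructed attacker messages
              {"type": "READ_STORED_CREDENTIAL"},
              {"type": "POST_INVOICE", "roles": ["AP_CLERK"]}]
    weak = VulnerableErpService()
    weak_results = [weak.handle(m) for m in forged]
    strong = HardenedErpService()
    strong_results = [strong.handle(m) for m in forged]
    token = strong.authenticate("batch-server", sign("batch-server", strong.challenge("batch-server")))
    legit = strong.handle({"token": token, "type": "POST_INVOICE"})
    escalate = strong.handle({"token": token, "type": "DISABLE_LOGGING"})  # AP_CLERK is not SEC_ADMIN
    return {"weak": weak_results, "weak_audit": weak.audit, "strong": strong_results,
            "legit": legit, "escalate": escalate, "security_log": strong.security_log}
```

demo() sends the same credential-less traffic to both services. The weak one first stops logging (so its own audit trail holds only that one entry), then hands over the stored password and posts an invoice on the strength of a role the attacker typed into the message. The hardened one rejects all three forged messages, accepts an invoice from the component that completed the challenge-response, and still refuses that same AP_CLERK session's attempt to disable logging, recording every denial in a log the caller cannot touch. Because challenge() hands out a one-time nonce, a MAC captured from a legitimate component is useless for replay.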
More than 95 percent of the ERP systems Onapsis has assessed for security could be exploited for targeted, cyberespionage-type attacks, for example. "Most of them have passed compliance requirements, such as SOX, PCI, and others," he says. "This just doesn't look right."
ERP vendors haven't focused thus far on securing their apps, mainly because they haven't yet really been under the microscope, nor have they felt the brunt of high-profile attacks. "It is a fact that making a software product more secure generally does not help sales as would a new feature for the product. So software vendors tend to focus more on new features or customer-reported bugs than on security. This is true unless there is a special need for security, but ERP vendors haven't received much attention from the software security industry and they haven't suffered from a massive attack as databases have with, for example, worms like Slammer," says Esteban Martinez Fayo, a security researcher with AppSec's TeamSHATTER.
Meanwhile, the bugs included in the latest Oracle Critical Patch Update last month give attackers free rein in the JDE apps. "One is a remote client execution where you can fully compromise the server and the database where the information is stored," Onapsis' Perez Etchegoyen says. "In another one, the attacker can remotely access passwords stored in a certain part of the application ... unauthenticated and remotely, [he] would be able to reconnect to the ERP and gain elevated privileges and do complex attacks."
While Oracle is fixing more bugs in its JD Edwards and PeopleSoft apps, AppSec's Martinez Fayo says it still needs to patch these flaws more quickly. "The advisories released by Onapsis show nothing new or highly advanced with regards to the type of vulnerabilities; on the contrary, these kinds of vulnerabilities are very well known and shouldn't be in a product like an ERP system," he says.
ERP applications are simpler to hack, he says, because their security is relatively weaker. "In the end, ERP systems are yet another way in which attackers can get into a database, so a company breach via ERP systems will most likely include hacking the database as well," he says.