SESSION ID: CIN-T08

ERP Security 2016: Vulnerabilities, Threats and Trends. Expert Opinion

Dmitry
Lead ERP security analyst, ERPScan
@_chipik

Roman
Security Researcher, ERPScan
@0xalg

Agenda

Introduction
SAP Security
Oracle E-Business Suite security
Conclusion
Apply it


Introduction

Business application security

All business processes are generally contained in ERP systems.

Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want to steal is stored in a company's ERP. This information may include financial, customer or public relations data, intellectual property, personally identifiable information, and so on. Industrial espionage, sabotage, fraud or insider embezzlement can be very effective if targeted at a victim's ERP system, and can cause significant damage to the business.


CISO's responsibilities

What are the CISO's responsibilities?

Network security
Web application security
Endpoint security
Identity and access governance
SIEM
(all of the above: just detecting/preventing the initial intrusion)
Business application security (that's where a real attack happens)


Why hack ERP?

Espionage: to steal financial or HR data, supplier and customer lists, or disclose corporate secrets.

Sabotage: to cause denial of service, counterfeit financial records and accounting data, or access the technology network (SCADA).

Fraud: to carry out false transactions or modify master data.


Who are the cybercriminals?

Malicious Insiders:
Privileged users
Business partners, customers, suppliers, etc.
Third-party contractors and IT service providers

Advanced Persistent Threat Agents:
Extremely organized state-sponsored groups
Hacktivists

Competitors:
Head-hunters
Industrial spies
Trade secret thieves


SAP Systems Security: Introduction

SAP: Brief Overview

The most popular business application
More than 250 000 customers worldwide
83% of Forbes 500 companies run SAP
Main system: ERP


SAP Systems Security: Known Incidents

Latest news (timeline figure: 2012, 2013, 2014, 2015)


Why are SAP landscapes insecure?

Complex
Highly customized
Risky to update
Closed nature


Why are SAP landscapes insecure?


http://www.theregister.co.uk/2016/10/12/sap_resolves_authentication_bug/
http://www.theregister.co.uk/2016/06/15/sap_patch_batch_fixes_3_yr_old_vuln/
http://www.scmagazine.com/sap-patches-three-year-old-vulnerability-plus-20-more-flaws/article/503720/


Why are SAP landscapes insecure?

http://www.theregister.co.uk/2013/06/18/sap_users_slack_slow_and_backward_on_security/


SAP Systems Security: Common vulnerability statistics

How many vulnerabilities were found?

3700+ in all SAP products
2585 in SAP NetWeaver ABAP based systems
1300+ in basic components, which are the same for every system
About 350 in ECC modules

Top 10 vulnerabilities (chart: count per type, scale 0 to 800):
Cross-site scripting
Missing authorization
Directory traversal
Configuration issues
SQL injection
Information disclosure
Cross-site request forgery
Denial of service
Code injection
Hardcoded credentials
Other

More details here: https://goo.gl/Hr144b


Do SAP security talks matter?

YES!

A lot of talks about SAP security in:
U.S.
Germany
The Netherlands

These countries have more secure SAP systems


Where?

A lot of issues in different modules
Almost all types of industry can be attacked via vulnerable SAP modules


Where? (figure)

SAP Systems Security: Architecture

SAP NetWeaver in detail (architecture figure)

Variety of SAP Services

ABAP stack: Dispatcher, Gateway, Message Server, ICM, SAProuter
JAVA stack: HTTP, P4, SMD, LogViewer, SDM Admin


SAP Systems Security: Topmost critical vulnerabilities

Topmost critical SAP Vulnerabilities

SAP Gateway remote code execution
SAP JAVA CTC remote code execution
SAP JAVA P4 issues
SAP HANA TREXNET remote code execution

We compromise 10 out of 10 SAP servers using these issues during our SAP security audits


SAP Systems Security: Gateway Remote Code Execution

SAP Gateway Security

At a glance:
One of the core SAP services
Allows interaction with remote SAP systems and with other systems
Manages communication for all RFC-based functions


SAP Gateway Security

Gateway RFC (3 types):
ABAP RFC
Registered RFC Server Program
Started RFC Server Program


Started RFC programs: attacks (1)

Started programs install additional functions
Extend the functionality of SAP by running EXE files
A started program is executed by the Gateway on a remote host using a trust relationship, like RSH


Started RFC programs: attacks (2)

Security is configured by the secinfo file. Line format:
P|D TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]
Use a line of this format to allow the user <user> to start the <tp> program on the host <host>

Disabled by default!
In the latest versions SAP has the profile parameter gw/acl_mode=1

An attacker can execute any OS command without passing authentication


DEMO: Execution of OS command if ACL is missing

SAP Gateway: Defense

Enable secinfo and reginfo ACLs (don't use the wildcard *) or set gw/acl_mode=1
Enable gw/logging
Patch for the latest security notes
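The following Python checker is an added illustration (not ERPScan's or SAP's tooling): it parses a secinfo file in the line format shown on the previous slide and flags the two weaknesses the defense slide warns about, permit rules built on the * wildcard and the absence of a closing deny-all rule. It assumes first-match evaluation of the rules, accepts comma- or space-separated fields, and runs on a constructed sample file.

```python
import re
from collections import namedtuple

# Constructed sample secinfo contents in the line format from the slide:
# P|D TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]
SAMPLE_SECINFO = """\
#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
P TP=rfcexec USER=batchadm HOST=app01.internal USER-HOST=app01.internal
D TP=* USER=* HOST=* USER-HOST=*
"""

# Fields may be separated by commas or spaces; USER-HOST is optional as on the slide.
LINE_RE = re.compile(
    r"^(?P<action>[PD])\s+TP=(?P<tp>[^,\s]+)[,\s]+USER=(?P<user>[^,\s]+)[,\s]+"
    r"HOST=(?P<host>[^,\s]+)(?:[,\s]+USER-HOST=(?P<user_host>[^,\s]+))?\s*$"
)
# action is "P" (permit) or "D" (deny); tp is the program the gateway is asked to start.
Rule = namedtuple("Rule", "action tp user host user_host lineno")

def parse_secinfo(text):
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines, comments, #VERSION header
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unrecognised rule {line!r}")
        rules.append(Rule(m["action"], m["tp"], m["user"], m["host"], m["user_host"], n))
    return rules

def audit_secinfo(text):
    """Flag permit rules that rely on the * wildcard, and a missing closing deny-all.
    Assumes the gateway applies the first matching rule, so a wildcard permit near
    the top allows every start request no matter what follows."""
    findings = []
    rules = parse_secinfo(text)
    for r in rules:
        if r.action == "P" and any("*" in f for f in (r.tp, r.user, r.host)):
            findings.append(f"line {r.lineno}: permit rule uses wildcard "
                            f"(TP={r.tp}, USER={r.user}, HOST={r.host})")
    last = rules[-1] if rules else None
    if not (last and last.action == "D" and last.tp == "*" and last.host == "*"):
        findings.append("no final deny-all rule (D TP=* USER=* HOST=*)")
    return findings
```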


SAP Systems Security: JAVA CTC Remote Code Execution

SAP NetWeaver J2EE: Overview

Additional platform
Base platform for IT stuff: SAP Portal, SAP XI, SAP Solution Manager, SAP NWDS
Purpose: integration of different systems
If compromised:
Stoppage of all connected business processes
Fraud
Industrial espionage


SAP NetWeaver J2EE: InvokerServlet


InvokerServlet allows getting access to SAP services without a username and password
How does it work?
http://sapserver.com/VeryImportantService -> needs authentication
http://sapserver.com/servlet/VeryImportantService -> without authentication
What can an attacker do?
GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=<ANY_OS_CMD>


SAP NetWeaver JAVA: InvokerServlet

The Invoker Servlet contains a vulnerability which was patched by SAP in 2010
500+ systems over the world are still vulnerable


SAP NetWeaver JAVA: Defense

Update to the latest patch level that corresponds to your support package
Disable the vulnerable feature by changing the value of the EnableInvokerServletGlobally property of the JSP service on the server nodes to false
If you need an invoker servlet to be enabled for some applications, see SAP Security Note 1445998 for SAP NetWeaver Portal and SAP Security Note 1467771
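To give the defense a detection side, here is an added Python example (not SAP's own logging or tooling) that scans web-server access-log lines for the two request shapes shown on the InvokerServlet slide: any /servlet/<name> path, which bypasses declarative authentication, and ConfigServlet calls carrying EXECUTE_CMD. The log layout (client, method, target, status), the log lines, and the allowlist of explicitly mapped servlet paths are constructed assumptions to be tuned per landscape.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines in an assumed simplified layout
# "<client> <method> <request-target> <status>" (not SAP's own log format).
SAMPLE_LOG = """\
10.0.0.5 GET /irj/portal 200
10.0.0.9 GET /servlet/VeryImportantService 200
10.0.0.9 GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ANY_OS_CMD 200
10.0.0.7 GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default 200
10.0.0.9 GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig%3BEXECUTE_CMD%3BCMDLINE%3DANY_OS_CMD 403
"""

LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})$")
# "/servlet/<name>" is the invoker-servlet form that skips the application's auth mapping.
INVOKER_RE = re.compile(r"/servlet/[^/?]+")
# Explicitly mapped servlets whose URLs legitimately contain "/servlet/" (assumed allowlist,
# extend per landscape): the portal runtime path is the usual source of false positives.
KNOWN_MAPPED_PREFIXES = ("/irj/servlet/prt/",)

def classify_request(target):
    """Return (severity, reason) for a suspicious request target, or None."""
    url = urlsplit(target)
    query = unquote(url.query)  # decode %3B etc. before looking for EXECUTE_CMD
    if url.path.endswith("/ctc/servlet/ConfigServlet") and "EXECUTE_CMD" in query.upper():
        return "high", "ConfigServlet EXECUTE_CMD call through the invoker servlet"
    if url.path.startswith(KNOWN_MAPPED_PREFIXES):
        return None
    if INVOKER_RE.search(url.path):
        return "medium", "invoker servlet path (/servlet/<name>) bypasses declarative authentication"
    return None

def scan_log(text):
    """Collect findings from log lines. Non-2xx responses are still reported: a 403 shows
    the call was refused, but the attempt is exactly what the SOC should be alerted on."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hit = classify_request(m["target"])
        if hit:
            findings.append({"line": n, "client": m["client"], "status": int(m["status"]),
                             "severity": hit[0], "reason": hit[1]})
    return findings
```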


Conclusion on SAP Security

Defend your SAP

Easy steps:
Restrict access to the Gateway port / implement GW ACLs
Disable the Invoker Servlet
Restrict access to P4 and TREXnet ports
Restrict access to ALL unnecessary services

OK, you've improved your SAP servers

Make penetration testing great again!


Conclusion

Interest in SAP security is growing exponentially, and the numerous attacks play a significant role in driving this interest
SAP servers can remain unprotected for an extremely long time
Attackers must have SAP-specific knowledge to attack the latest versions of SAP servers
Prevent financial, operational and reputational losses by identifying and fixing vulnerabilities in SAP components


Oracle E-Business Suite Security: Introduction

Oracle E-Business Suite: Introduction

Includes: ERP, CRM, SCM, PLM

Used in:
Automotive
Aerospace and Defense
Engineering and Construction
Health Sciences and


Oracle E-Business Suite: Introduction

More than:
15000+ JSP pages
11600 OA Framework pages
4000 Oracle Forms and other core servlets, web services servlets

Still:
Complex
Risky to update
Unknown


Oracle E-Business Suite Security: Known Incidents

Latest News (figure)

Latest News

MICROS is among the top three point-of-sale vendors globally
Malicious code was detected in certain legacy MICROS systems
VISA published Indicators of Compromise in a VISA Security Alert


Oracle E-Business Suite Security: Common vulnerability statistics

Vulnerabilities in public resources

(Chart: number of EBS vulnerabilities per quarter, April 2011 to October 2016, y-axis 0 to 90)

How many vulnerabilities were found?

460+ in Oracle EBS

More information here: https://goo.gl/vyeKRX

Oracle E-Business Suite Security: Architecture

Oracle E-Business Suite: Architecture

Includes such technologies as: PL/SQL, JAVA, .NET, HTML, XML


Variety of EBS Services

Oracle Forms Server
Oracle Reports Server
Oracle Discoverer
Oracle Database Server
Oracle Forms Listener
Oracle Portal


Oracle E-Business Suite Security: Widespread security problems

Widespread EBS security problems

Having default users
Storing user passwords in an encrypted form (not hashed) by default
"FND : Diagnostics %" profile option is enabled


Oracle E-Business Suite Security: Default Users

Default Users: Information

Up to 300 database accounts
More than 40 seeded accounts
The number of default accounts increases along with the number of new product modules
Usually, the default password for every new account is the username


Default Users: Types

Database accounts
Business logic accounts
Accounts from business logic into the database

Default Users: Example (figure)

Default users: Attack scheme #1 (figure: desktop tier -> application tier -> database tier)

1. Using a default business logic account
2. Gaining access to applications with access to the DB
3. Sending SQL query
4. Response with sensitive information
5. Sending request to the Inquirer
5. Stealing private data

Default users: Attack scheme #2 (figure: desktop tier -> application tier (sqlnet) -> database tier)

1. Using a default database account
2. Stealing private data

Default users: Mitigation

Use Oracle's DBA_USERS_WITH_DEFPWD
Limit the number of users
Change default passwords
Use a unique password for every account


Oracle E-Business Suite Security: Password Decryption

Oracle EBS Password Decryption

Oracle EBS end-user application passwords are stored in an encrypted form, not hashed
Account passwords are stored in the `APP.FND_USER` table
The decryption procedure is well-known, documented and can easily be found on the Internet

Secure hashing of passwords is optional and must be enabled by the DBA
Disabled by default


USER's PASSWORD: `APP.FND_USER` table

USER_NAME | ENCRYPTED_FOUNDATION_PASSWD | ENCRYPTED_USER_PASSWD
GUEST | <encrypted blob, omitted> | <encrypted blob, omitted>
SYSADMIN | <encrypted blob, omitted> | <encrypted blob, omitted>
WIZARD | <encrypted blob, omitted> | <encrypted blob, omitted>

ENCRYPTED_FOUNDATION_PASSWD: the APPS password, encrypted using user name + user password
ENCRYPTED_USER_PASSWD: the user password, encrypted using the APPS password


Oracle EBS Password Decryption: Mitigation

Implement password hashing
Information from Oracle can be found in MOS Note 457166.1 "FNDCPASS Utility New Feature: Enhance Security With Non-Reversible Hash Password"

Password policy review
Validate system profile options related to passwords
Review application account creation and password reset workflows with the administrator
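The dependency the FND_USER slide describes (the APPS password encrypted under user name + user password, the user password encrypted under the APPS password) and the hashing mitigation above can be modelled side by side; the Python below is an added illustration, not Oracle's algorithm or the FNDCPASS implementation. A SHA-256 keystream XOR stands in for the reversible cipher and salted PBKDF2 stands in for the non-reversible hash mode, and the user names and passwords are constructed, so it shows the trust chain and why hashed storage only verifies, not the real EBS formats.

```python
import hashlib
import hmac
import os

# Stand-in reversible cipher (SHA-256 keystream XOR), constructed for this example.
# It is NOT Oracle's algorithm, only a model of "recoverable by whoever holds the key".
def _stream_xor(key, data):
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def store_reversible(user, user_pw, apps_pw):
    """Model of an APP.FND_USER row as the slide describes it: the APPS password encrypted
    under user name + user password, and the user password encrypted under APPS."""
    return {
        "USER_NAME": user,
        "ENCRYPTED_FOUNDATION_PASSWD": _stream_xor(user + user_pw, apps_pw.encode()).hex(),
        "ENCRYPTED_USER_PASSWD": _stream_xor(apps_pw, user_pw.encode()).hex(),
    }

def decrypt_foundation_password(row, user_pw):
    """The risk: one known user password (default, reused, phished) plus its own row
    yields the APPS password, and APPS in turn decrypts every other user's password."""
    cipher = bytes.fromhex(row["ENCRYPTED_FOUNDATION_PASSWD"])
    return _stream_xor(row["USER_NAME"] + user_pw, cipher).decode()

def decrypt_user_password(row, apps_pw):
    return _stream_xor(apps_pw, bytes.fromhex(row["ENCRYPTED_USER_PASSWD"])).decode()

def store_hashed(user, user_pw, salt=None):
    """The mitigation, modelled with salted PBKDF2 (a stand-in for the non-reversible hash
    mode the FNDCPASS note enables): the stored value can be checked but never inverted."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", user_pw.encode(), salt, 100_000)
    return {"USER_NAME": user, "SALT": salt.hex(), "HASH": digest.hex()}

def verify_hashed(row, candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(row["SALT"]), 100_000)
    return hmac.compare_digest(digest.hex(), row["HASH"])
```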


Oracle E-Business Suite Security: "FND : Diagnostics %" profile

"FND : Diagnostics %" profile

When the option is enabled (screenshot)

DEMO: Gain Administrator's privileges via the "FND : Diagnostics %" profile

"FND : Diagnostics %" profile: Mitigation

You should disable the "FND : Diagnostics %" profile:
For separate users
Fully (if it is unnecessary)

It is also good to:
Restrict access to the "FND : Diagnostics %" profile configuration


Oracle E-Business Suite Security: Conclusion

Defend your Oracle EBS

Cover immediate security issues:
Change default passwords
Implement password hashing
Disable access to "FND : Diagnostics %" profile configuration
Install the latest security patches from Oracle
Perform a comprehensive security audit


Conclusion:

Critical corporate data stored and processed in Oracle systems is vulnerable to numerous types of attacks
New vulnerabilities appear quite frequently; follow the latest security information closely
A comprehensive security assessment of your Oracle systems will help you determine the major areas of focus to secure the most critical assets from cyber-attacks


How to Improve Cyber Security Posture and Remediate Vulnerabilities?

ERP Security Posture

Security-related goals:
Compliance with external laws and regulations
Managed business risks
Business service continuity and availability

ERP security capabilities:
Predict: prepare for the future
Prevent: keep incidents from occurring
Detect: identify incident activity and, potentially, an intruder
React: fix, correct, recover and learn


Baseline ERP Security Capabilities


Predict: know your assets, assess risks
Prevent: choose controls, minimize attack surface
Detect: monitor vulnerabilities, recognize incidents
React: handle incidents, remediate vulnerabilities, report compliance


Heart of ERP Security

(Figure: Vulnerability Management at the center of the Predict, Prevent, Detect, React cycle)


How to Start?

1. Develop an ERP Security Initiative
2. Assess Current Security Posture
3. Choose an ERP Security Framework
4. Implement Vulnerability Management
5. Track Effectiveness


1. Develop an ERP Security Initiative

Goal: obtain management support
Steps:
1. Understand ERP-specific risks
2. Elicit compliance requirements
3. Measure value of information inside ERP system
4. Identify stakeholders and their needs
5. Present your security initiative and get management support


2. Assess Current Security Posture


Goal: gain insight into current state of ERP Security
Steps:
1. Conduct detailed ERP security audit
2. Assess business risks
3. Implement quick remediations
4. Identify critical areas of security
5. Outline action plan and present results to the board


3. Choose an ERP Security Framework

Goal: integrate ERP security into the business

ERP Security Architecture illustrates how the controls (processes, people and tools) should be integrated into the different layers of the current business environment
ERP Security Framework is guidance on how to build individual architectures
Steps:
1. Use IT department experience
2. Look at Zachman, TOGAF, SABSA and other well-known frameworks
3. Implement security controls


4. Implement a Vulnerability Management


Goal: build a continuous cycle of security improvement
Steps:
1. Elicit requirements for the process (legal, business and compliance)
2. Design the process structure, roles, interfaces, KPIs and SLAs
3. Identify assets and schedule vulnerability assessment
4. Monitor vulnerabilities
5. Prioritize vulnerability remediation
6. Test and deploy vulnerability remediations
7. Verify remediation


5. Track Effectiveness

Goal: improve ERP security capabilities
Steps:
1. Develop metrics for vulnerability management and
compliance
2. Collect data and report efficiency
3. Conduct a pentest
4. Review your initiative


Final Takeaways

Analyze your business sphere
Manage vulnerabilities
Handle incidents
Report compliance
Track effectiveness


Future trends and predictions

Healthcare ERP systems
POS global systems: Oracle, SAP
Cloud solutions
Internet of Things


Summary

An ERP system is critical infrastructure:
Stores valuable information
Is not secure by default
Is susceptible to various attacks
Is tempting for attackers

Well-timed remediation will reduce losses of different kinds