SESSION ID: CIN-T08 #RSAC

ERP Security 2016: Vulnerabilities, Threats and Trends. Expert Opinion

Roman, Security Researcher, ERPScan, @0xalg

Dmitry, Lead ERP security analyst, ERPScan, @_chipik

Transcript

Page 1

SESSION ID: CIN-T08

#RSAC

ERP Security 2016: Vulnerabilities, Threats and Trends. Expert Opinion

Roman, Security Researcher, ERPScan, @0xalg

Dmitry, Lead ERP security analyst, ERPScan, @_chipik

Page 2

Agenda

Introduction

SAP Security

Oracle E-Business Suite security

Conclusion

Apply it

Page 3

Introduction

Page 4

Business application security

All business processes are generally contained in ERP systems.

Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want to steal is stored in a company’s ERP.

This information may include financial, customer or public relations data, intellectual property, personally identifiable information, and so on. Industrial espionage, sabotage, fraud or insider embezzlement can be very effective when targeted at a victim’s ERP system, and can cause significant damage to the business.

Page 5

CISO’s responsibilities

What are the CISO’s responsibilities?

Network security

Web Application security

Endpoint security

Identity and access governance

SIEM

Business application security

Network, web application and endpoint security, identity and access governance and SIEM are just about detecting or preventing the initial intrusion; business application security is where a real attack happens.

Page 6

Why hacking ERP?

Espionage

To steal financial or HR data, supplier and customer lists, or disclose corporate secrets.

Sabotage

To cause denial of service, counterfeit financial records and accounting data, or gain access to the technology network (SCADA).

Fraud

To carry out false transactions or modify master data.

Page 7

Who are the cybercriminals?

Malicious insiders: privileged users; business partners, customers, suppliers, etc.; third-party contractors and IT service providers

Advanced Persistent Threat agents: extremely organized state-sponsored groups; hacktivists

Competitors: head-hunters, industrial spies, trade secret thieves

Page 8

SAP systems security: Introduction

SAP Security

Page 9

SAP: Brief Overview

The most popular business application

More than 250 000 customers worldwide

83% of Forbes 500 companies run SAP

Main system – ERP

Page 10

SAP systems security: Known Incidents

SAP Security

Page 11

Latest news

Timeline of news headlines (shown as images on the slide): 2012, 2013, 2014, 2015

Page 12

Why are SAP landscapes insecure?

Complex

Highly customized

Risky to update

Closed nature

Page 13

Why are SAP landscapes insecure?

http://www.theregister.co.uk/2016/10/12/sap_resolves_authentication_bug/

http://www.theregister.co.uk/2016/06/15/sap_patch_batch_fixes_3_yr_old_vuln/

http://www.scmagazine.com/sap-patches-three-year-old-vulnerability-plus-20-more-flaws/article/503720/

Page 14

Why are SAP landscapes insecure?

http://www.theregister.co.uk/2013/06/18/sap_users_slack_slow_and_backward_on_security/

Page 15

SAP systems security: Common vulnerability statistics

SAP Security

Page 16

How many vulnerabilities were found?

3700+ in all SAP products

2585 in SAP NetWeaver ABAP based systems

1300+ in basic components, which are the same for every system

About 350 in ECC modules

More details here: https://goo.gl/Hr144b

Top 10 vulnerabilities (bar chart, counts from 0 to 800 per category): Hardcoded credentials, Other, Code injection, Denial of service, Cross-site request forgery, Information disclosure, SQL injection, Configuration issues, Directory traversal, Missing authorization, Cross-site scripting

Page 17

Do SAP security talks matter?

YES!

A lot of talks about SAP Security in:

U.S.

Germany

The Netherlands

These countries have more secure SAP systems

Page 18

Where?

A lot of issues in different modules

Almost all types of industry can be attacked via vulnerable SAP modules

Page 19

Where?

(Chart of affected modules and industries, not captured in the transcript)

Page 20

SAP systems security: Architecture

SAP Security

Page 21

SAP NetWeaver in details

(Architecture diagram, not captured in the transcript)

Page 22

Variety of SAP Services

ABAP: Dispatcher, Gateway, Message Server, ICM, SAProuter

JAVA: HTTP, P4, SMD, LogViewer, SDM Admin

Page 23

SAP systems security: Topmost critical vulnerabilities

SAP Security

Page 24

Topmost critical SAP Vulnerabilities

SAP Gateway Remote code execution

SAP JAVA CTC Remote code execution

SAP JAVA P4 issues

SAP HANA TREXNET Remote code execution

We compromise 10 out of 10 SAP servers using these issues during our SAP security audits

Page 25

SAP systems security: Gateway Remote Code Execution

SAP Security

Page 26

SAP Gateway Security

At a glance: one of the core SAP services

Allows interaction with remote SAP systems and with other systems

Manages communication for all RFC based functions

Page 27

SAP Gateway Security

Gateway RFC (3 types)

ABAP RFC

Registered RFC Server Program

Started RFC Server Program

Page 28

Started RFC programs – attacks 1

Started programs install additional functions

Extend functionality of SAP by running EXE files

Started program is executed by Gateway on a remote host using a trust relationship, like RSH

Page 29

Started RFC programs – attacks 2

Security is configured by the secinfo file:

TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]

P|D TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]

Use a line of this format to allow the user <user> to start the <tp> program on the host <host>

Disabled by default! In latest versions SAP has the profile parameter gw/acl_mode=1

An attacker can execute any OS command without passing authentication

Page 30

DEMO: Execution of OS command if ACL is missing

SAP Security

Page 31

SAP Gateway: Defense

Enable Secinfo and Reginfo ACL (don’t use wildcard *) or set gw/acl_mode=1

Enable gw/logging

Patch for the latest security notes
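As an added example (not from the talk and not SAP's code), the following Python checker parses secinfo-style lines in the format quoted on the "attacks 2" slide, evaluates whether a given start-program request would be permitted, and flags permit rules that rely on the wildcard `*` the defense slide warns against. The sample secinfo content, the simplified matching (a bare `*` or an absent field matches anything, otherwise exact case-insensitive comparison) and the modelling of gw/acl_mode for an empty ACL are assumptions.

```python
"""Offline audit of SAP Gateway secinfo-style ACL lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Rule format quoted in the talk:
#   P|D TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]
# Lines without the leading P|D (older format) are treated as permit rules.
RULE_RE = re.compile(r"^(?:(?P<action>[PD])\s+)?(?P<body>.*\S)$")


@dataclass
class Rule:
    action: str                       # "P" permit or "D" deny
    tp: str                           # program the caller asks the gateway to start
    user: str                         # user making the request
    host: str                         # host on which the program would be started
    user_host: Optional[str] = None   # host the request comes from; None = not given


def parse_secinfo(text: str) -> List[Rule]:
    """Parse secinfo text; blank lines and '#' lines (comments, #VERSION) are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        fields = {}
        for part in m.group("body").split(","):
            key, _, value = part.strip().partition("=")
            fields[key.strip().upper()] = value.strip()
        if not {"TP", "USER", "HOST"} <= fields.keys():
            raise ValueError(f"malformed secinfo line: {raw!r}")
        rules.append(Rule(action=m.group("action") or "P",
                          tp=fields["TP"], user=fields["USER"], host=fields["HOST"],
                          user_host=fields.get("USER-HOST")))
    return rules


def _match(pattern: Optional[str], value: str) -> bool:
    """Simplified matcher (assumption): a bare '*' or an absent field matches anything."""
    return pattern is None or pattern == "*" or pattern.lower() == value.lower()


def evaluate(rules: List[Rule], tp: str, user: str, host: str,
             user_host: str, acl_mode: int = 0) -> str:
    """Decide 'P' or 'D' for a start-program request; the first matching rule wins.

    With no secinfo rules at all the outcome is modelled after the talk: with
    gw/acl_mode=0 (the insecure default) everything is permitted, with
    gw/acl_mode=1 the request is denied.  A non-empty ACL with no match denies.
    """
    for r in rules:
        if (_match(r.tp, tp) and _match(r.user, user)
                and _match(r.host, host) and _match(r.user_host, user_host)):
            return r.action
    if not rules:
        return "D" if acl_mode == 1 else "P"
    return "D"


def audit(rules: List[Rule]) -> List[str]:
    """Report permit rules that use '*' in any field (the talk: don't use wildcard *)."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.action != "P":
            continue
        wild = [name for name, val in (("TP", r.tp), ("USER", r.user),
                                       ("HOST", r.host), ("USER-HOST", r.user_host))
                if val == "*"]
        if wild:
            findings.append(f"rule {i}: permit rule uses wildcard in {', '.join(wild)}")
    return findings


# Constructed sample secinfo content (not from a real system): rule 2 is the
# catch-all permit that makes the ACL equivalent to having none at all.
SAMPLE_SECINFO = """\
#VERSION=2
P TP=/usr/sap/DEV/SYS/exe/run/rfcexec, USER=devadm, HOST=local, USER-HOST=local
P TP=*, USER=*, HOST=*
D TP=*, USER=*, HOST=*
"""

if __name__ == "__main__":
    rules = parse_secinfo(SAMPLE_SECINFO)
    for finding in audit(rules):
        print(finding)
    print("unknown program from unknown host:",
          evaluate(rules, "/bin/sh", "anyone", "local", "10.0.0.5"))
```

Removing rule 2 turns the same request into a deny, which is the effect of replacing wildcard entries with explicit ones.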

Page 32

SAP systems security: JAVA CTC Remote Code Execution

SAP Security

Page 33

SAP NetWeaver J2EE: Overview

Additional platform

Base platform for IT stuff: SAP Portal, SAP XI, SAP Solution Manager, SAP NWDS

Purpose: integration of different systems

If compromised: stoppage of all connected business processes, fraud, industrial espionage

Page 34

SAP NetWeaver J2EE: InvokerServlet

InvokerServlet allows getting access to SAP services without a username and password

How does it work?

http://sapserver.com/VeryImportantService -> needs authentication

http://sapserver.com/servlet/VeryImportantService -> without authentication

What can an attacker do?

GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=<ANY_OS_CMD>

Page 35

SAP NetWeaver JAVA: InvokerServlet

The Invoker Servlet contains a vulnerability, which was patched by SAP in 2010

500+ systems over the world are still vulnerable

Page 36

SAP NetWeaver JAVA: Defense

Update to the latest patch level that corresponds to your support package

Disable the vulnerable feature by changing the value of the “EnableInvokerServletGlobally” property of the JSP service on the server nodes to “false”

If you need an invoker servlet to be enabled for some applications, see SAP Security Note 1445998 for SAP NetWeaver Portal and SAP Security Note 1467771
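Beyond disabling the feature, a defender wants to know whether the /servlet/ route was ever used. The following Python detection pass, an added example that is not from the talk or from SAP, classifies HTTP access-log lines: any request that reaches a servlet class directly through the /servlet/ route is flagged, and the CTC ConfigServlet request with EXECUTE_CMD shown on the slide is flagged as high severity, together with whether the server actually served it. The log lines are constructed, and Common Log Format is an assumption about the log source.

```python
"""Detection pass over HTTP access-log lines for Invoker Servlet requests (added example)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Common Log Format is an assumption about the log source; adapt the regex to the
# real ICM / Java HTTP provider log layout before use.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify(target: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a request target, or None if it is unremarkable."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = unquote(parts.query)
    segments = [s.lower() for s in path.split("/") if s]
    if "servlet" not in segments:
        return None
    # /ctc/servlet/ConfigServlet with EXECUTE_CMD is the OS-command case shown in the talk
    if "configservlet" in segments and "execute_cmd" in query.lower():
        return ("high", "CTC ConfigServlet reached via invoker servlet with EXECUTE_CMD")
    # Any /servlet/<class> route is the path that bypasses the declarative authentication
    return ("medium", "servlet class invoked directly via /servlet/ route")


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Classify each parseable log line; 'succeeded' records whether the server served it."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        hit = classify(m.group("target"))
        if hit is None:
            continue
        severity, reason = hit
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"), "time": m.group("ts"), "target": m.group("target"),
            "status": status, "succeeded": status < 400,
            "severity": severity, "reason": reason,
        })
    return findings


# Constructed sample log lines (not real traffic); the CMDLINE value is redacted.
# Line 3 was served (200), line 4 was refused (403) as expected after the fix.
SAMPLE_LOG = [
    '10.1.2.3 - - [12/Oct/2016:10:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '10.1.2.3 - - [12/Oct/2016:10:00:05 +0000] "GET /servlet/com.example.VeryImportantService HTTP/1.1" 200 812',
    '198.51.100.7 - - [12/Oct/2016:10:01:40 +0000] "GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=REDACTED HTTP/1.1" 200 233',
    '198.51.100.7 - - [12/Oct/2016:10:02:00 +0000] "GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=REDACTED HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        state = "served" if f["succeeded"] else "blocked"
        print(f'{f["severity"]:6} {state:7} {f["ip"]:14} {f["target"]}')
```

A high-severity hit with `succeeded` true on a system that should already have the invoker servlet disabled is an incident, not a scan artefact.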

Page 37

Conclusion on SAP Security

SAP Security

Page 38

Defend your SAP

Easy steps:

Restrict access to Gateway port / implement GW ACLs

Disable Invoker Servlet

Restrict access to P4 and TREXnet ports

Restrict access to ALL unnecessary services

OK, you’ve improved your SAP servers

Make penetration testing great again!

Page 39

Conclusion

Interest in SAP security is growing exponentially and the numerous attacks play a significant role in driving this interest

SAP servers can be unprotected for an extremely long time

Attackers must have SAP-specific knowledge to attack the latest versions of SAP servers

Prevent financial, operational and reputational losses by identifying and fixing vulnerabilities in SAP components

Page 40

Oracle E-Business Suite security: Introduction

Oracle Security

Page 41

Oracle E-Business Suite: Introduction

Includes: ERP, CRM, SCM, PLM

Used in:

Automotive

Aerospace and Defense

Engineering and Construction

Health Sciences and …

Page 42

Oracle E-Business Suite: Introduction

More than:

15000+ JSP pages

11600 OA Framework pages

4000 Oracle Forms and other Core Servlets, Web Services Servlets

Still:

Complex

Risky to update

Unknown

Page 43

Oracle E-Business Suite security: Known Incidents

Oracle Security

Page 44

Latest News

(News headline screenshots, not captured in the transcript)

Page 45

Latest News

MICROS is among the top three point-of-sale vendors globally

Malicious code was detected in certain legacy MICROS systems

VISA published Indicators of Compromise in “VISA Security Alert”

Page 46

Oracle E-Business Suite security: Common vulnerability statistics

Oracle Security

Page 47

Vulnerabilities in Public resources

(Chart, not captured in the transcript)

Page 48

How many vulnerabilities were found?

460+ in Oracle EBS

Chart: Number of EBS vulnerabilities per quarter, April 2011 to October 2016 (y-axis 0 to 90)

More information here: https://goo.gl/vyeKRX

Page 49

Oracle E-Business Suite security: Architecture

Oracle Security

Page 50

Oracle E-Business Suite: Architecture

Includes such technologies as:

PL/SQL

JAVA

.NET

HTML

XML

Page 51

Variety of EBS Services

Oracle Forms Server

Oracle Reports Server

Oracle Discoverer

Oracle Database Server

Oracle Forms Listener

Oracle Portal…

Page 52

Oracle E-Business Suite security: Widespread security problems

Oracle Security

Page 53

Widespread EBS security problems

Having default users

Storing user passwords in an encrypted form by default (not hashed)

"FND : Diagnostics %" profile option is enabled

Page 54

Oracle E-Business Suite security: Default Users

Oracle Security

Page 55

Default Users: Information

Up to 300 database accounts

More than 40 seeded accounts

The number of default accounts increases along with the number of new product modules

Usually, the default password for every new account is the username

Page 56

Default Users: Types

Database accounts

Business logic accounts

Accounts from business logic into database

Page 57

Default Users: Example

(Table of default accounts, not captured in the transcript)

Page 58

Default users: Attack scheme #1

Diagram across three tiers: Desktop tier (attacker, labelled "Evil"), Application tier, Database tier

1. Using default business logic account

2. Gaining access to Applications with the access to DB

3. Sending SQL query

4. Response with sensitive information

5. Sending request to the Inquirer

5. Stealing private data

Page 59

Default users: Attack scheme #2

Diagram across three tiers: Desktop tier (attacker, labelled "Evil"), Application tier (Applications), Database tier (reached over sqlnet)

1. Using default database account

2. Stealing private data

Page 60

Default users: Mitigation

Use Oracle’s DBA_USERS_WITH_DEFPWD

Limit the number of users

Change default passwords

Use a unique password for every account

Page 61

Oracle E-Business Suite security: Password Decryption

Oracle Security

Page 62

Oracle EBS Password Decryption

Oracle EBS end-user application passwords are stored in an encrypted form, not hashed

Account passwords are stored in the `APP.FND_USER` table

The decryption procedure is well-known, documented and can easily be found on the Internet

Secure hashing of passwords is optional and must be enabled by the DBA

Disabled by default

Page 63

USER’s PASSWORD: `APP.FND_USER` table

USER_NAME | ENCRYPTED_FOUNDATION_PASSWD | ENCRYPTED_USER_PASSWD
GUEST | ZG6EBD472D1208B0CDC78D7EC7730F9B249496F825E761BA3EB2FEBB54F6915FADA757EF4558CF438CF55D23FE32BE0BE52E | ZG6C08D49D524A1551A3068977328B1AFD260400FB598E799A3A8BAE573777E7EE7262D1730366E6 709524C95EC6BFA0DA06
SYSADMIN | ZH39A396EDCA4CA7C8D5395D94D8C915510C0C90DA198EC9CDA15879E8B547B9CDA034575D289590968F1B 6B38A1E654DD98 | ZHF57EAF37B1936C56755B134DE7C83AE40CADDD4AA83B1D7455E5533DC041773B494D2AA04644FB 5A514E5C5614F3C87888
WIZARD | ZG2744DCFCCFFA381B994D2C3F7ADACF68DF433BADF59CF6C3DAB3C35A11AAAB2674C2189DCA040C4C81D2 CE41C2BB82BFC6 | ZGE9AAA974FB46BC76674510456C739564546F2A0154DCF9EBF2AA49FBF58C759283C7E288CC6730 44036E284042A8FE4451

ENCRYPTED_FOUNDATION_PASSWD: the APPS password encrypted with user name + user password

ENCRYPTED_USER_PASSWD: the user password encrypted using the APPS password

Page 64

Oracle EBS Password Decryption: Mitigation

Implement password hashing: information from Oracle can be found in MOS Note 457166.1 "FNDCPASS Utility New Feature: Enhance Security With Non-Reversible Hash Password"

Password policy review: validate the System Profile Options relating to passwords

Review application account creation and password reset workflows with the administrator

Page 65

Oracle E-Business Suite security: "FND : Diagnostics %" profile

Oracle Security

Page 66

"FND : Diagnostics %" profile: when the option is enabled (screenshot, not captured in the transcript)

Page 67

DEMO: Gain Administrator privileges via the "FND : Diagnostics %" profile

Oracle Security

Page 68

"FND : Diagnostics %" profile: Mitigation

You should disable the "FND : Diagnostics %" profile:

For separate users

Fully (in case it is unnecessary)

It is also good to restrict access to the "FND : Diagnostics %" profile configuration

Page 69

Oracle E-Business Suite security: Conclusion

Oracle Security

Page 70

Defend your Oracle EBS

Cover immediate security issues:

Change default passwords

Implement password hashing

Disable access to "FND : Diagnostics %" profile configuration

Install latest security patches from Oracle

Perform comprehensive security audit

Page 71

Conclusion:

Critical corporate data stored and processed in Oracle systems is vulnerable to numerous types of attacks

New vulnerabilities appear quite frequently. Follow the latest security information closely

A comprehensive security assessment of your Oracle systems will help you determine the major areas of focus to secure the most critical assets from cyber-attacks

Page 72

How to Improve Cyber Security Posture and Remediate Vulnerabilities?

Page 73

ERP Security Posture

Security-related goals:

Compliance with external laws and regulations

Managed business risks

Business service continuity and availability

ERP Security Capabilities:

Predict: prepare for the future

Prevent: avoid incidents from occurring

Detect: identify an incident’s activities and potentially the intruder

React: fix, correct, recover and learn

Page 74

Baseline ERP Security Capabilities

Predict: know your assets; assess risks

Prevent: choose controls; minimize attack surface

Detect: monitor vulnerabilities; recognize incidents

React: handle incidents; remediate vulnerabilities; report compliance

Page 75

Heart of ERP Security

Vulnerability Management, at the centre of the Predict, Prevent, Detect and React cycle

Page 76

How to Start?

1. Develop an ERP Security Initiative

2. Assess Current Security Posture

3. Choose an ERP Security Framework

4. Implement a Vulnerability Management

5. Track Effectiveness

Page 77

1. Develop an ERP Security Initiative

Goal: obtain management support

Steps:

1. Understand ERP-specific risks

2. Elicit compliance requirements

3. Measure value of information inside ERP system

4. Identify stakeholders and their needs

5. Present your security initiative and get management support

Page 78

2. Assess Current Security Posture

Goal: gain insight into current state of ERP Security

Steps:

1. Conduct detailed ERP security audit

2. Assess business risks

3. Implement quick remediations

4. Identify critical areas of security

5. Outline action plan and present results to the board

Page 79

3. Choose an ERP Security Framework

Goal: integrate ERP security into business

ERP Security Architecture illustrates how the controls (processes, people and tools) should be integrated into different layers of the current business environment

ERP Security Framework is guidance on how to build individual architectures

Steps:

1. Use IT department experience

2. Look at Zachman, TOGAF, SABSA and other well-known frameworks

3. Implement security controls

Page 80

4. Implement a Vulnerability Management

Goal: establish a continuous cycle of security improvement

Steps:

1. Elicit requirements for the process (legal, business and compliance)

2. Design the process structure, roles, interfaces, KPIs and SLAs

3. Identify assets and schedule vulnerability assessment

4. Monitor vulnerabilities

5. Prioritize vulnerability remediation

6. Test and deploy vulnerability remediations

7. Verify remediation

Page 81

5. Track Effectiveness

Goal: improve ERP Security capabilities

Steps:

1. Develop metrics for vulnerability management and compliance

2. Collect data and report efficiency

3. Conduct a pentest

4. Review your initiative

Page 82

Final Takeaways

Analyze your business sphere

Manage vulnerabilities

Handle incidents

Report compliance

Track effectiveness

Page 83

Future trends and predictions

Page 84

Future trends and predictions

Healthcare ERP Systems

POS global systems: Oracle, SAP

Cloud solutions

Internet of Things

Page 85

Summary

Page 86

Summary

An ERP system is critical infrastructure: it stores valuable information

By default it is not secure

Susceptible to various attacks

Tempting for attackers

Well-timed remediation will reduce different losses
