ERP Security 2016: Vulnerabilities, Threats and Trends. Expert Opinion
Session ID: CIN-T08
#RSAC
Roman, Security Researcher, ERPScan, @0xalg
Dmitry, Lead ERP security analyst, ERPScan, @_chipik
Agenda
Introduction
SAP Security
Oracle E-Business Suite security
Conclusion
Apply it
Introduction
Business application security
All business processes are generally contained in ERP systems.
Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want to steal, is stored in a company’s ERP.
This information may include financial, customer or public relations, intellectual property, personally identifiable information, and so on. Industrial espionage, sabotage, fraud or insider embezzlement may be very effective, if targeted at a victim’s ERP system and cause significant damage to the business.
CISO’s responsibilities
What are the CISO’s responsibilities?
Network security
Web Application security
Endpoint security
Identity and access governance
SIEM
-> these only detect/prevent the initial intrusion
Business application security
-> that's where a real attack happens
Why hack ERP?
Espionage
To steal financial or HR data, supplier and customer lists or disclose corporate secrets.
Sabotage
To cause denial of service, counterfeit financial records and accounting data, access technology network (SCADA)
Fraud
To carry out false transactions, modify master data
Who are the cybercriminals?
Malicious Insiders: privileged users; business partners, customers, suppliers, etc.; third-party contractors and IT service providers
Advanced Persistent Threat Agents: extremely organized state-sponsored groups; hacktivists
Competitors: head-hunters; industrial spies; trade secret thieves
SAP Systems Security: Introduction
SAP: Brief Overview
The most popular business application
More than 250 000 customers worldwide
83% Forbes 500 companies run SAP
Main system – ERP
SAP Systems Security: Known Incidents
Latest news: incidents from 2012, 2013, 2014 and 2015 (news screenshots)
Why are SAP landscapes insecure?
Complex
Highly customized
Risky to update
Closed nature
Why are SAP landscapes insecure?
http://www.theregister.co.uk/2016/10/12/sap_resolves_authentication_bug/
http://www.theregister.co.uk/2016/06/15/sap_patch_batch_fixes_3_yr_old_vuln/
http://www.scmagazine.com/sap-patches-three-year-old-vulnerability-plus-20-more-flaws/article/503720/
Why are SAP landscapes insecure?
http://www.theregister.co.uk/2013/06/18/sap_users_slack_slow_and_backward_on_security/
SAP Systems Security: Common vulnerability statistics
How many vulnerabilities were found?
Top 10 vulnerabilities
3700+ in all SAP products
2585 in SAP NetWeaver ABAP based systems
1300+ in basic components, which are the same for every system
About 350 in ECC modules
More details here: https://goo.gl/Hr144b0
Bar chart of vulnerability types (counts per type, axis 0 to 800): Hardcoded credentials, Other, Code injection, Denial of service, Cross-site request forgery, Information disclosure, SQL injection, Configuration issues, Directory traversal, Missing authorization, Cross-site scripting
Do SAP security talks matter?
YES!
A lot of talks about SAP Security in
U.S.
Germany
The Netherlands
These countries have more secure SAP systems
Where?
A lot of issues in different modules
Almost all types of industry can be attacked via vulnerable SAP modules
Where?
SAP Systems Security: Architecture
SAP NetWeaver in details
Variety of SAP Services
ABAP: Dispatcher, Gateway, Message Server, ICM, SAProuter
JAVA: HTTP, P4, SMD, LogViewer, SDM Admin
SAP Systems Security: Topmost critical vulnerabilities
Topmost critical SAP Vulnerabilities
SAP Gateway Remote code execution
SAP JAVA CTC Remote code execution
SAP JAVA P4 issues
SAP HANA TREXNET Remote code execution
We compromise 10 out of 10 SAP servers using these issues during our SAP security audits
SAP Systems Security: Gateway Remote Code Execution
SAP Gateway Security
At a glance:
One of the core SAP services
Allows interaction with remote SAP systems and with other systems
Manages communication for all RFC based functions
SAP Gateway Security
Gateway RFC (3 types)
ABAP RFC
Registered RFC Server Program
Started RFC Server Program
Started RFC programs – attacks 1
Started programs install additional functions
Extend functionality of SAP by running EXE files
Started program is executed by Gateway on a remote host using trust relationship, like RSH
Started RFC programs – attacks 2
Security is configured by the secinfo file. Line formats:
TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]
P|D TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]
Use a line of this format to allow the user <user> to start the <tp> program on the host <host>
Disabled by default! In the latest versions SAP has the profile parameter gw/acl_mode=1
An attacker can execute any OS command without passing authentication
DEMO: Execution of OS command if ACL is missing
SAP Gateway: Defense
Enable Secinfo and Reginfo ACL (don't use the wildcard *) or set gw/acl_mode=1
Enable gw/logging
Patch for the latest security notes
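As an added illustration of the secinfo line format and the gw/acl_mode parameter described above (this script is not part of the presentation and is not an SAP tool), the following audit parses a secinfo file, flags permit lines that use the wildcard *, and classifies the Gateway's exposure as OPEN, WEAK or RESTRICTED; the sample ACL, the profile dictionary and the function names are the example's own assumptions.

```python
import re
# Rule syntax quoted on the slide:
#   P|D TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]
# P permits, D denies; a line without the P/D prefix (old syntax) is read
# as a permit, and lines starting with '#' are comments.
_FIELD = re.compile(r"(USER-HOST|TP|USER|HOST)=([^,\s]+)")

def parse_secinfo(text):
    """Parse secinfo text into a list of {'action': 'P'|'D', 'TP': ..., ...}."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action = "P"
        if line[:2] in ("P ", "D "):
            action, line = line[0], line[2:]
        rule = {"action": action}
        rule.update(_FIELD.findall(line))
        rules.append(rule)
    return rules

def wildcard_permits(rules):
    """Permit rules whose TP, USER or HOST is '*' (a missing field is
    treated as '*' here, conservatively): the wildcard the slide warns about."""
    hits = []
    for rule in rules:
        if rule["action"] != "P":
            continue
        wild = [k for k in ("TP", "USER", "HOST") if rule.get(k, "*") == "*"]
        if wild:
            hits.append((rule, wild))
    return hits

def gateway_acl_status(secinfo_text, profile):
    """OPEN: no ACL and gw/acl_mode is not 1 (the slide's default: any OS
    command without authentication); WEAK: ACL with wildcard permits;
    RESTRICTED otherwise. profile maps parameter names to values."""
    rules = parse_secinfo(secinfo_text) if secinfo_text else []
    if not rules:
        return "RESTRICTED" if profile.get("gw/acl_mode") == "1" else "OPEN"
    return "WEAK" if wildcard_permits(rules) else "RESTRICTED"

# Constructed sample ACL, not taken from a real system.
SAMPLE_SECINFO = """#VERSION=2
P TP=/usr/sap/PRD/rfcexec, USER=prdadm, HOST=apphost01, USER-HOST=apphost01
P TP=*, USER=*, HOST=*
D TP=*, USER=*, HOST=*
"""
```

Running `gateway_acl_status(SAMPLE_SECINFO, {"gw/acl_mode": "0"})` returns WEAK because of the second permit line; the trailing deny line does not help, since the wildcard permit before it already matches everything.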
SAP Systems Security: JAVA CTC Remote Code Execution
SAP NetWeaver J2EE: Overview
Additional platform
Base platform for IT stuff: SAP Portal, SAP XI, SAP Solution Manager, SAP NWDS
Purpose: integration of different systems
If compromised: stoppage of all connected business processes; fraud; industrial espionage
SAP NetWeaver J2EE: InvokerServlet
InvokerServlet allows getting access to SAP services without a username and password
How does it work?
http://sapserver.com/VeryImportantService -> needs authentication
http://sapserver.com/servlet/VeryImportantService -> without authentication
What can an attacker do?
GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=<ANY_OS_CMD>
SAP NetWeaver JAVA: InvokerServlet
The Invoker Servlet contains a vulnerability, which was patched by SAP in 2010
500+ systems around the world are still vulnerable
SAP NetWeaver JAVA: Defense
Update to the latest patch level that corresponds to your support package
Disable the vulnerable feature by changing the value of the “EnableInvokerServletGlobally” property of the JSP service on the server nodes to “false”
If you need the invoker servlet enabled for some applications, see SAP Security Note 1445998 for SAP NetWeaver Portal and SAP Security Note 1467771
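To show how the invoker-servlet behaviour described on the previous slides can be detected and the mitigation above verified, here is an added example (not from the presentation or from SAP): it scans constructed web-server access-log lines for requests that use the /servlet/ path, rates the CTC ConfigServlet EXECUTE_CMD request as critical, and checks the EnableInvokerServletGlobally property; the log format, IP addresses and function names are assumptions of the example.

```python
import re
from urllib.parse import unquote, urlsplit

# One access-log line in common log format; only the fields we need.
_REQ = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(target):
    """Return (severity, reason) for a request target that goes through the
    invoker servlet (/servlet/<name> path), or None when it does not."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/servlet/" not in path:
        return None
    if path.endswith("/ctc/servlet/ConfigServlet"):
        # The slide's RCE request: FileSystemConfig;EXECUTE_CMD;CMDLINE=...
        if "EXECUTE_CMD" in unquote(parts.query):
            return ("critical", "CTC ConfigServlet OS command execution via invoker path")
        return ("high", "CTC ConfigServlet reached via invoker path")
    return ("medium", "servlet invoked by name via /servlet/ (bypasses web.xml authentication)")

def scan_log(text):
    """Findings for every request that used the invoker servlet path."""
    findings = []
    for line in text.splitlines():
        m = _REQ.match(line)
        if not m:
            continue
        hit = classify_request(m["target"])
        if hit:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "severity": hit[0], "reason": hit[1],
                             "target": m["target"]})
    return findings

def invoker_servlet_enabled(jsp_service_props):
    """Config check for the mitigation on this slide: the JSP service property
    EnableInvokerServletGlobally must be 'false'; a missing value is reported
    as enabled so that it gets looked at."""
    return jsp_service_props.get("EnableInvokerServletGlobally", "").lower() != "false"

# Constructed sample log lines (not from a real system); CMDLINE is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2016:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
10.0.0.5 - - [12/Oct/2016:10:01:05 +0000] "GET /VeryImportantService HTTP/1.1" 401 0
10.0.0.9 - - [12/Oct/2016:10:01:07 +0000] "GET /servlet/VeryImportantService HTTP/1.1" 200 812
10.0.0.9 - - [12/Oct/2016:10:01:09 +0000] "GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=PLACEHOLDER HTTP/1.1" 200 240
"""
```

A status of 200 on a /servlet/ finding is the signal that the request was served without the authentication the direct path (/VeryImportantService, 401 above) enforces.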
Conclusion on SAP Security
Defend your SAP
Easy steps:
Restrict access to the Gateway port / implement GW ACLs
Disable Invoker Servlet
Restrict access to P4 and TREXnet ports
Restrict access to ALL unnecessary services
OK, you’ve improved your SAP servers
Make penetration testing great again!
Conclusion
Interest in SAP security is growing exponentially and the numerous attacks play a significant role in driving this interest
SAP servers can be unprotected for an extremely long time
Attackers must have SAP-specific knowledge to attack the latest versions of SAP servers
Prevent financial, operational and reputational losses by identifying and fixing vulnerabilities in SAP components
Oracle E-Business Suite Security: Introduction
Oracle E-Business Suite: Introduction
Includes: ERP, CRM, SCM, PLM
Used in:
Automotive
Aerospace and Defense
Engineering and Construction
Health Sciences and …
Oracle E-Business Suite: Introduction
More than:
15000+ JSP pages
11600 OA Framework pages
4000 Oracle Forms and other Core Servlets, Web Services Servlets
Still:
Complex
Risky to update
Unknown
Oracle E-Business Suite Security: Known Incidents
Latest News
Latest News
MICROS is among the top three point-of-sale vendors globally
Malicious code was detected in certain legacy MICROS systems
VISA published Indicators of Compromise in “VISA Security Alert”
Oracle E-Business Suite Security: Common vulnerability statistics
Vulnerabilities in Public resources
How many vulnerabilities were found?
460+ in Oracle EBS
Chart: Number of EBS vulnerabilities per quarter, April 2011 to October 2016 (y-axis 0 to 90)
More information here: https://goo.gl/vyeKRX
Oracle E-Business Suite Security: Architecture
Oracle E-Business Suite: Architecture
Includes such technologies as:
PL/SQL
JAVA
.NET
HTML
XML
Variety of EBS Services
Oracle Forms Server
Oracle Reports Server
Oracle Discoverer
Oracle Database Server
Oracle Forms Listener
Oracle Portal…
Oracle E-Business Suite Security: Widespread security problems
Widespread EBS security problems
Having default users
Storing user passwords in an encrypted form by default (not hashed)
"FND : Diagnostics %" profile option is enabled
Oracle E-Business Suite Security: Default Users
Default Users: Information
Up to 300 database accounts
More than 40 seeded accounts
Number of default accounts increases along with the number of new product modules
Usually, the default password for every new account is the username
Default Users: Types
Database accounts
Business logic accounts
Accounts from business logic into database
Default Users: Example
Default users: Attack scheme #1 (Evil -> Desktop tier -> Application tier -> Database tier)
1. Using a default Business Logic account
2. Gaining access to Applications with access to the DB
3. Sending SQL query
4. Response with sensitive information
5. Sending request to the Inquirer / Stealing private data
Default users: Attack scheme #2 (Evil -> Desktop tier -> Application tier -> Database tier; diagram labels: Applications, sqlnet)
1. Using a default Database account
2. Stealing private data
Default users: Mitigation
Use Oracle’s DBA_USERS_WITH_DEFPWD
Limit the number of users
Change default passwords
Use a unique password for every account
Oracle E-Business Suite Security: Password Decryption
Oracle EBS Password Decryption
Oracle EBS end-user application passwords are stored in an encrypted form, not hashed
Account passwords are stored in `APP.FND_USER` table
The decryption procedure is well-known, documented and can easily be found on the Internet
Secure hashing of passwords is optional and must be enabled by DBA
Disabled by default
USER’s PASSWORD: `APP.FND_USER` table
USER_NAME | ENCRYPTED_FOUNDATION_PASSWD | ENCRYPTED_USER_PASSWD
GUEST | ZG6EBD472D1208B0CDC78D7EC7730F9B249496F825E761BA3EB2FEBB54F6915FADA757EF4558CF438CF55D23FE32BE0BE52E | ZG6C08D49D524A1551A3068977328B1AFD260400FB598E799A3A8BAE573777E7EE7262D1730366E6709524C95EC6BFA0DA06
SYSADMIN | ZH39A396EDCA4CA7C8D5395D94D8C915510C0C90DA198EC9CDA15879E8B547B9CDA034575D289590968F1B6B38A1E654DD98 | ZHF57EAF37B1936C56755B134DE7C83AE40CADDD4AA83B1D7455E5533DC041773B494D2AA04644FB5A514E5C5614F3C87888
WIZARD | ZG2744DCFCCFFA381B994D2C3F7ADACF68DF433BADF59CF6C3DAB3C35A11AAAB2674C2189DCA040C4C81D2CE41C2BB82BFC6 | ZGE9AAA974FB46BC76674510456C739564546F2A0154DCF9EBF2AA49FBF58C759283C7E288CC673044036E284042A8FE4451
ENCRYPTED_FOUNDATION_PASSWD: the APPS password encrypted with user name + user password
ENCRYPTED_USER_PASSWD: the user password encrypted using the APPS password
Oracle EBS Password Decryption: Mitigation
Implement password hashing: information from Oracle can be found in MOS Note 457166.1 "FNDCPASS Utility New Feature: Enhance Security With Non-Reversible Hash Password"
Password policy review: validate System Profile Options related to passwords
Review application account creation and password reset workflows with the administrator
Oracle E-Business Suite Security: "FND : Diagnostics %" profile
"FND : Diagnostics %" profile: when the option is enabled (screenshot)
DEMO: Gain Administrator privileges via "FND : Diagnostics %" profile
"FND : Diagnostics %" profile: Mitigation
You should disable the "FND : Diagnostics %" profile:
For separate users
Fully (in case it is unnecessary)
It is also good to restrict access to "FND : Diagnostics %" profile configuration
Oracle E-Business Suite Security: Conclusion
Defend your Oracle EBS
Cover immediate security issues:
Change default passwords
Implement password hashing
Disable access to "FND : Diagnostics %" profile configuration
Install latest security patches from Oracle
Perform comprehensive security audit
Conclusion:
Critical corporate data stored and processed in Oracle systems is vulnerable to numerous types of attacks
New vulnerabilities appear quite frequently. Follow closely the latest security information
Comprehensive security assessment of your Oracle systems will help you determine major areas of focus to secure most critical assets from cyber-attacks
How to Improve Cyber Security Posture and Remediate Vulnerabilities?
ERP Security Posture
Security-related goals: compliance with external laws and regulations; managed business risks; business service continuity and availability
ERP Security Capabilities: Predict (prepare for the future); Prevent (avoid incidents from occurring); Detect (identify an incident's activities and potentially an intruder); React (fix, correct, recover and learn)
Baseline ERP Security Capabilities
Predict: know your assets; assess risks
Prevent: choose controls; minimize attack surface
Detect: monitor vulnerabilities; recognize incidents
React: handle incidents; remediate vulnerabilities; report compliance
Heart of ERP Security: Vulnerability Management (Predict, Prevent, Detect, React)
How to Start?
1. Develop an ERP Security Initiative
2. Assess Current Security Posture
3. Choose an ERP Security Framework
4. Implement a Vulnerability Management
5. Track Effectiveness
1. Develop an ERP Security Initiative
Goal: obtain management support
Steps:
1. Understand ERP-specific risks
2. Elicit compliance requirements
3. Measure value of information inside ERP system
4. Identify stakeholders and their needs
5. Present your security initiative and get management support
2. Assess Current Security Posture
Goal: gain insight into current state of ERP Security
Steps:
1. Conduct detailed ERP security audit
2. Assess business risks
3. Implement quick remediations
4. Identify critical areas of security
5. Outline action plan and present results to the board
3. Choose an ERP Security Framework
Goal: integrate ERP security into business
ERP Security Architecture illustrates how the controls (processes, people and tools) should be integrated into the different layers of the current business environment
ERP Security Framework is a guidance on how to build individual architectures
Steps:
1. Use IT department experience
2. Look at Zachman, TOGAF, SABSA and other well known frameworks
3. Implement security controls
4. Implement a Vulnerability Management
Goal: establish a continuous cycle of security improvement
Steps:
1. Elicit requirements for the process (legal, business and compliance)
2. Design the process structure, roles, interfaces, KPIs and SLAs
3. Identify assets and schedule vulnerability assessment
4. Monitor vulnerabilities
5. Prioritize vulnerability remediation
6. Test and deploy vulnerability remediations
7. Verify remediation
5. Track Effectiveness
Goal: improve ERP Security capabilities
Steps:
1. Develop metrics for vulnerability management and compliance
2. Collect data and report efficiency
3. Conduct a pentest
4. Review your initiative
Final Takeaways
Analyze your business sphere
Manage vulnerabilities
Handle incidents
Report compliance
Track effectiveness
Future trends and predictions
Healthcare ERP Systems
POS global systems: Oracle, SAP
Cloud solutions
Internet of Things
Summary
ERP system is a critical infrastructure
Stores valuable information
By default is not secure
Susceptible to various attacks
Tempting for attackers
Well-timed remediation will reduce different losses