Nearly half of the organizations using Oracle’s PeopleSoft applications are vulnerable to cyberattacks, according to a report from ERPScan, a company that specializes in securing business-critical enterprise resource planning (ERP) solutions from SAP and Oracle.
Earlier this year at the Hack In The Box and Hack In Paris conferences, ERPScan researcher Alexey Tyurin detailed several security issues that put organizations using PeopleSoft applications at risk.
ERPScan has reported several PeopleSoft vulnerabilities to Oracle, including information disclosure, XML external entity (XXE), cross-site scripting (XSS), and authentication bypass bugs. Experts have also uncovered configuration-related issues and the existence of default credentials that can be exploited by malicious actors in their operations.
One serious configuration issue, dubbed by researchers “TokenChpoken,” allows an attacker to breach PeopleSoft systems that are accessible via the Internet. Attackers can leverage the weakness to log in under any account and get full access to vulnerable systems.
Using a special Google search, ERPScan has determined that there are 549 PeopleSoft systems accessible through the Internet. These servers belong to government and military organizations (64 servers), commercial enterprises (249 servers), and universities (236 servers).
Of these 549 servers, 231 of them, representing 42 percent, are vulnerable to TokenChpoken attacks, ERPScan said. The list of affected organizations includes 18 Fortune 500 companies, and 25 enterprises included in Forbes’ Global 2000 list. One of the world’s largest pharmaceutical companies is also at risk.
The TokenChpoken attack, which affects systems that use Single Sign-On (SSO), is possible because an authentication cookie (PS_TOKEN) used by PeopleSoft applications can be forged.
The PS_TOKEN cookie is generated when a user first signs in to a PeopleSoft application. When users log in to a different server, the browser sends this cookie for authentication so that the user doesn’t have to enter his/her credentials again.
This authentication cookie contains data such as user ID, interface language, token issuing date, node name, and a signature. This signature is an SHA1 hash generated based on the user ID, language, node name, date and time, and the user’s password. During the authentication process, the server decodes the PS_TOKEN, generates an SHA1 hash based on the information from the cookie, and compares it to the signature. If the signature matches the SHA1 hash, the user is authenticated.
Researchers discovered that an attacker can log in to the system as any user by brute forcing this hash. According to ERPScan, the hash can be cracked within one day using a GPU that costs roughly $500.
“Taking into account that organizations using PeopleSoft systems have about 5000 employees, the cost of getting personal data of one of them is only 10 cents! In addition, on the black market the average cost of these data is about $200, so, this attack seems to be a rather profitable business,” ERPScan said.
ERPScan CTO Alexander Polyakov told SecurityWeek that the best way for organizations to mitigate potential TokenChpoken attacks is to set very strong passwords for PeopleSoft nodes, the term used for the systems enrolled in SSO. Organizations can also protect themselves by using certificate authentication instead of password authentication.
On the other hand, Polyakov has pointed out that such changes are not always easy to make, especially if multiple nodes are used. Organizations might need to shut down the systems in order to reconfigure them, which can result in interruptions of the business process and even financial loss.
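The following added example (not code from the article, ERPScan or Oracle) models the PS_TOKEN check as the article describes it and shows why node-password strength is the whole security margin: every other input to the signature is readable from the cookie, so the worst-case cracking time for the node password is the worst-case time to forge a token. The field serialisation, the `PsToken` type and the guess rate are assumptions; real PeopleSoft encoding differs.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class PsToken:
    """Simplified stand-in for the fields the article lists in PS_TOKEN."""
    user_id: str
    language: str
    node_name: str
    issued_at: str
    signature: str


def sign(user_id, language, node_name, issued_at, node_password):
    # Assumed serialisation: the article only says the SHA1 covers these
    # fields plus the node password; the real byte layout is not given.
    material = "\x00".join([user_id, language, node_name, issued_at, node_password])
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


def verify(token: PsToken, node_password: str) -> bool:
    """Server-side check: recompute the SHA1 from the cookie and compare."""
    expected = sign(token.user_id, token.language, token.node_name,
                    token.issued_at, node_password)
    return hmac.compare_digest(expected, token.signature)


def worst_case_crack_days(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Days to exhaust the node-password keyspace at a given guess rate.

    Because every other signature input is visible in the cookie, this is also
    the worst-case time an attacker holding one captured token needs to forge
    tokens for any user, which is why long node passwords or certificate
    authentication are the mitigations the article recommends.
    """
    return charset_size ** length / guesses_per_second / 86400


def node_password_acceptable(password: str, min_length: int = 20) -> bool:
    """Policy check for a node password: length and mixed character classes."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) >= min_length and sum(classes) >= 3
```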
ERPScan has warned that the use of default credentials in PeopleSoft applications is also problematic. However, the company says it has been informed by Oracle that newer versions of PeopleSoft don’t include any default credentials. In the case of older versions, customers will have to manually check and change default passwords, Polyakov said.
Oracle PeopleSoft solutions are used by many public and private organizations worldwide for human capital, financial, supplier relationship, and supply chain management. The popularity of applications such as PeopleSoft Human Resource Management Systems (HRMS), reportedly used by more than 7,000 companies, makes them an attractive target for cybercriminals.
The security firm says charity organizations have the highest percentage of vulnerable servers (85%), followed by enterprises in the food and agriculture (83%), insurance (67%), manufacturing (59%), retail (58%), transport (55%), and government (53%) sectors.
Vulnerabilities and configuration issues in various PeopleSoft applications can be exploited by malicious actors for espionage, sabotage, and fraud, experts noted.
Oracle has been contacted for comment.