
Transcript of ERP Risk Advisors Founder and CEO Jeff Hare CPS, CISA, CIA ...

Page 1: ERP Risk Advisors Founder and CEO Jeff Hare CPS, CISA, CIA ...

Session ID: 10710

Hackproofing and Protecting Oracle E-Business Suite

Prepared by:

Mike Miller, CISSP-ISSMP, CCSP, Product Architect, Onapsis Inc.

Jeff Hare, CPS, CISA, CIA, Founder and CEO, ERP Risk Advisors

Remember to complete your evaluation for this session within the app!

Page 2:

About Onapsis

Onapsis: Keeping Business-Critical Applications Secure & Compliant

● Market Leaders: first-movers; focused on Fortune 2000 organizations
● Thought Leaders: dedicated in-house research labs; discovered over 500 vulnerabilities and attack vectors
● Patented Technology: awarded patent covering underlying critical algorithms and capabilities
● Experienced Management: successful executives from IBM, RSA, EMC, Sophos, Amazon.com
● Backed by Leading Investors: .406 Ventures, Schlumberger, Evolution, LLR, Arsenal, Endeavor
● Board of Directors & Advisors: CISO Schlumberger, former AVG CEO, CTO Veracode, CEO MercadoLibre

Purpose Built for ERP Security and Compliance

Page 3:

About ERP Risk Advisors

• Founded in 1998, we have 20 years of experience in providing Oracle Application Risk Advisory Services
• Our mission: to provide companies with the best Compliance, Security, Risk Management, and Controls, reducing overall risk (and the potential for fraud) in the ERP system
• U.S. based, global clients
• Partner with leading software providers and provide level 1 and 2 support for installed solutions
• Extensive training and authoring experience

Page 4:

Agenda

● Oracle E-Business Suite and security bugs
● Specific examples of EBS exploits
● Recommended security best practices

Page 5:

Oracle E-Business Suite & Security Bugs

Page 6:

EBS Architecture, Size and Scope

● 30,000+ JSPs, Forms, servlets, mobile pages and portlets (FND_FORM_FUNCTIONS)
● 12,000+ concurrent programs (FND_CONCURRENT_PROGRAMS)
● 3,000+ web services (FND_IREP_CLASSES)
● DMZ deployment option (URL Firewall and Web Services Firewall)
● Native REST and Mobile interfaces with 12.2.4
● OBIEE

All software has bugs. Bugs should be both expected and welcomed.

Page 7:

Open Web Application Security Project (OWASP) Top Ten

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

● Injection
● Broken Authentication
● Sensitive Data Exposure
● XML External Entities (XXE)
● Broken Access Control
● Security Misconfiguration
● Cross-Site Scripting (XSS)
● Insecure Deserialization
● Using Components with Known Vulnerabilities
● Insufficient Logging & Monitoring

● The Top Ten is a consensus-built list of the most critical security risks to web applications
● Does it apply to the Oracle E-Business Suite? Yes!

Page 8:

Onapsis Contribution to Oracle EBS Security Patches

“The security teams at Oracle and Onapsis have worked collaboratively for a number of years out of a shared desire to help our customers effectively increase their security posture.”

Mary Ann Davidson, Chief Security Officer at Oracle

Onapsis Research Lab

Page 9:

Security Bugs - Example of a CVE

CVE-2018-2870, reported by Onapsis Research, April 2018 CPU:

Vulnerability in the Oracle Human Resources component of Oracle E-Business Suite (subcomponent: General Utilities). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and 12.2.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Page 10:

CVEs, CWEs and the NVD

● CWE = Common Weakness Enumeration (e.g. SQLi)
● CVE = Common Vulnerabilities and Exposures (e.g. a SQLi bug in a specific JSP page)
● NVD = National Vulnerability Database https://nvd.nist.gov/
● CVRF = Common Vulnerability Reporting Format

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Page 11:

NVD Content for Oracle E-Business Suite

Severity    CVSS 3    CVSS 2
Critical    14        n/a (CVSS 2 has no Critical band)
High        207       83
Medium      79        483
Low         0         55
Total       300       621

Page 12:

Oracle: CVE Details

Page 13:

Oracle E-Business Suite Vulnerabilities

● E-Business Suite CVEs only, as reported to the NVD/Homeland Security
● No supporting technology
● Not Advanced Supply Chain
● No products/modules tagged other than E-Business Suite

https://www.cvedetails.com/product/1479/Oracle-E-business-Suite.html?vendor_id=93

Page 14:

Examples of EBS Exploits

Page 15:

Open Source Exploit Solutions Exist

● Oracle Password Auditor http://www.secure-bytes.com/oracle-password-auditor.php
● Oracle Database Attack Tool https://github.com/quentinhardy/odat
● Oracle Application Server Scanner https://www.darknet.org.uk/2007/06/oapscan-oracle-application-server-scanner/
● Metasploit https://www.metasploit.com/

Metasploit module for WebLogic CVE-2018-2628, CVSS 9.8, April 2018 CPU

Page 16:

WebLogic Example

Java deserialization, CVE-2017-10271 (or others): find exploit code on the Internet and turn the server into a Bitcoin miner, thanks to Oracle's “horrible mistake”.

● Mistake: https://developers.slashdot.org/story/18/05/26/0520227/oracle-calls-java-serialization-a-horrible-mistake-plans-to-dump-it
● Exploit code: https://github.com/c0mmand3rOpSec/CVE-2017-10271
● Great summary: https://blog.nsfocusglobal.com/threats/vulnerability-analysis/technical-analysis-and-solution-of-weblogic-server-wls-component-vulnerability/

Page 17:

WebLogic Example

● What should you do?
  − Protect the proprietary T3 protocol
  − Don't use the default port 7001 for the console
  − Whitelist hosts that can access the console
  − Use a Web Application Firewall (WAF)
  − More detail here: https://www.waratek.com/oracle-weblogic-rce-deserialization-vulnerability-cve-2018-2628-analysis/

These steps reduce exposure; they do not replace applying the CPU patch for the deserialization bug itself.

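Of the mitigations above, "protect the T3 protocol" is the one you can verify from outside, and a plain port scan does not do it: WebLogic multiplexes HTTP and T3 on the same listen port, so port 7001 being open says nothing about whether T3 is still reachable. The script below is an added example, not from the presentation, from Oracle or from the Waratek write-up; it sends the same T3 hello that scanners such as nmap's weblogic-t3-info script use and reports whether the listener answers with a T3 HELO. The target host and the sample reply used in the test are constructed.

```python
"""Check whether a WebLogic listener still answers the T3 protocol (added example)."""
import socket

# Client hello for WebLogic's proprietary T3 protocol, as used by
# nmap's weblogic-t3-info script. A server that accepts T3 replies
# with a line starting "HELO:<version>.<flag>".
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"


def parse_t3_banner(data):
    """Return the WebLogic version from a T3 HELO reply, or None if the
    peer did not speak T3 (a filtered listener typically returns nothing
    useful, or an HTTP error page)."""
    text = data.decode("ascii", errors="replace")
    for line in text.split("\n"):
        if line.startswith("HELO:"):
            # e.g. "HELO:12.2.1.3.0.false" -> "12.2.1.3.0"
            return line[len("HELO:"):].rsplit(".", 1)[0]
    return None


def probe_t3(host, port, timeout=3.0, connect=socket.create_connection):
    """Return (reachable, version). reachable=False means no TCP connection
    or no answer at all; version=None with reachable=True means the port is
    open but T3 is not being served on it, which is the state you want after
    filtering T3 on an admin port."""
    try:
        with connect((host, port), timeout=timeout) as s:
            s.sendall(T3_HELLO)
            data = s.recv(1024)
    except OSError:
        return False, None
    return True, parse_t3_banner(data)


if __name__ == "__main__":
    # Constructed target; replace with your own WebLogic admin host and port.
    print(probe_t3("weblogic.example.internal", 7001))
```

Run it from a host that is not on the console whitelist: the expected result after filtering is either no connection at all or an open port that returns no HELO. Either way, a version string coming back means T3 is still exposed, whatever port the console was moved to.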
Page 18:

Database Example

99.9% of all database vulnerabilities need a connection (a session)

● Get the SID?
  ○ NMAP or an Oracle attack tool to find who is listening on 1521
  ○ EBS Diagnostics is enabled and the About this Page link gives the SID
● Passwords?
  ○ Default EBS accounts (APPLSYSPUB, APPS)
  ○ Default database accounts
  ○ Password guesser (John the Ripper?)
● Get the APPS password
  ○ Default in non-production
  ○ Default GUEST user password, and local passwords not hashed

Page 19:

Database Example

OJVM Java deserialization bugs in the database
○ CVE-2018-3110, CVSS 9.9
○ CVE-2018-3004, CVSS 5.3
○ http://obtruse.syfrtext.com/2018/07/oracle-privilege-escalation-via.html
○ https://github.com/quentinhardy/odat

Page 20:

Hack Wrapped PL/SQL Code

● Wrap PL/SQL code to obfuscate it and protect intellectual property
  ○ wrap iname=input_file [ oname=output_file ]
● Oracle documentation clearly states the use cases
  ○ “Not a secure method for hiding things”
● You can easily unwrap PL/SQL code
  ○ Need a database session
  ○ By no means an alternative to encryption
  ○ Unwrapping solutions presented at Black Hat and posted on the Internet
    ■ SQL Developer plug-in

Page 21:

Hack EBS Application Passwords

● EBS application passwords are encrypted
  ○ Stored in FND_USER
  ○ The APPS password is used to encrypt them
● The encryption algorithm is easily Googled
  ○ Decrypt ALL application passwords and get the APPS password
● Risk
  ○ If you can read FND_USER, you can get APPS (via APPLSYSPUB?)
  ○ Production vs. non-production?
● You must also hash passwords
  ○ Standard feature of EBS, not enabled by default
  ○ Follow the instructions in the 12.2 EBS Security Guide

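Why reversible storage is fatal, and why the previous slide pairs "GUEST user default" with "not hashing the local passwords": if a table holds passwords that can be decrypted at all, one known password is enough to unlock the rest. The model below is an added example, not Oracle's code or algorithm. It assumes the widely published two-column layout of FND_USER (each row carries the user's password encrypted under the APPS password, and the APPS password encrypted under the user's password); the stream cipher standing in for Oracle's reversible scheme, the APPS value and the user list are all constructed. The hashed half shows what enabling password hashing changes: the table then holds only a salted digest from which neither the user password nor APPS can be recovered.

```python
"""Reversible vs hashed password storage in an FND_USER-like table (added example)."""
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    """Toy stream cipher (SHA-256 in counter mode). A stand-in for the
    reversible algorithm the slide refers to; do not use this in production."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.encode() + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    data = plaintext.encode()
    nonce = os.urandom(8)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt(key, blob):
    nonce, body = blob[:8], blob[8:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode(errors="replace")


def build_fnd_user_reversible(apps_password, users):
    """FND_USER as the slide describes it: everything decryptable, and the
    APPS password itself stored under each user's own password."""
    table = {}
    for name, pw in users.items():
        table[name] = {
            "ENCRYPTED_USER_PASSWORD": encrypt(apps_password, pw),
            "ENCRYPTED_FOUNDATION_PASSWORD": encrypt(pw, apps_password),
        }
    return table


def recover_everything(table, known_user, known_password):
    """Attacker with read access to the table and one known password
    (the GUEST default, a seeded test account, a phished user)."""
    apps_password = decrypt(known_password, table[known_user]["ENCRYPTED_FOUNDATION_PASSWORD"])
    users = {u: decrypt(apps_password, row["ENCRYPTED_USER_PASSWORD"]) for u, row in table.items()}
    return apps_password, users


def build_fnd_user_hashed(users, iterations=100_000):
    """The same accounts once hashing is enabled: a per-user salt and a
    PBKDF2 digest, nothing that can be run backwards."""
    table = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        table[name] = {"salt": salt, "hash": digest, "iterations": iterations}
    return table


def verify_hashed(table, name, candidate):
    """Login check against the hashed table; constant-time compare."""
    row = table[name]
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), row["salt"], row["iterations"])
    return hmac.compare_digest(digest, row["hash"])


# Constructed sample data, not real credentials.
SAMPLE_APPS = "apps_secret_2019"
SAMPLE_USERS = {"GUEST": "ORACLE", "SYSADMIN": "Welcome1", "JSMITH": "P@ssw0rd!"}

if __name__ == "__main__":
    reversible = build_fnd_user_reversible(SAMPLE_APPS, SAMPLE_USERS)
    apps, everyone = recover_everything(reversible, "GUEST", "ORACLE")
    print("from GUEST alone, recovered APPS =", apps, "and", sorted(everyone))
    hashed = build_fnd_user_hashed(SAMPLE_USERS)
    print("hashed GUEST row:", hashed["GUEST"]["hash"].hex())
```

The lesson for the "production vs non-production" question on the slide: a cloned non-production database with the same FND_USER contents and a default GUEST password leaks the production APPS password, so scrambling or end-dating accounts on clone (as recommended later in the deck) is not optional.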
Page 22:

Additional EBS Vulnerabilities

● Application role design is not based on the principle of least privilege
● Most organizations don't have the ability to test for high-risk functions and concurrent programs
● Most organizations haven't looked at customizations from a risk perspective; peer review has been weak; weak or no development standards
● Most organizations don't have a process to validate that all activities have gone through the change management process
● Oracle ships 65+ functions that allow SQL injection through the application tier; these give the user the equivalent of full APPS-like DDL and DML privileges, and there is no monitoring of activity in any of these tables

Page 23:

Why Do All of These Vulnerabilities Matter - ERP Risk

A few key points:
1. Global Average – $130K
2. Global Cases – 2,690

Page 24:

Recommended Security Best Practices for Oracle EBS

Page 25:

Use Common Sense to Secure Oracle EBS

● Think about the basics. Be curious
  − Accidents and ignorance vs. gangsters and governments
● Have a program
  − Formal document
  − Be specific (e.g. when cloning, scramble PII data and end-date user accounts)
● Practice defense-in-depth
  − Patch and follow Oracle's advice and instructions
  − Deploy firewalls, enclaves and bastion hosts
  − Use Web Application Firewalls
  − Enable auditing (and look at it!)
  − Trust, but verify high-trust employees with background checks (annual?)

Page 26:

Be Curious - Read the Documentation

Here are a few recommendations for securing Oracle EBS

Page 27:

Apply Security Patches

● Oracle security patches are cumulative, but are separate per product
● What needs patching: everything, the whole tech stack
  ○ E-Business Suite
  ○ Fusion Middleware (WebLogic, Forms, Reports)
  ○ Java
  ○ Database
  ○ Database OJVM
  ○ OBIEE (plus its repository database)
  ○ Linux
● Use a FMAN methodology driven by Oracle's published dates, deploying at N-1 or N-2
  ○ Oracle: January, April, July and October
  ○ You: February, May, August and November
● Use Level 1, 2 and 3 test scripts
● Will a WAF protect me? What about virtual patching?

Oracle CPU dates: 16 April 2019, 16 July 2019, 15 October 2019, 14 January 2020

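The four dates on the slide follow Oracle's published rule (the Tuesday closest to the 17th of January, April, July and October), which means the calendar can be generated rather than copied each year. The script below is an added example, not from the presentation or from Oracle: it derives the CPU dates and turns the slide's N-1 / N-2 idea into a deploy-by date. Treating "N-1" as the same day of the month one month after the CPU is this example's own assumption; the slide only names the months.

```python
"""Oracle Critical Patch Update calendar and N-1 / N-2 deploy windows (added example)."""
import datetime

CPU_MONTHS = (1, 4, 7, 10)


def cpu_date(year, month):
    """Tuesday closest to the 17th; when the 17th is a Saturday (a tie)
    Oracle has used the later Tuesday, which this offset reproduces."""
    if month not in CPU_MONTHS:
        raise ValueError("no CPU in month %d" % month)
    anchor = datetime.date(year, month, 17)
    # weekday(): Monday=0 ... Tuesday=1. Offset to the nearest Tuesday, in [-3, +3].
    offset = (1 - anchor.weekday() + 3) % 7 - 3
    return anchor + datetime.timedelta(days=offset)


def cpu_schedule(start, count):
    """The next `count` CPU dates on or after `start`."""
    dates = []
    year = start.year
    while len(dates) < count:
        for month in CPU_MONTHS:
            d = cpu_date(year, month)
            if d >= start and len(dates) < count:
                dates.append(d)
        year += 1
    return dates


def patch_deadline(cpu, lag_months):
    """Deploy-by date for an N-lag_months policy: same day of month, lag months
    later, clamped to the end of the target month (assumption, see lead-in)."""
    month0 = cpu.month - 1 + lag_months
    year = cpu.year + month0 // 12
    month = month0 % 12 + 1
    nxt_year, nxt_month = (year + 1, 1) if month == 12 else (year, month + 1)
    last_day = (datetime.date(nxt_year, nxt_month, 1) - datetime.timedelta(days=1)).day
    return datetime.date(year, month, min(cpu.day, last_day))


def patch_plan(start, count=4, lag_months=1):
    """List of (cpu_date, deploy_by) for the next CPUs from `start`."""
    return [(d, patch_deadline(d, lag_months)) for d in cpu_schedule(start, count)]


if __name__ == "__main__":
    for cpu, deadline in patch_plan(datetime.date(2019, 4, 1), count=4, lag_months=1):
        print("CPU %s  ->  deploy by %s (N-1)" % (cpu, deadline))
```

Feed the deadlines into whatever tracks your change tickets; the point of the slide is that the dates are known a year ahead, so a missed window is a process failure, not a surprise.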
Page 28:

Harden and Deploy According to How EBS is Designed

● The Oracle security documents are MUST READS
  ○ Checklists for EBS, database and WebLogic
● Consider the Center for Internet Security (CIS) benchmarks
  ○ https://www.cisecurity.org/

Page 29:

ERP Cybersecurity Is a Continuous Process

Model based on Gartner's Adaptive Attack Protection (April 2018). Phases shown in the diagram, with Continuous Monitoring, Measuring & Learning spanning all of them:

● Discover & Define
● Assess & Prioritize
● Prevent & Protect
● Detect & Respond
● Remediate & Comply

Page 30:

Use Tools

● Manual reporting and analysis of patch status and configuration drift is not feasible, repeatable or dependable
  ○ EBS support health check scripts, EBS Diagnostics, EBS Security Console
  ○ 3rd-party vendors
● Really want to read more? See the Security Content Automation Protocol (SCAP) for NIST's vision and approach
  ○ https://csrc.nist.gov/projects/security-content-automation-protocol

Page 31:

Discuss, Question and Communicate

Stakeholders shown in the diagram: Executive Reporting, Audit & Compliance, Application Security, Oracle Team, IT Security

Page 32:

Onapsis Sessions at Collaborate & Visit Booth #327

● Oracle E-Business Suite: Key Audit & Compliance Advantages to Running in the Cloud. Monday 8 Apr, 3:15 PM, GH 4th FL, Texas Salon D
● Steps to Stay Secure with Security Configuration Console in Oracle E-Business Suite. Monday 8 Apr, 4:30 PM, GH 4th FL, Texas Salon B
● Hackproofing and Protecting Oracle E-Business Suite. Wednesday 10 April, 8:00 AM, GH 4th FL, Crockett D
● How to Implement Oracle Critical Patch Updates for EBS. Thursday 11 April, 10:30 AM, GH 4th FL, Seguin B

Page 33:

ERP Risk Advisors Sessions at Collaborate & Visit Booth #816

● Security and Controls Foundational Concepts for Oracle ERP Cloud (Fusion) Applications. Sunday 7 Apr, 12:30 PM, GH 4th FL, Seguin A
● An Auditor's Perspective on a Successful ERP Cloud Implementation. Monday 8 Apr, 9:15 AM, CC 3rd FL, 301B
● Security and Controls Best Practices for Oracle ERP Cloud. Monday 8 Apr, 3:15 PM, CC 2nd FL, 221A
● Developers and DBAs Can Play a Vital Role in an Organization Using ERP Cloud. Tuesday 9 April, 2:00 PM, CC 3rd FL, 301B
● GRC Best Practices Using Oracle's Risk Management Cloud and Beyond. Tuesday 9 April, 4:30 PM, CC 2nd FL, 221A
● Foundational Concepts in Security and Controls in the ERP Cloud. Wednesday 10 April, 10:30 AM, CC 3rd FL, 301B
● Role Design Best Practices for Organizations Using ERP Cloud. Thursday 11 April, 8:00 AM, CC 2nd FL, 217A

Page 34:

Questions?

Mike Miller ([email protected])
Jeff Hare ([email protected])

Session 10710. Please remember to complete a survey.

Page 35:

CVE Process

Page 36:

Example: EBS CVEs from 2018 with a CVSS score of 5 or greater

https://www.cvedetails.com/vulnerability-list.php?vendor_id=93&product_id=1479&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=5&cvssscoremax=0&year=2018&month=0&cweid=0&order=1&trc=12&sha=bc0be9f20a1539e9bd684de28242142586040e92

Page 37:

100+ checks, ~300 pages