ERP Risk Advisors Founder and CEO Jeff Hare CPS, CISA, CIA ...
Hackproofing and Protecting Oracle E-Business Suite
Mike Miller, CISSP-ISSMP, CCSP, Product Architect, Onapsis Inc.
Jeff Hare, CPS, CISA, CIA, Founder and CEO, ERP Risk Advisors
About Onapsis
Onapsis: Keeping Business-Critical Applications Secure & Compliant
Market Leaders: First-movers; focused on Fortune 2000 organizations
Thought Leaders: Dedicated in-house research labs; discovered over 500 vulnerabilities and attack vectors
Patented Technology: Awarded patent covering underlying critical algorithms and capabilities
Experienced Management: Successful executives from IBM, RSA, EMC, Sophos, Amazon.com
Backed by Leading Investors: .406 Ventures, Schlumberger, Evolution, LLR, Arsenal, Endeavor
Board of Directors & Advisors: CISO Schlumberger, former AVG CEO, CTO Veracode, CEO MercadoLibre
Purpose Built for ERP Security and Compliance
About ERP Risk Advisors
• Founded in 1998, we have 20 years' experience providing Oracle Application Risk Advisory Services
• Our mission: to provide companies with the best Compliance, Security, Risk Management, and Controls that reduce overall risk (and the potential for fraud) in the ERP system
• U.S. based, global clients
• Partner with leading software providers and provide level 1 and 2 support for installed solutions
• Extensive training and authoring experience
Agenda
● Oracle E-Business Suite and security bugs
● Specific examples of EBS exploits
● Recommended security best practices
Oracle E-Business Suite & Security Bugs
EBS Architecture, Size and Scope
● 30,000+ JSP, Forms, Servlets, Mobile, portlets (FND_FORM_FUNCTIONS)
● 12,000+ concurrent programs (FND_CONCURRENT_PROGRAMS)
● 3,000+ web services (FND_IREP_CLASSES)
● DMZ deployment option (URL Firewall and Web Services Firewall)
● Native REST and Mobile Interfaces with 12.2.4
● OBIEE
All software has bugs. Bugs should be both expected and welcomed.
Open Web Application Security Project (OWASP) Top Ten
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring
● The Top Ten is a consensus-built list of the most critical security risks to web applications
● Does it apply to the Oracle E-Business Suite? Yes!
Onapsis Contribution to Oracle EBS Security Patches
“The security teams at Oracle and Onapsis have worked collaboratively for a number of years out of a shared desire to help our customers effectively increase their security posture.”
Mary Ann Davidson, Chief Security Officer at Oracle
Security Bugs - Example of a CVE
CVE-2018-2870, Reported by Onapsis Research, April 2018 CPU
Vulnerability in the Oracle Human Resources component of Oracle E-Business Suite (subcomponent: General Utilities). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and 12.2.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data on all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
CVEs, CWEs and the NVD
● CWE = Common Weakness Enumeration (e.g. SQLi)
● CVE = Common Vulnerabilities and Exposures (e.g. a SQLi bug in a specific JSP page)
● NVD = National Vulnerability Database https://nvd.nist.gov/
● CVRF = Common Vulnerability Reporting Format
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
NVD Content for Oracle E-Business Suite
Severity    CVSS 3    CVSS 2
Critical        14         -
High           207        83
Medium          79       483
Low              0        55
Total          300       621
(CVSS v2 has no Critical band.)
Oracle: CVE Details
Oracle E-Business Suite Vulnerabilities
● E-Business Suite CVEs only, as reported to the NVD/Homeland Security
● No supporting technology
● Not Advanced Supply Chain
● No products/modules tagged other than E-Business
https://www.cvedetails.com/product/1479/Oracle-E-business-Suite.html?vendor_id=93
Examples of EBS Exploits
Open Source Exploit Solutions Exist
● Oracle Password Auditor http://www.secure-bytes.com/oracle-password-auditor.php
● Oracle Database Attack Tool https://github.com/quentinhardy/odat
● Oracle Application Server Scanner https://www.darknet.org.uk/2007/06/oapscan-oracle-application-server-scanner/
● Metasploit https://www.metasploit.com/
Metasploit Module for WebLogic CVE-2018-2628, CVSS 9.8, April 2018 CPU
WebLogic Example: Java Deserialization CVE-2017-10271 (or others). Find exploit code on the Internet and turn a server into a Bitcoin miner, due to Oracle’s “Horrible Mistake”
● Mistake: https://developers.slashdot.org/story/18/05/26/0520227/oracle-calls-java-serialization-a-horrible-mistake-plans-to-dump-it
● Exploit code: https://github.com/c0mmand3rOpSec/CVE-2017-10271
● Great summary: https://blog.nsfocusglobal.com/threats/vulnerability-analysis/technical-analysis-and-solution-of-weblogic-server-wls-component-vulnerability/
WebLogic Example
● What should you do?
− Protect the proprietary T3 protocol
− Don’t use the default port 7001 for the console
− Whitelist hosts that can access the console
− Use a Web Application Firewall (WAF)
− More detail here: https://www.waratek.com/oracle-weblogic-rce-deserialization-vulnerability-cve-2018-2628-analysis/
Database Example
99.9% of all database vulnerabilities need a connection (a session)
● Get the SID?
○ NMAP or an Oracle attack tool to find who is talking on 1521
○ EBS Diagnostics is enabled and the About This Page link gives the SID
● Passwords?
○ Default EBS (applsyspub, APPS)
○ Default database
○ Password guesser (John the Ripper?)
● Get the APPS password
○ Default in non-production
○ Guest user default and not hashing the local passwords
Database Example
OJVM Java deserialization bugs in the database
○ CVE-2018-3110 CVSS 9.9
○ CVE-2018-3004 CVSS 5.3
○ http://obtruse.syfrtext.com/2018/07/oracle-privilege-escalation-via.html
○ https://github.com/quentinhardy/odat
Hack Wrapped PL/SQL Code
● Wrap PL/SQL code to obfuscate it and protect intellectual property
○ wrap iname=input_file [ oname=output_file ]
● Oracle documentation clearly states the use cases
○ “Not a secure method for hiding things”
● You can easily unwrap PL/SQL code
○ Need a database session
○ By no means an alternative to encryption
○ Unwrapped solutions presented at Black Hat and posted on the Internet
■ SQL Developer plug-in
Hack EBS Application Passwords
● EBS application passwords are encrypted
○ Stored in FND_USER
○ The APPS password is used to encrypt them
● Encryption algorithm easily Googled
○ Decrypt ALL application passwords and get the APPS password
● Risk
○ If you can access FND_USER, you can get APPS (applsyspub?)
○ Production vs non-production?
● Must also hash passwords
○ Standard feature of EBS, not enabled by default
○ Follow the instructions in the 12.2 EBS Security Guide
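Why "must also hash passwords" matters comes down to one property: a store encrypted under a single shared key can be reversed in bulk, a salted iterated hash cannot be reversed at all. The block below is an added example, not Oracle's code and not the EBS algorithm: the reversible store uses a constructed toy cipher that only shares the relevant property (one master key, decryptable), and the hashed store uses PBKDF2-HMAC-SHA256 with a per-user salt, which is the design the security guide's hashing option stands in for. The account names and passwords are constructed sample data.

```python
"""Reversible credential store vs. hashed credential store.

Added example, not Oracle's code. The toy cipher is NOT the EBS scheme; it is
a stand-in with the one property the slide warns about: whoever holds the
table and the single master key recovers every password at once.
"""
import hashlib
import hmac
import os
import secrets

SALT_LEN = 8
ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows


# ---- reversible store (the risky design) ------------------------------------
def _keystream(key: bytes, salt: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; toy cipher for illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, salt + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_reversible(master_key: bytes, password: str) -> bytes:
    """Encrypt one password under the shared master key: salt || ciphertext."""
    salt = os.urandom(SALT_LEN)
    pw = password.encode()
    return salt + bytes(a ^ b for a, b in zip(pw, _keystream(master_key, salt, len(pw))))


def decrypt_reversible(master_key: bytes, blob: bytes) -> str:
    """The weakness: the master key turns every stored blob back into plaintext."""
    salt, ct = blob[:SALT_LEN], blob[SALT_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(master_key, salt, len(ct)))).decode()


# ---- hashed store (the recommended design) ----------------------------------
def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unknown hash scheme {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# ---- demonstration ----------------------------------------------------------
def demo() -> dict:
    # Constructed sample accounts; not real EBS credentials.
    users = {"SYSADMIN": "Welcome1", "OPERATIONS": "s3cret!"}
    master_key = b"constructed-master-key"

    reversible_table = {u: encrypt_reversible(master_key, p) for u, p in users.items()}
    # Table + key = every password at once; nothing per-user protects the others.
    recovered = {u: decrypt_reversible(master_key, b) for u, b in reversible_table.items()}

    hashed_table = {u: hash_password(p) for u, p in users.items()}
    checks = {
        "right_pw": verify_password("Welcome1", hashed_table["SYSADMIN"]),
        "wrong_pw": verify_password("Welcome2", hashed_table["SYSADMIN"]),
        # Hashing the same password twice gives different records: per-entry salt.
        "salted": hash_password("Welcome1") != hashed_table["SYSADMIN"],
    }
    return {"recovered": recovered, "checks": checks}


if __name__ == "__main__":
    print(demo())
```

The contrast to take away: the hashed table has no decrypt function to leak, so a copy of the table plus any key yields nothing but the ability to run verify() one guess at a time, and the iteration count sets the price of each guess.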
Additional EBS Vulnerabilities
● Application role design is not based on the principle of least privilege
● Most organizations don’t have the ability to test for high-risk functions and concurrent programs
● Most organizations haven’t looked at customizations from a risk perspective; peer review has been weak; weak or no development standards
● Most organizations don’t have a process to validate that all activities have gone through the change management process
● Oracle has 65+ functions that allow for SQL injection through the application tier; this gives users of those functions the equivalent of full APPS-like DDL and DML privileges; there is no monitoring of activity in any of these tables
Why Do All of These Vulnerabilities Matter? ERP Risk
A few key points:
1. Global Average – $130K
2. Global Cases – 2,690
Recommended Security Best Practices for Oracle EBS
Use Common Sense to Secure Oracle EBS
● Think about the basics. Be curious
− Accidents and ignorance vs. gangsters and governments
● Have a program
− Formal document
− Be specific (e.g. when cloning, scramble PII data and end-date user accounts)
● Practice Defense-in-Depth
− Patch and follow Oracle’s advice and instructions
− Deploy firewalls, enclaves and bastion hosts
− Use Web Application Firewalls
− Enable auditing (and look at it!)
− Trust, but verify high-trust employees with background checks (annual?)
Be Curious - Read The Documentation
Here are a few recommendations for securing Oracle EBS
Apply Security Patches
● Oracle security patches are cumulative, but separate for each part of the stack
● What needs patching? Everything, the whole tech stack:
○ E-Business Suite
○ Fusion Middleware (WebLogic, Forms, Reports)
○ Java
○ Database
○ Database OJVM
○ OBIEE (plus its repository database)
○ Linux
● Use a FMAN methodology using Oracle’s published dates, using N-1 or N-2
○ Oracle: January, April, July and October
○ You: February, March, August and November
● Use Level 1, 2 and 3 test scripts
● Will a WAF protect me? What about virtual patching?
Oracle CPU Dates: 16 April 2019, 16 July 2019, 15 October 2019, 14 January 2020
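The four CPU dates on the slide are not arbitrary: Oracle publishes each Critical Patch Update on the Tuesday closest to the 17th of January, April, July and October. The block below is an added example, not Oracle's or the presenters' code; it derives the calendar from that rule (the test confirms it reproduces the slide's dates) and then turns the "N-1 or N-2" wording into a measurable check: how many CPUs a system is behind on a given day, which is my reading of N as the current CPU. The last-applied dates used in the usage and test are constructed.

```python
"""Oracle Critical Patch Update calendar and patch-lag check.

Added example, not Oracle's code. Schedule rule: the Tuesday closest to the
17th of January, April, July and October (Oracle's published CPU cadence).
"""
from __future__ import annotations

from datetime import date, timedelta

CPU_MONTHS = (1, 4, 7, 10)
TUESDAY = 1  # date.weekday(): Monday = 0


def cpu_release_date(year: int, month: int) -> date:
    """Tuesday closest to the 17th of a CPU month."""
    if month not in CPU_MONTHS:
        raise ValueError(f"{month} is not a CPU month {CPU_MONTHS}")
    anchor = date(year, month, 17)
    forward = (TUESDAY - anchor.weekday()) % 7  # days until the next Tuesday
    if forward > 3:                              # the previous Tuesday is nearer
        forward -= 7
    return anchor + timedelta(days=forward)


def cpu_calendar(year: int) -> list[str]:
    """ISO dates of the four CPUs in a year."""
    return [cpu_release_date(year, m).isoformat() for m in CPU_MONTHS]


def cpus_released_after(last_applied_iso: str, today_iso: str) -> list[str]:
    """CPUs released after the one you have applied, up to and including today.
    last_applied_iso is the release date of the CPU currently on the system."""
    last = date.fromisoformat(last_applied_iso)
    today = date.fromisoformat(today_iso)
    out = []
    for year in range(last.year, today.year + 1):
        for month in CPU_MONTHS:
            d = cpu_release_date(year, month)
            if last < d <= today:
                out.append(d.isoformat())
    return out


def patch_lag(last_applied_iso: str, today_iso: str) -> str:
    """'N-0' = current, 'N-1' = one CPU behind, and so on."""
    return f"N-{len(cpus_released_after(last_applied_iso, today_iso))}"


def within_policy(last_applied_iso: str, today_iso: str, max_lag: int = 2) -> bool:
    """True if the system meets an N-<max_lag> policy on the given day."""
    return len(cpus_released_after(last_applied_iso, today_iso)) <= max_lag


if __name__ == "__main__":
    print(cpu_calendar(2019))                     # reproduces the slide's 2019 dates
    # Constructed: a system still on the January 2019 CPU, checked on 20 Oct 2019.
    print(patch_lag("2019-01-15", "2019-10-20"), within_policy("2019-01-15", "2019-10-20"))
```

Feeding within_policy() the CPU level read from each environment (production, test, clones) gives the drift report that the later "Use Tools" slide says is not feasible to maintain by hand.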
Harden and Deploy According to How EBS is Designed
● The Oracle security documentation is a MUST READ
○ Checklists for EBS, database and WebLogic
● Consider the Center for Internet Security (CIS) benchmarks
○ https://www.cisecurity.org/
ERP Cybersecurity Is a Continuous Process
[Diagram] Model based on Gartner’s Adaptive Attack Protection (April 2018). Stages: Continuous Monitoring, Measuring & Learning; Detect & Respond; Prevent & Protect; Discover & Define; Remediate & Comply; Assess & Prioritize
Use Tools
● Manual reporting and analysis of patching and configuration drift is not feasible, repeatable or dependable
○ EBS support health check scripts, EBS Diagnostics, EBS Security Console
○ 3rd party vendors
● Really want to read more? Security Content Automation Protocol (SCAP) for NIST’s vision and approach
○ https://csrc.nist.gov/projects/security-content-automation-protocol
Discuss, Question and Communicate
[Diagram] Stakeholders: Executive Reporting; Audit & Compliance; Application Security; Oracle Team; IT Security
Onapsis Sessions at Collaborate & Visit Booth #327
● Oracle E-Business Suite: Key Audit & Compliance Advantages to Running in the Cloud, Monday 8 Apr 3:15 PM, GH 4TH FL Texas Salon D
● Steps to Stay Secure with Security Configuration Console in Oracle E-Business Suite, Monday 8 Apr 4:30 PM, GH 4TH FL Texas Salon B
● Hackproofing and Protecting Oracle E-Business Suite, Wednesday 10 April 8:00 AM, GH 4TH FL Crockett D
● How to Implement Oracle Critical Patch Updates for EBS, Thursday 11 April 10:30 AM, GH 4TH FL Seguin B
ERP Risk Advisors Sessions at Collaborate & Visit Booth #816
● Security and Controls Foundational Concepts for Oracle ERP Cloud (Fusion) Applications, Sunday 7 Apr 12:30 PM, GH 4TH FL Seguin A
● An Auditor’s Perspective on a Successful ERP Cloud Implementation, Monday 8 Apr 9:15 AM, CC 3RD FL 301B
● Security and Controls Best Practices for Oracle ERP Cloud, Monday 8 Apr 3:15 PM, CC 2ND FL 221A
● Developers and DBAs Can Play a Vital Role in an Organization Using ERP Cloud, Tuesday 9 April 2:00 PM, CC 3RD FL 301B
● GRC Best Practices Using Oracle’s Risk Management Cloud and Beyond, Tuesday 9 April 4:30 PM, CC 2ND FL 221A
● Foundational Concepts in Security and Controls in the ERP Cloud, Wednesday 10 April 10:30 AM, CC 3RD FL 301B
● Role Design Best Practices for Organizations Using ERP Cloud, Thursday 11 April 8:00 AM, CC 2ND FL 217A
Questions?
Mike Miller ([email protected])
Jeff Hare ([email protected])
Session 10710. Please remember to complete a survey
CVE Process
https://www.cvedetails.com/vulnerability-list.php?vendor_id=93&product_id=1479&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=5&cvssscoremax=0&year=2018&month=0&cweid=0&order=1&trc=12&sha=bc0be9f20a1539e9bd684de28242142586040e92
Example: EBS CVEs from 2018 with a CVSS Score of 5 or Greater
100+ checks ~ 300 pages