ERP System Attacks and the BlackHat DC Conference

Monday, February 14, 2011

Alexander Polyakov


Secure Your Business: About Attacks on ERP Systems and the BlackHat DC Conference

During the BlackHat DC conference, DSecRG experts talked about attacks on corporate business applications that cybercriminals can use for espionage, sabotage and fraud against competitors.

At the conference, previously unknown attack methods were presented against popular ERP systems such as SAP and JD Edwards, and against the OpenEdge RDBMS, a general-purpose platform for developing custom business applications.

Although companies like SAP and Oracle regularly release security updates for their products, those products remain exposed to attacks aimed at architectural vulnerabilities and configuration errors.

In his talk, Alexander Polyakov, Head of DSecRG, focused on the architectural vulnerabilities of the listed systems and demonstrated various methods of exploiting them. Since most of these vulnerabilities are hard to patch, they are likely to remain exploitable in the future.

“Very few administrators of SAP systems install updates regularly, and extremely few people deeply understand the technical details of ERP systems, at best limiting themselves to SOD problems. That is why we see insecurely configured systems as the result of security assessments,” stated Alexander Polyakov.

His report gives an example: during an audit, a JD Edwards system was found with an architectural vulnerability that allowed any user to access all business-critical data. This vulnerability still exists in a two-tier installation with a major client.

Another example of an architectural vulnerability was found in the OpenEdge RDBMS, which is used by many Fortune 100 companies. Here a trivial error is made during authentication: verification of the password hash is implemented on the client side, so it is possible to authenticate to the system without knowing the password, or even the user name.

The problem is that such a vulnerability will not be corrected by the vendor, because fixing it would require rewriting the architecture; the only countermeasure is to use external authentication.
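To make the anti-pattern concrete, here is an added illustration written for this page. It is not OpenEdge's actual protocol and not code from the talk: a toy login exchange in which the server hands the client the stored salt and hash and then trusts the client's verdict, placed beside the server-side check that a sound design uses. The user record, salt and class names are all made up for the example.

```python
import hashlib
import hmac

# Constructed sample user store: username -> (salt, PBKDF2 hash). Not real data.
# Iteration count kept low so the example runs quickly; use far more in production.
def _h(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # made-up salt
USERS = {"alice": (_SALT, _h(_SALT, "correct horse battery staple"))}


# --- Vulnerable design: the client verifies, the server believes it ----------
class ClientSideAuthServer:
    """Hypothetical server that ships the stored hash out and accepts 'I checked it'."""

    def get_credential(self, username):
        # Step 1: any caller can fetch the salt and hash (also handy for offline cracking).
        return USERS.get(username)

    def login(self, username, client_says_ok: bool) -> bool:
        # Step 2: the server's only check is a boolean chosen by the client.
        # It does not even confirm that the user exists.
        return client_says_ok


def honest_client_login(server, username, password) -> bool:
    """The vendor's own client: computes the hash locally and reports the result."""
    rec = server.get_credential(username)
    if rec is None:
        return False
    salt, stored = rec
    return server.login(username, hmac.compare_digest(_h(salt, password), stored))


def rogue_client_login(server, username) -> bool:
    """A modified client: never hashes anything, just asserts success.
    Works without the password and, since the server never looks the user up,
    without a valid user name either."""
    return server.login(username, True)


# --- Hardened design: the server verifies and never releases the hash --------
class ServerSideAuthServer:
    def login(self, username, password) -> bool:
        rec = USERS.get(username)
        if rec is None:
            # Do comparable work for unknown users so timing does not reveal valid names.
            _h(_SALT, password)
            return False
        salt, stored = rec
        return hmac.compare_digest(_h(salt, password), stored)


if __name__ == "__main__":
    weak = ClientSideAuthServer()
    print("honest client, right password:", honest_client_login(weak, "alice", "correct horse battery staple"))
    print("rogue client, no password:   ", rogue_client_login(weak, "alice"))
    print("rogue client, no such user:  ", rogue_client_login(weak, "nobody"))
    strong = ServerSideAuthServer()
    print("server-side, rogue attempt:  ", strong.login("nobody", "anything"))
```

The point of the pairing is that the weak server has no decision of its own to make: whatever the client sends in `client_says_ok` is the outcome, so the only "fix" short of moving the check is to put something in front of the server that does the verification, which is what the external-authentication countermeasure above amounts to.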

Another example is SAP SRM, which companies use to run tender systems. As a result of one possible architectural misconfiguration, any supplier can gain access to other suppliers' tenders and can also upload a Trojan program into a competitor's network, which may then be used for industrial espionage.

“The majority of the examples considered in the report tell us that the security of ERP applications is at the level of a decade ago, and with the trend to expose business applications on the Internet for exchanging data between company branches or suppliers, all these systems have become accessible to a wide range of people seeking to use these loopholes for personal gain. Until now companies have spent millions of dollars eliminating SOD conflicts, and though that is an integral part of ERP security, the number of technical vulnerabilities is growing exponentially, as is the interest of attackers in these systems,” noted Alexander Polyakov.
