ERP Security. Myths, Problems, Solutions

Aug 16, 2015

Transcript
Page 1: ERP Security. Myths, Problems, Solutions

Invest in security to secure investments

ERP Security. Myths, Problems, Solutions

Alexander Polyakov, CTO, ERPScan

Page 2: ERP Security. Myths, Problems, Solutions

About ERPScan

• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

Page 3: ERP Security. Myths, Problems, Solutions

Intro

• ERP (Enterprise Resource Planning) is an integrated computer-based system used to manage internal and external resources including tangible assets, financial resources, materials, and human resources – Wikipedia

Page 4: ERP Security. Myths, Problems, Solutions

Intro

Business applications like ERP, CRM, SRM and others are one of the major topics within the scope of computer security, as these applications store business data, and any vulnerability in them can cause a significant monetary loss or even a stoppage of business.

Page 5: ERP Security. Myths, Problems, Solutions

Main Problems in ERP Security

• Complex structure (complexity kills security)
• Different vulnerabilities at all levels
• Inside a company (closed world)
• Rarely updated: administrators are afraid that systems can be broken during updates

Page 6: ERP Security. Myths, Problems, Solutions

Myths

Myth 1: Business applications are only available internally, which means no threat from the Internet
Myth 2: ERP security is a vendor's problem
Myth 3: Business application internals are very specific and are not known to hackers
Myth 4: ERP security is all about SOD

Page 7: ERP Security. Myths, Problems, Solutions

Myth 1: Business Applications are Only Available Internally

• Top management point of view – This myth is popular for internal corporate systems, and people think that these systems are only available internally
• Real life – Yes, maybe in the mainframe era with SAP R/2, and in some implementations of R/3, you could use SAP only internally, but not now in the era of global communications. As a minimum you need integration with:
  o Other offices
  o Customers and suppliers
  o For SAP systems, you need a connection to the SAP network

Even if you do not have a direct connection, there are user workstations connected to the Internet

Page 8: ERP Security. Myths, Problems, Solutions

Myth 1: Business Applications are Only Available Internally

It is necessary to bring together people who understand ERP security and people who understand the Internet, e-mail and the security of web services

Page 9: ERP Security. Myths, Problems, Solutions

Myth 1: Business Applications are Only Available Internally

Page 10: ERP Security. Myths, Problems, Solutions

Myth 2. ERP Security is a Vendor's Problem

From the point of view of the law:

• The vendor is NOT responsible for vulnerabilities in their products
• Business application security is the problem of the client

Page 11: ERP Security. Myths, Problems, Solutions

Myth 2. ERP Security is a Vendor's Problem

Vendor problems:
1. Program errors
2. Architecture errors

Client problems:
3. Implementation architecture errors
4. Defaults / misconfigurations
5. Human factor
6. Patch management
7. Policies / processes / etc.

From the technical point of view:

There can be so many failures even if the software is secure

Page 12: ERP Security. Myths, Problems, Solutions

Myth 3. Business Application Internals are not Known to Hackers

Current point of view:

• Mostly installed inside a company
• Not as popular among hackers as Windows or Apple products
• Closed world
• Security through obscurity

Page 13: ERP Security. Myths, Problems, Solutions

Myth 3. Business Application Internals are not Known to Hackers

Real life:

• Popular products are under attack by hackers, and are becoming more and more secure
• Business applications WERE closed, but over the last 5 years they have become more and more popular on the Internet
• And also popular with hackers and researchers (will be shown in the statistics later)
• Unfortunately, their security level is still like 3-5 years ago
• Now they look like a defenseless child in a big city

Page 14: ERP Security. Myths, Problems, Solutions

Myth 4. ERP Security is All about SOD

Current point of view:

• Many people, especially ERP people, think that security is all about SOD

Real life:

• Setting up AD access control does not give you a secure infrastructure
• Buying a new engine for your car every year will not help you if you simply puncture a wheel
• Also remember the Sachar Paulus interview that says: "other threat comes from people connecting their ERP systems to the Internet"

Page 15: ERP Security. Myths, Problems, Solutions

Myth 4. ERP Security is All about SOD

An ERP system with secure SOD and nothing else is much like spending all your money on video systems and biometric access control while leaving the back door open for housekeepers

Page 16: ERP Security. Myths, Problems, Solutions

Myth 4. ERP Security is All about SOD

Top 10 Application Implementation Problems (OWASP-EAS EASAI Top 10)

 #   Problem                                      Severity   Access
 1   Lack of patch management                     CRITICAL   REMOTE
 2   Default passwords for application access     CRITICAL   REMOTE
 3   SOD conflicts                                CRITICAL   LOCAL
 4   Unnecessary enabled application features     HIGH       REMOTE
 5   Open remote management interfaces            HIGH       REMOTE
 6   Lack of password lockout/complexity checks   MEDIUM     REMOTE
 7   Insecure options                             MEDIUM     REMOTE
 8   Unencrypted communications                   HIGH       REMOTE
 9   Insecure trust relations                     MEDIUM     LOCAL
10   Guest access                                 MEDIUM     REMOTE

Page 17: ERP Security. Myths, Problems, Solutions

Problems  


Page 18: ERP Security. Myths, Problems, Solutions

ERP Security Problems

Overall system security

Development:
• Architecture
• Program errors

Implementation:
• Architecture
• Configuration
• Patch management
• Policies
• Awareness

Control:
• Policies
• Security assessment
• Awareness
• SoD

Page 19: ERP Security. Myths, Problems, Solutions

Development Problems

Platform     Own technologies     Java                        Web           Other
SAP          ABAP/BSP             jsp/servlets/ejb/j2ee/rmi   html/js       C/wbs/sql
Oracle       BPEL/PLSQL           jsp/servlets/ejb/j2ee/rmi   html/js/cgi   C/wbs/sql
PeopleSoft   PeopleCode/PLSQL     jsp/servlets/ejb/j2ee/rmi   html/js/cgi   C/wbs/sql

The slide plots these along three axes: platforms, technologies, languages

Page 20: ERP Security. Myths, Problems, Solutions

Implementation Problems

• Different databases
• Different OS
• Different product versions
• Huge amount of customization
• Different architecture

Page 21: ERP Security. Myths, Problems, Solutions

Different Architecture

• Different mandates (SAP clients) on different instances on different physical servers
• Can be DEV, TEST or PROD
• Can have different modules such as SRM/PLM/CRM/ERP, connected in different ways to each other and to other systems
• Different DMZ / terminal server installations
• Add IM/LDAP/AD and other solutions to our architecture
• And even more

Page 22: ERP Security. Myths, Problems, Solutions

Different OS

OS popularity for SAP:

Windows NT - 28%
AIX - 25%
Linux - 19%
SunOS - 13%
HP-UX - 11%
OS/400 - 4%

Page 23: ERP Security. Myths, Problems, Solutions

Different Platforms

• ABAP or JAVA or BusinessObjects
• Only ABAP can be:
  - SAP R/3 4.6
  - SAP R/3 4.7 Enterprise
  - SAP NetWeaver 6.4
  - SAP NetWeaver 7.0
  - SAP NetWeaver 7.2
  - SAP NetWeaver 7.3
  - Also add-ons
  - Also industry solutions

Page 24: ERP Security. Myths, Problems, Solutions

Great Amount of Customization

• Approximately 40-60% of an ERP is custom code
• With its own vulnerabilities
• There can also be many custom items:
  – Authorization objects
  – Authorizations
  – Roles
  – Transactions
  – Programs
  – Etc.

If you have customized the system, you must have customized security solutions, which is much harder than checklist-like solutions

Page 25: ERP Security. Myths, Problems, Solutions

Solutions

Page 26: ERP Security. Myths, Problems, Solutions

How to Make a Secure ERP System in 5 Steps

• Develop secure software
• Implement it securely
• Teach administrators
• Increase user awareness
• Control the whole process

Page 27: ERP Security. Myths, Problems, Solutions

Introducing OWASP-EAS

• Develop secure software – OWASP Enterprise Business Application Security Vulnerability Testing Guide v0.1
• Implement it securely – Enterprise Business Application Security Implementation Assessment Guide
• Teach administrators – Our trainings
• Increase user awareness – SAP Security in Figures report
• Control the whole process – Tools

Page 28: ERP Security. Myths, Problems, Solutions

Introducing OWASP-EAS

• Need guides for developers and vulnerability testers to assess enterprise applications
• Sources:
  – We have OWASP – good, and focused mainly on web vulnerabilities
  – We have WASC – good, but focused on web
  – We have SANS 25 – good, but not about ERP
  – We have CWE – good, but too big
  – We have OSSTMM – good, but focused on assessing systems, not software
  – SAP/Oracle security guides – good, but too much information
• Result:
  – OWASP-EAS Enterprise Business Application Security Vulnerability Testing Guide v0.1

Page 29: ERP Security. Myths, Problems, Solutions

Introducing OWASP-EAS

• Analyze the most popular vulnerabilities in enterprise systems
• Create a TOP 10 list
• Collect information about examples, threats and countermeasures
• Release the guide
• After a year, go back to step 1

Page 30: ERP Security. Myths, Problems, Solutions

Enterprise Application Security Vulnerability Testing Guide

Page 31: ERP Security. Myths, Problems, Solutions

Top  10  


Page 32: ERP Security. Myths, Problems, Solutions

Examples

XSS
• There is an unlimited number of XSS in SAP
• The latest one at http://erpscan.com

Information Disclosure
• ORACLE Financials
  – /pls/DAD/find_web.ping
  – /OA_HTML/jsp/fnd/fndping.jsp
• SAP NetWeaver
  – /sap/public/info

Page 33: ERP Security. Myths, Problems, Solutions

Examples of Network Security

Improper access control / traversal (SAP NetWeaver)
• RFC functions can be called remotely
• You need a user and a password
• ALMOST ALL SAP administrators do not change the password for user SAPCPIC
• Using its credentials we can call the function that tries to read a file on our SMB share
• Gotcha! Hashes are stolen

Page 34: ERP Security. Myths, Problems, Solutions

Top 10 Frontend Vulnerabilities

Page 35: ERP Security. Myths, Problems, Solutions

Examples of Frontend Vulnerabilities

• Buffer overflow
  – Can be exploited to gain remote access to the user
  – Also format string and memory corruption
  – The latest one at http://www.exploit-db.com/exploits/14416/
  – NEW vulns are being patched now. Soon at http://erpscan.com/
  – Also other vulnerable ERPs

Page 36: ERP Security. Myths, Problems, Solutions

Examples of Frontend Vulnerabilities

• Hard-coded passwords (some ERPs, we don't spell names)
  – Very dangerous
  – Fat client with hard-coded passwords to the database
  – Checking of access rights is on the client side. They are exploited to gain remote access to the user
  – Exploited simply by sniffing the database connection and connecting directly with the stolen password
  – As a result we are DBA on the database

Page 37: ERP Security. Myths, Problems, Solutions

Enterprise Business Application Security Implementation Assessment

Page 38: ERP Security. Myths, Problems, Solutions

Enterprise Application Security Implementation Assessment

• Building a secure application is not enough
• Need to securely:
  – Install it
  – Configure it
  – Manage it

Page 39: ERP Security. Myths, Problems, Solutions

Enterprise Application Security Implementation Assessment

• Analyze the most critical areas of misconfiguration
• Group them
• Create a TOP 10 list
• Collect information about examples, threats and countermeasures
• Release the guide
• After a year, go back to step 1

Page 40: ERP Security. Myths, Problems, Solutions

Enterprise Application Security Implementation Assessment

Page 41: ERP Security. Myths, Problems, Solutions

Network  and  Architecture  


Page 42: ERP Security. Myths, Problems, Solutions

Examples of Network Security

Capture SAP traffic:

tcpdump -n -i eth0 'tcp[13] & 3 != 0 and ((tcp[2:2] >= 3200 and tcp[2:2] < 3300) or (tcp[2:2] >= 3600 and tcp[2:2] < 3700))'

(captures TCP segments with the SYN or FIN flag set and a destination port in the SAP ranges 3200-3299 or 3600-3699)

• Find a user and decode the password. The user has access to an XI system without business data
• Use the SM59 transaction, which shows all RFC connections. There was only one connection to the HR system, with hardcoded credentials
• The credentials were those of the remote RFC user created for data exchange
• This user, called ALEREMOTE, had SAP_ALL privileges

Page 43: ERP Security. Myths, Problems, Solutions

Operating Systems

Page 44: ERP Security. Myths, Problems, Solutions

OS Vulnerabilities: Access to Critical Files

There are many critical files on an SAP server that can be used by an unprivileged user to gain access to the SAP application:

• Database files (DATA + encrypted Oracle and SAP passwords)
  – /oracle/<DBSID>/sapdata/system_1/system.data1
• SAP config files (encrypted passwords)
  – /usr/sap/<SAPSID>/<Instance ID>/sec/*
  – /usr/sap/<SAPSID>/<Instance ID>/sec/sapsys.pse
• Configtool config files (encrypted database password)
  – \usr\sap\DM0\SYS\global\security\data\SecStore.properties
  – \usr\sap\DM0\SYS\global\security\data\SecStore.key
• J2EE trace files (plaintext passwords)
  – /usr/sap/<sapsid>/<InstanceID>/j2ee/cluster/dispatcher/log/defaultTrace.0.trc
• ICM config files (encrypted password)
  – \usr\sap\DM0\SYS\exe\uc\NTI386\icmauth.txt
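As an added example that is not part of the slides, a POSIX shell audit that checks whether the files listed above are readable by users other than their owner; the SID/instance defaults and the use of the SAPSYSTEMNAME variable are assumptions for illustration:

```shell
#!/bin/sh
# Added example, not from the slides: audit the SAP/Oracle files named above
# for permission bits that let an unprivileged local user read them.
# Assumes Linux with GNU stat. The SID/instance defaults and the use of the
# SAPSYSTEMNAME environment variable are assumptions for illustration.

# check_secret_file FILE
# Prints a finding and returns 1 if "other" can read FILE, returns 2 if FILE
# is missing, returns 0 otherwise (group-readable files get a warning only,
# because the SAP admin group may legitimately need them).
check_secret_file() {
    f="$1"
    [ -e "$f" ] || return 2
    mode=$(stat -c '%a' "$f")          # octal mode, e.g. 640 or 4755
    other=$(( mode % 10 ))              # last digit: permissions for "other"
    group=$(( (mode / 10) % 10 ))       # middle digit: permissions for group
    if [ $(( other & 4 )) -ne 0 ]; then
        echo "WORLD-READABLE $mode $f"
        return 1
    fi
    if [ $(( group & 4 )) -ne 0 ]; then
        echo "group-readable $mode $f (confirm the group is the SAP admin group)"
    fi
    return 0
}

# audit_sap_files [SAPSID] [INSTANCE] [DBSID]
# Walks the slide's file list with the placeholders filled in; returns 1 if
# any file is world-readable, 0 otherwise (missing files are only reported).
audit_sap_files() {
    sid="${1:-DM0}"                     # DM0 is the SID used on the slide
    inst="${2:-DVEBMGS00}"              # assumed instance directory name
    dbsid="${3:-$sid}"
    rc=0
    for f in \
        "/oracle/$dbsid/sapdata/system_1/system.data1" \
        "/usr/sap/$sid/$inst/sec/sapsys.pse" \
        "/usr/sap/$sid/SYS/global/security/data/SecStore.properties" \
        "/usr/sap/$sid/SYS/global/security/data/SecStore.key" \
        "/usr/sap/$sid/$inst/j2ee/cluster/dispatcher/log/defaultTrace.0.trc"
    do
        check_secret_file "$f" || case $? in
            1) rc=1 ;;
            2) echo "missing        $f (not installed here, or different path)" ;;
        esac
    done
    return $rc
}

# Run the audit when invoked on an SAP host where SAPSYSTEMNAME is set.
if [ -n "${SAPSYSTEMNAME:-}" ]; then
    audit_sap_files "$SAPSYSTEMNAME"
fi
```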

Page 45: ERP Security. Myths, Problems, Solutions

Database Vulnerabilities

Page 46: ERP Security. Myths, Problems, Solutions

Examples of Database Vulnerabilities

• Unnecessary enabled services – any database has them by default
  o Oracle – UTL_FILE, UTL_HTTP, UTL_TCP, etc.
  o MSSQL – master..xp_dirtree '\\fakesmb\share'
    – Can be used to steal credentials
    – ! ERPs run the database under their own service credentials, not under 'Network Service'

Page 47: ERP Security. Myths, Problems, Solutions

Application Vulnerabilities

Page 48: ERP Security. Myths, Problems, Solutions

Examples of Application Vulnerabilities

• Default passwords – any ERP installs with predefined passwords
  o For the application
  o For the database
  o Sometimes for the OS
  – Most of them are well known
  – Will be published at OWASP

Page 49: ERP Security. Myths, Problems, Solutions

SAP default passwords

• FOR application
• FOR database – SAPR3/SAP
  – + Oracle defaults in older versions

Page 50: ERP Security. Myths, Problems, Solutions

PeopleSoft default passwords

• FOR application (many)
  – FEDTBHADMN1/FEDTBHADMN1
  – FEDTBHADMN1/FEDTBHMGR01
  – FEDTBHMGR02/FEDTBHMGR02
  – HAM/HAM
  – etc.
• For database
  – Peop1e/Peop1e
  – PS/PS
  – Sysadm/sysadm
  – + Oracle defaults in old versions

Page 51: ERP Security. Myths, Problems, Solutions

Oracle EBS default passwords

• FOR application (many)
  – ANONYMOUS, APPMGR, ASGADM, ASGEST, AUTOINSTALL, FEDER SYSTEM, GUEST, ADMIN, IBEGUEST, IEXADMIN, SYSADMIN, etc.
• FOR database
  – OUTLN, SYSTEM, MDSYS, CTXSYS, AOLDEMO, APPLSYS, APPS, APPLSYSPUB, OLAPSYS, SCOTT, PO

Page 52: ERP Security. Myths, Problems, Solutions

Examples of Application Vulnerabilities

Remote management interfaces

• Example of SAP (others have the same problems)
• There is web RFC access
• Google it: /sap/bc/webrfc
• All RFC features are possible
• Plus something more, including DoS/SMB relay
• Details later on http://erpscan.com
• Remote pwnage is possible

Page 53: ERP Security. Myths, Problems, Solutions

Frontend Vulnerabilities

Page 54: ERP Security. Myths, Problems, Solutions

Lack of encryption (in SAP)

Page 55: ERP Security. Myths, Problems, Solutions

Examples of Frontend Vulnerabilities

Insecure distribution service

• Example of SAP (others have the same problems)
• SAPGUI is often distributed from a corporate file server
• Often this share is available to any user
• Configuration files and distributives can be overwritten
  – Insert a Trojan
  – Redirect to fake servers

The same problems arise when using terminal services
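As an added example that is not part of the slides, a shell integrity baseline for the SAPGUI distribution share described above: it records SHA-256 digests of everything on the share and later reports files that were modified, added or removed, so an overwritten installer or configuration file is noticed before it reaches user workstations. GNU coreutils are assumed, and the share mount point and baseline path are placeholders.

```shell
#!/bin/sh
# Added example, not from the slides: integrity baseline for a SAPGUI
# distribution share. Assumes Linux/GNU coreutils (find, sort, xargs,
# sha256sum) and awk; the paths in the usage comment are assumed placeholders.
# The baseline file must be stored somewhere the share's users cannot write.

# make_baseline DIR
# Prints "<sha256>  <relative path>" for every regular file under DIR,
# in a stable order, so the output can be saved as the baseline.
make_baseline() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# verify_baseline DIR BASELINE
# Prints one line per difference (MODIFIED / ADDED / REMOVED <path>) and
# returns 1 if anything differs, 0 if the share still matches the baseline.
verify_baseline() {
    make_baseline "$1" | awk -F'  ' -v base="$2" '
        BEGIN {
            bad = 0
            # load the saved digests: old[path] = digest
            while ((getline line < base) > 0) {
                split(line, f, "  ")
                old[f[2]] = f[1]
            }
        }
        {
            seen[$2] = 1
            if (!($2 in old))        { print "ADDED    " $2; bad = 1 }
            else if (old[$2] != $1)  { print "MODIFIED " $2; bad = 1 }
        }
        END {
            for (p in old)
                if (!(p in seen))    { print "REMOVED  " p; bad = 1 }
            exit bad
        }'
}

# Typical use (paths are assumptions):
#   make_baseline /srv/sapgui-share > /var/lib/sapgui-baseline.sha256
#   verify_baseline /srv/sapgui-share /var/lib/sapgui-baseline.sha256
```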

Page 56: ERP Security. Myths, Problems, Solutions

Increase Awareness

Page 57: ERP Security. Myths, Problems, Solutions

Enterprise Application Vulnerability Statistics 2009

"In this document we will show the result of statistical research in the business application security area made by ERPScan and the OWASP-EAS project. The purpose of this document is to raise awareness about enterprise business application security by showing the current number of vulnerabilities found in these applications and how critical they can be"

• Analyzed systems
  – ERP systems
  – Business frontend software
  – Database systems
  – Application servers
• Analyzed resources
  – http://securityfocus.com, http://exploit-db.com
  – http://cwe.mitre.org, http://cvedetails.com
  – http://oracle.com, http://sdn.sap.com, http://ibm.com

Page 58: ERP Security. Myths, Problems, Solutions

Enterprise Application vulnerability statistics

More than 150 vulnerabilities per year

Page 59: ERP Security. Myths, Problems, Solutions

Enterprise Database vulnerability statistics

Page 60: ERP Security. Myths, Problems, Solutions

SAP Vulnerabilities

Growing

Page 61: ERP Security. Myths, Problems, Solutions

Growing interest

• The number of found vulnerabilities grows – greetings to all companies in the application security area
• The number of talks about ERP security at conferences grows – 2006 (1), 2007 (1), 2008 (2), 2009 (3), 2010 (10!)
• And also companies pay more attention to this area – the SAP security response team is growing every year

This area is becoming popular. We really need automatic tools for ERP security assessment, for pentesters and for administrators

Page 62: ERP Security. Myths, Problems, Solutions

Need for Automation

What we have done:
• Sapsploit and Sapscan – tools for pentesting and trojaning SAP users
• ERPSCAN Online – free service for assessing SAP frontend security
• ERPSCAN Security Scanner for SAP – enterprise application for solving the full range of problems in SAP solutions

Page 63: ERP Security. Myths, Problems, Solutions

ERPSCAN – Security Scanner for SAP

• Corporate scanner for assessing the security of SAP systems
• Checking for misconfigurations, public vulnerabilities, 0-days, compliance with standards, and metrics
• Checking both ABAP and JAVA instances, more than 400 checks
• Whitebox scanning to prevent possible damage
• Additional engine for checking existing vulnerabilities without exploiting them
• Extended knowledge base for all checks with detailed descriptions and countermeasures collected by ERPScan experts
• ERPSCAN.COM

Page 64: ERP Security. Myths, Problems, Solutions

Conclusion about ERP Security

• ERP security is not a myth
• It is becoming more popular for BlackHats and WhiteHats
• There is a need to create guidelines and increase awareness in this area
• OWASP-EAS calls for volunteers with a background in this area
• ERP security is very complex, and if you are ready to do it 24/7, then do it
• If you cannot, leave it to professionals