Pierluigi Paganini May 28, 2015

SAP Security experts discovered a number of unpatched vulnerabilities and weaknesses in Oracle PeopleSoft that could be exploited to obtain admin passwords.

The SAP security experts, Alexander Polyakov and Alexey Tyurin, revealed that Oracle PeopleSoft contains unpatched vulnerabilities and weaknesses that could be exploited by attackers to obtain admin passwords. The impact of such vulnerabilities is serious, more than 7000 companies use PeopleSoft solutions according the experts that highlighted that about half of the Fortune 100 are among the customers of the company.unpatched vulnerabilities and weaknesses that could be exploited by attackers to obtain admin passwords. The impact of such vulnerabilities is serious, more than 7000 companies use PeopleSoft solutions according the experts that highlighted that about half of the Fortune 100 are among the customers of the company.

The hackers discovered that PeopleSoft encrypted credential can be extracted from the TokenID used by the password recovery sites, anyway broke the encryption used to protect them is quite easy by using a cheap graphical processing unit.

Oracle admitted the existence of the bug only in its demo system excluding any problem in production systems, but the experts explained that the flaws affects also a number of PeopleSoft production implementations.

“There are multiple default credentials in PeopleSoft itself and Weblogic Application server,” Polyakov says. “While Oracle telling us that this problem is only for a demo system, we disagree as we saw production implementations during our penetration tests where those default passwords exist.” “Not every implementation is vulnerable, but some of them definitely vulnerable, and those are not only demo installations.”

An attacker could obtain administrator privileges by brute-forcing the special node-password which uses SHA1.

“What’s more, attackers in some cases don’t need to have a user account to get a cookie-token since some public web pages such as password recovery or job forms pages generate tokens automatically forms,” he says.

Some PeopleSoft installations use standard default settings, really too easy for attackers!

“The only way now is set very strong password for the node, or change it to certificate authentication instead of password authentication. Those changes will require some configuration especially if customer use multiple nodes, and of course they will need to turn off systems for some time to reconfigure it,” he says.

Another disconcerting aspect of the vulnerabilities affecting the PeopleSoft solutions is that they could be exploited in order to hack connected applications

Tyurin remarked the poor state of security for PeopleSoft solutions and explained the importance to have people involved in vulnerability assessment and penetration testing to evaluate the level of security for the applications.

“While cyber criminals are exploiting existing security flaws, companies don’t know the methodology for testing their PeopleSoft applications against vulnerabilities, especially architectural ones,” Tyurin says.

Pierluigi Paganini

(Security Affairs – PeopleSoft , security)