ERP Security 2016: Vulnerabilities, Threats and
Dmitry, Lead ERP security analyst, ERPScan (@_chipik)
#RSAC
Agenda
Introduction
SAP Security
Oracle E-Business Suite security
Conclusion
Apply it
Introduction
CISOs' responsibilities
Espionage
To steal financial or HR data, supplier and customer lists, or disclose corporate secrets.
Sabotage
To cause denial of service, counterfeit financial records and accounting data, or access the technology network (SCADA).
Fraud
To carry out false transactions or modify master data.
Competitors
Head-hunters
Industrial spies
Trade secret thieves
SAP Security
Latest news
[Timeline of SAP security news items, 2012 to 2015]
Complex
Highly customized
Risky to update
Closed nature
http://www.theregister.co.uk/2013/06/18/sap_users_slack_slow_and_backward_on_security/
Top 10 vulnerabilities
Cross-site scripting
Missing authorization
SQL injection
Information disclosure
Cross-site request forgery
Denial of service
Code injection
Other
Hardcoded credentials
[Bar chart: number of vulnerabilities per type, axis 0 to 800]
3700+ in all SAP products; 1300+ in basic components, which are the same for every system; about 350 in ECC modules.
More details here: https://goo.gl/Hr144b
YES!
Germany
The Netherlands
Where?
ABAP: Dispatcher, Gateway, ICM
JAVA: HTTP, P4, LogViewer
We compromise 10 out of 10 SAP servers using these issues during our SAP security audits
At a glance
One of the core SAP services
Disabled by default!
In the latest versions SAP provides the profile parameter gw/acl_mode=1
DEMO
Execution of an OS command if the ACL is missing
Enable gw/logging
Patch according to the latest security notes
Additional platform
Base platform for IT stuff:
SAP Portal, SAP XI, SAP Solution Manager, SAP NWDS
Purpose: Integration of different systems
If compromised:
Stoppage of all connected business processes
Fraud
Industrial espionage
Easy steps:
Restrict access to the Gateway port / implement GW ACLs
Disable Invoker Servlet
Restrict access to P4 and TREXnet ports
Restrict access to ALL unnecessary services
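As an added example (not from the slides or from ERPScan), a small Python check that reads an SAP instance profile and reports whether the two gateway settings recommended above are in place: gw/acl_mode set to 1 and gw/logging configured. The profile text is constructed for this example; the parameter names are real SAP profile parameters.

```python
"""Check an SAP instance profile for the gateway hardening recommended above:
gw/acl_mode = 1 (gateway ACL enforced) and gw/logging configured."""
from typing import Dict, List

# Constructed sample: an instance profile that has not been hardened yet.
PROFILE_UNHARDENED = """\
# instance profile (constructed example, not from a real system)
SAPSYSTEMNAME = ERP
INSTANCE_NAME = DVEBMGS00
gw/acl_mode = 0
"""

# Constructed sample: the same profile after applying the easy steps.
PROFILE_HARDENED = """\
SAPSYSTEMNAME = ERP
INSTANCE_NAME = DVEBMGS00
gw/acl_mode = 1
gw/logging = ACTION=Ss LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines. Lines starting with '#' are comments; the
    value itself may contain '=' (gw/logging does), so split on the first '=' only."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank, comment or malformed line
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit_gateway(params: Dict[str, str]) -> List[str]:
    """Return findings for the two gateway parameters; [] means both are met."""
    findings: List[str] = []
    acl_mode = params.get("gw/acl_mode")
    if acl_mode is None:
        findings.append("gw/acl_mode not set: on older kernels the gateway ACL "
                        "is disabled by default")
    elif acl_mode != "1":
        findings.append(f"gw/acl_mode = {acl_mode}: gateway ACL not enforced")
    if not params.get("gw/logging"):
        findings.append("gw/logging not set: gateway activity is not logged")
    return findings


if __name__ == "__main__":
    for label, text in (("unhardened", PROFILE_UNHARDENED),
                        ("hardened", PROFILE_HARDENED)):
        print(label, audit_gateway(parse_profile(text)) or ["OK"])
```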
Conclusion
Oracle Security
Used in:
Automotive
More than:
15000+ JSP pages
11600 OA Framework pages
4000 Oracle Forms and other Core Servlets, Web Services Servlets
Still:
Complex
Risky to update
Unknown
Latest News
How many vulnerabilities were found?
[Chart: number of EBS vulnerabilities per quarter, April 2011 to October 2016; y-axis 0 to 90]
JAVA
.NET
HTML
XML
Database accounts
[Diagram: Desktop tier, Applications, Database. Attacker steps: 1. Using the default Business Logic account; 2. Gaining access to applications with access to the DB; 5. Sending a request to the Inquirer; 5. Stealing private data]
[Diagram: Desktop tier, Application tier, Database tier (sqlnet). Attacker steps: 1. Using a default Database account; 2. Stealing private data]
DEMO
Gain Administrator privileges via the
"FND : Diagnostics %" profile
Conclusion:
Security-related goals:
Compliance with external laws and regulations
Managed business risks
Business service continuity and availability
ERP Security Capabilities:
Predict: prepare for the future
Prevent: avoid incidents from occurring
Detect: identify incident activities and, potentially, an intruder
React: fix, correct, recover and learn
Choose controls
Prevent: minimize attack surface; monitor vulnerabilities
Detect: recognize incidents; handle incidents
React: remediate vulnerabilities; report compliance
[Diagram: Vulnerability Management cycle: Predict, Prevent, Detect, React]
How to Start?
5. Track Effectiveness
Final Takeaways
Summary