
PeopleSoft has security flaws that allow hackers to easily get admin passwords


May 28, 2015


Security researchers Alexander Polyakov and Alexey Tyurin, who specialise in SAP systems, revealed today that Oracle's PeopleSoft software contains critical, unpatched vulnerabilities and weaknesses that can allow attackers to obtain root admin passwords, among other abuses.

Overall, the researchers say PeopleSoft credentials can be extracted from the TokenID issued by password-recovery pages and cracked in under a day on a low-cost graphics processing unit (GPU).

That is possible because of weak key-generation practices, which force system administrators to use very long passwords unless they are running the latest PeopleSoft releases, Polyakov says.

Oracle has been contacted for comment but has not yet responded.

"There are already multiple default credentials in PeopleSoft's software itself and Weblogic Application server," Polyakov added.

"While Oracle has told us in the past that this issue is only for a demo system, we disagree with the company as we saw several production implementations during our penetration tests where those default passwords still exist out in the wild."

"However, not every implementation is vulnerable, but some of them are definitely exposed to risks of attacks, and those are not only demo installations," he added.

Polyakov added that a potential attacker could gain root administrator privileges simply by brute-forcing the special node password, whose protection relies on SHA-1.

"Worse, attackers in some cases don't even need to have a user account to get a cookie-token since some public web pages such as password recovery or job forums' pages generate tokens automatically," he says.

Other PeopleSoft installations still carry unchanged, universally known default passwords, which makes cracking unnecessary.

"The only way now to get around these security issues is to set very strong passwords for the affected node, or to simply change it to certificate authentication instead of password authentication. Those changes will require some configuration, especially if the customer uses multiple nodes, and of course they will still need to turn off systems for some time to reconfigure it," he says.

To some observers in the enterprise IT segment, these holes indicate that the security of Oracle's PeopleSoft software is in its worst shape in five to six years, and that Oracle needs to address the issues soon.

Polyakov points out that more than 7,000 companies use PeopleSoft including about 51.4 percent of the Fortune 100 companies globally.

Tyurin and Polyakov work as professional penetration testers with a focus on SAP software. Tyurin says the scarcity of research on the platform leaves several companies unable to assess their general state of security.

"While cyber criminals are busy exploiting existing security flaws, companies don't know the methodology for testing their PeopleSoft applications against security vulnerabilities, especially architectural ones," Tyurin added.

He says the SAP platform can often grant easy access to connected applications, and that is one of the many critical security issues that can greatly affect companies and their related departments.

Source: Alexander Polyakov and Alexey Tyurin.

Copyright © Internet Security.ca