ERP: Bulletproof No More

By Larry Barrett  |  Posted 2003-04-07

Chuck Moore is too busy ironing out the installation of an upgrade to his company's human resources software to worry about network security.

That's what makes the discovery of a security flaw in PeopleSoft software alarming. Moore is vice president of human resources information and administration at WellPoint Health Networks, which is in the process of putting in place PeopleSoft 8.3 for HR.

Internet Security Systems Inc., a software security and analysis firm based in Atlanta, reported a flaw in March on PeopleSoft's Web server that could be exploited by hackers looking to gain access to the databases of a company like WellPoint, one of the nation's largest health care networks.

The flaw was found in a feature that handled the transfer of PeopleSoft reports to and from a repository on a Web server. "We always are on the watch for issues surrounding documents on our Web server," says Moore. "In this case, this particular feature wasn't something we use so I just passed it on to my security team. But it was the first (problem) I'd ever seen regarding network security" and a piece of enterprise software.

Technology executives better get used to it. Although security flaws in desktop operating systems get a lot of attention, security experts predict holes in key corporate applications, such as enterprise resource planning software, will become increasingly exposed. The PeopleSoft discovery represents only the first widely reported example of vulnerabilities that reside within enterprise applications that store, transport and update critical data that is accessed in some fashion from the Internet, says Gartner Inc. analyst Chad Eschinger.

In the PeopleSoft incident, the security hole was found within the code used for a small program called "SchedulerTransfer" that resides on the PeopleSoft Web server. The small program, also called a servlet, is used to move reports back and forth from a report directory on the server. Since the servlet sits on a server, the server and its contents can be vulnerable to access through the hole.

The hole wouldn't have been such a security issue had the program not been configured to run by default. That means the flawed servlet is up and running, unless a system administrator specifically turns it off.

Worse, the servlet did not require any user authentication to access or upload report files, according to ISS. PeopleSoft officials say no customer files were compromised, but ISS engineers asserted that hackers could have easily gained access. From there, the intruder could:

  • Order other applications or "executables" be transferred from the company's server, download them and then put them to use
  • Create and overwrite files elsewhere on the server.
  • Replace legitimate servlets with illegitimate versions
  • Add other programs that would allow them to execute commands and controls remotely

Bottom line: The most sensitive data in a company's enterprise servers could be available to anyone with a keyboard, a browser and a Web connection.

"We were notified by PeopleSoft about this problem and we were very concerned," says one information systems manager at a PeopleSoft account who spoke on the condition of anonymity. "It's disturbing to know this vulnerability existed, but it's not terribly surprising."

The vulnerability was found in several iterations of PeopleTools, including versions 8.1 to 8.18, version 8.40 and version 8.41. PeopleTools are used to develop, enhance and compliment applications.

Within a month of finding this particular flaw, PeopleSoft developed a patch customers could download from their Customer Connection Web site. PeopleSoft officials said none of the customers who were vulnerable to the attack reported any intruders to their files or servers.?">

Caveat Customers?

Vendors contend it's up to individual customers to secure their systems and disable the functions—which could provide openings to would-be hackers—that they aren't going to use.

"We found that nobody had called our customer service center about this particular problem," says Paola Lubet, vice president of technology marketing at PeopleSoft. "In any case, we offered the information to our customers. But it was pretty much like, 'If you don't want to be burnt, don't pour hot coffee on your knees.' "

That's easier said than done. By tying together supply chain, human resources, finance and customer relationship management functions across an organization, an enterprise's resource planning (ERP) system provides increasingly fertile ground for hackers to try to compromise.

"We believe there are going to be many more examples like this with other ERP applications in the near future," says John Pescatore, a security analyst at Gartner. "Now that the ISSs and other security consultants are turning their attention away from operating systems and to more business applications, I'm sure we'll see more. As more and more applications are getting exposed on the Internet, this is likely to become a much more serious issue."

Neel Mehta, a research engineer at X-Force, Internet Security's research arm, says his group has increased its scrutiny of ERP applications in the wake of the PeopleSoft discovery.

"We can't comment on the specific vendors we're looking into for similar security problems," he says. "But it's safe to say ERP is an area of concern."

X-Force's database of potential security vulnerabilities reported 164 references for Oracle and 10 for SAP in the past year. The common thread: unlocked gateways to data on a server that provides services to Web users; and, functions that aren't turned off when not in use.

Oracle and SAP officials weren't available for comment on how they are addressing security of enterprise software that they market.?">

More ERP Problems Ahead?

"I'm wondering just how much we'll hear about other ERP security problems down the road mainly because they're not as widely deployed as, for example, a Windows operating system," says Johannes Ullrich, a data specialist for Bethesda, Md.-based System Administration and Network Security (SANS). "A lot of these exploitations will be handled under wraps. If a competitor has access to your ERP applications, they pretty much know everything about your company."

In February, the British security firm Next-Generation Security Software discovered significant flaws in Oracle's latest database software release, including four critical buffer overflows in its Oracle 9i Release 2. Buffer overflows occur when an application does not handle memory correctly. By causing a buffer overflow, a hacker can edit or add code into the execution of an application.

Mehta says ISS will be posting notices of other vulnerabilities in other enterprise applications. In the meantime, technology executives should look at their applications and identify functions that run either by default and or can be accessed from the Internet. Information systems administrators also face the challenge of "bulletproofing" the system against default settings that could expose their data in the highly likely event that other coding flaws exist on software that interacts with their Web server.

Pescatore says the software vendor is largely to blame. "It's really a case of sloppy programming by the vendor," says Pescatore. "As we've seen with Microsoft, if customers do enough complaining the vendor will have no choice but to improve the security by eliminating some of these default settings."

Microsoft, which has long been berated for buggy code and security flaws in both its operating system software and servers, has already announced that its next version of its SQL data server, "Yukon," will by default disable all public access to "tables," where rows and columns of information are kept.

"This is the type of thing Oracle and PeopleSoft and SAP are going to have to start doing if they're ever going to get companies to spend the money on upgrades or to invest in an ERP system in the first place," Pescatore says.

Rick Beers, director of supply chain technology at Corning Inc., says the complexity of installing, maintaining and securing enterprisewide applications across his company's technology architecture makes the process of discovering and patching security holes daunting.

"We have 19 different production incidents of PeopleSoft running here and while we've seen some improvement in the way PeopleSoft informs us about these issues, there's a lot of room for improvement," Beers says. "It's no secret that there are still fundamental flaws in the delivery of software in the ERP industry."

Companies will now have to get vigilant about protecting their enterprises from infiltration, as they conduct more and more business with customers and partners over the Web. SANS' Ullrich notes that "anytime you take code written for a semi-controlled internal environment and expose it to the public at large, you're going to get hackers trying to attack it."

But even alert organizations won't be able to anticipate each and every contingency created when a company integrates and manages all of its crucial business processes over the Internet.

"As we deploy, we're going to find out," what the holes are, says Ben Golub, senior vice president, security division, at Verisign in Mountain View, Calif. "We don't find out until we deploy."