PeopleSoft Authentication Vulnerabilities Affect Higher Ed Apps
A researcher from Palo Alto-based ERPScan found numerous critical issues in PeopleSoft software, including issues with authentication protocols, default server credentials and the single sign-on process, as Threatpost.com reported. The vulnerabilities were presented at a Hack in the Box conference in Amsterdam last week.
Oracle’s PeopleSoft applications provide several different business management solutions, including:
- Human Resource Management Systems (HRMS)
- Financial Management Solutions (FMS)
- Supply Chain Management (SCM)
- Customer Relationship Management (CRM)
- Enterprise Performance Management (EPM)
The apps largely serve the education, computing/IT and manufacturing sectors.
The single sign-on (SSO) issue proved to be the most serious. SSO lets a user reach other applications after authenticating only once. After a user is authenticated by one PeopleSoft app, an in-memory (session) cookie, PS_TOKEN, is set in the browser, and the next app accepts that cookie as the user’s credential, according to Oracle.
But the researcher found that any user can escalate their account to administrator. The token carries a SHA-1 hash that covers the public token fields plus a shared Node password, so a user who holds their own valid token already knows every input except the password and can brute force it locally, offline, against that hash; an inexpensive GPU card is enough. Once the Node password is known, the attacker simply creates a new token for an administrator account, and the receiving app accepts it. According to the researcher, the Node password is hashed with plain SHA-1, with a slightly different salt size.
That’s right, it’s the cryptographic hash algorithm that has been known to be considerably weaker than it was designed to be since 2005, nine years ago, when the first practical collision attacks were published. Certificate authorities (CAs) have begun to issue SHA-2 certificates to replace SHA-1. Google Chrome is also supporting the migration, stating that SHA-1’s use on the Internet has been deprecated since 2011, following NIST’s deprecation of the algorithm for government use in 2010. Note that the token attack does not even rely on those collision weaknesses: a short secret hashed with any fast general-purpose hash, SHA-1 or SHA-2, falls to GPU guessing, so the real fix is a long random secret (or a deliberately slow password hash), not merely a newer digest.
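To make the SSO weakness concrete, here is an added Python model. It is not PeopleSoft code and not the researcher’s exploit: the token layout, field names, separator, sample user IDs and timestamps are assumptions chosen for illustration and are constructed data. It shows why a fast hash over a short shared secret can be cracked offline from one captured token, how the recovered secret then signs a token for any user, and the hardened alternative: an HMAC keyed with a random 256-bit secret that leaves nothing guessable.

```python
import hashlib
import hmac
import itertools
import secrets

# ASSUMPTION: a simplified token layout "user|lang|timestamp|signature".
# This is an illustrative model, not the real PS_TOKEN format.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
SEP = "|"


def weak_sign(user_id, lang, timestamp, node_password):
    """Weak scheme: fast, unsalted SHA-1 over public fields plus the shared secret."""
    msg = SEP.join([user_id, lang, timestamp, node_password]).encode()
    return hashlib.sha1(msg).hexdigest()


def make_weak_token(user_id, lang, timestamp, node_password):
    """Token = public fields + SHA-1 signature, like an SSO cookie."""
    sig = weak_sign(user_id, lang, timestamp, node_password)
    return SEP.join([user_id, lang, timestamp, sig])


def parse_token(token):
    user_id, lang, timestamp, sig = token.split(SEP)
    return user_id, lang, timestamp, sig


def verify_weak(token, node_password):
    user_id, lang, timestamp, sig = parse_token(token)
    return hmac.compare_digest(sig, weak_sign(user_id, lang, timestamp, node_password))


def crack_node_password(token, alphabet=ALPHABET, max_len=4):
    """Offline brute force: every field except the node password is readable
    from the token, so each guess costs one SHA-1 and needs no server traffic.
    A GPU does billions of these per second; pure Python manages ~10^6/s."""
    user_id, lang, timestamp, sig = parse_token(token)
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if weak_sign(user_id, lang, timestamp, guess) == sig:
                return guess
    return None


def forge_token(node_password, user_id, lang="ENG", timestamp="1401443700"):
    """Once the shared secret is known, a token for any user ID can be minted."""
    return make_weak_token(user_id, lang, timestamp, node_password)


def strong_sign(user_id, lang, timestamp, key):
    """Hardened scheme: HMAC-SHA256 under a random 256-bit key. There is no
    human-chosen secret to guess, so hash speed no longer matters."""
    msg = SEP.join([user_id, lang, timestamp]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_strong_token(user_id, lang, timestamp, key):
    return SEP.join([user_id, lang, timestamp, strong_sign(user_id, lang, timestamp, key)])


def verify_strong(token, key):
    user_id, lang, timestamp, sig = parse_token(token)
    return hmac.compare_digest(sig, strong_sign(user_id, lang, timestamp, key))


def demo():
    """Capture a low-privilege user's own token, crack the secret offline,
    forge an administrator token, then show the hardened scheme resisting tampering."""
    victim = make_weak_token("jdoe", "ENG", "1401443700", "node")  # constructed sample cookie
    recovered = crack_node_password(victim)  # short secret: seconds even in pure Python
    forged = forge_token(recovered, "ADMIN")  # "ADMIN" is an assumed privileged user ID
    key = secrets.token_bytes(32)
    strong = make_strong_token("jdoe", "ENG", "1401443700", key)
    tampered = strong.replace("jdoe", "ADMIN", 1)  # change the user, keep the old signature
    return {
        "recovered": recovered,
        "forged_accepted": verify_weak(forged, "node"),
        "strong_ok": verify_strong(strong, key),
        "tampered_rejected": not verify_strong(tampered, key),
    }


if __name__ == "__main__":
    print(demo())
```

The cracking loop is the whole story: because the signature is a fast hash and the attacker already holds every other input, the server never sees a single failed login. Lengthening the alphabet or the secret only buys time against a GPU rig; replacing the guessable password with a random key, as `strong_sign` does, removes the search space entirely.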
Oracle has yet to patch the SSO issue.
Another issue is a weak authentication protocol that allows a local user to escalate privileges and gain access to the application and its database; Oracle has patched this one. The researcher acknowledges that patching both client and server apps can be challenging, particularly in larger organizations with thousands of client installations.
Yet another issue is the use of default credentials in PeopleSoft and its WebLogic application server. Oracle has since removed default passwords from new versions of the software.
Default credentials and the ability to escalate privileges are problematic when it comes to access security, obviously. But using an independent authentication system can help prevent attackers from gaining access via brute force. Two-factor authentication reduces the value of a guessed or stolen password by requiring a physical device to log in, which protects PeopleSoft apps that otherwise rely on credentials alone for access.
Used with a firewall plugin that filters traffic to PeopleSoft apps, two-factor authentication challenges users to authenticate using their smartphones or a token. Learn more about how Duo Security pairs with GreyHeller’s ERP firewall to protect PeopleSoft Apps for higher education and commercial companies in Two-Factor Authentication for PeopleSoft Apps & Higher Education.