The international conference ZeroNights was held in Moscow on November 19 and 20, organized by ERPScan and Careerlab. One of the main themes of the conference was the security of enterprise applications, which store and process confidential corporate data. ERP systems, which hold information about finances, employees, materials, wages, and so on, are rightfully considered the most critical of these systems: unauthorized access to them can lead to espionage, sabotage, or fraud.
Other examples of systems critical to a company's security are Single Sign-On solutions, covered by Andrey Petukhov, and Enterprise Service Bus (ESB) solutions, described by Alexander Polyakov, CTO of ERPScan.
Andrey described various threats to Identity Management applications: once such a system is compromised, the attacker gains access to every critical application integrated with it. Using OpenAM as the example, the researcher demonstrated a range of vulnerabilities that give complete control over the authentication system, including the currently popular attack vector SSRF (Server-Side Request Forgery, in which the server is induced to make requests to hosts of the attacker's choosing, typically ones reachable only from inside the network). Besides the vulnerabilities themselves, the researcher presented a utility that significantly simplifies SSRF attacks and is therefore very useful in penetration tests.
Alexander Polyakov explained in his talk “How I will break your enterprise” that ESBs are deployed in nearly every large enterprise to support data exchange between various business applications. The catch is that they also connect the company’s network to those of contractors, partners, banks, tax offices, and other companies. One of the attack vectors presented at the conference is to compromise the network of a small, poorly protected company and then attack the ESB of a large partner corporation over the trusted integration link in order to penetrate its supposedly protected network.
The talk covered known problems in IBM WebSphere MQ and SAP PI as well as new findings on the Microsoft BizTalk bus.
“Microsoft BizTalk got a lot of attention because this solution is frequently used in the banking sector. Service buses have a lot of peculiarities in terms of security assessment because they have more custom code and settings and much fewer default settings than standard business applications like ERP systems. An Enterprise Service Bus is basically a framework for an individually developed integration system. If restrictions are set improperly or if there are development errors related to document conversion, then route forgery attacks are possible, resulting in unauthorized access to trusted resources, as well as a range of SSRF attacks. Moreover, the complexity of integration can lead to, for example, a lack of encryption so that critical data is transmitted in clear text. It is crucial to understand that, due to the great amount of customization and small amount of default settings, efficient assessment of such an application can only be conducted manually, because the system itself does not have a lot of vulnerabilities, so patch management or third-party security solutions can protect the basic system at best but not the custom code,” Alexander notes.
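The route-forgery and SSRF pattern that both talks touch on (a destination chosen by whoever submits the message, and a bus or SSO server that then connects to it) can be shown in a few lines. The following is an added example written for this page; it is not code from either talk, from OpenAM, or from any ESB product. The route names, hostnames and messages are constructed for illustration.

```python
"""Toy integration router: trusting a destination carried in the inbound
message (vulnerable) versus resolving a named route server-side and
validating the resulting URL (hardened).  Constructed example; the route
table, hostnames and messages below are invented for illustration."""
import ipaddress
from urllib.parse import urlsplit

# Server-side route table: the only places this integration may forward to.
ROUTE_TABLE = {
    "bank-payments": "https://payments.bank.example/api/v1/transfer",
    "tax-office": "https://efile.tax.example/submit",
}
ALLOWED_HOSTS = {urlsplit(u).hostname for u in ROUTE_TABLE.values()}
ALLOWED_SCHEMES = {"https"}  # clear-text HTTP is not an acceptable route


class RoutingError(ValueError):
    """Raised when a message cannot be routed safely."""


def forward_vulnerable(message):
    """Vulnerable pattern: the bus trusts a destination URL carried in the
    message itself.  A partner who can submit a message therefore decides
    where the bus connects (route forgery) and can aim it at hosts that are
    only reachable from the bus (SSRF)."""
    return message["destination"]


def host_is_internal(host):
    """True if `host` is an IP literal in a loopback, private, link-local,
    multicast, reserved or unspecified range.  Names are left to the
    allowlist check; this only stops literal addresses such as 127.0.0.1,
    10.0.0.5, ::1 or 169.254.169.254."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_destination(url, allowed_hosts=ALLOWED_HOSTS):
    """Check a destination URL before the bus opens a connection to it.
    Returns the URL unchanged or raises RoutingError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise RoutingError(f"scheme {parts.scheme!r} not allowed in {url!r}")
    # .hostname strips userinfo and IPv6 brackets, so
    # 'https://payments.bank.example@10.0.0.5/' is seen as 10.0.0.5,
    # not as the allowlisted name that precedes the '@'.
    host = (parts.hostname or "").lower()
    if not host:
        raise RoutingError(f"no host in {url!r}")
    if host_is_internal(host):
        raise RoutingError(f"internal address {host!r} in {url!r}")
    if host not in allowed_hosts:
        raise RoutingError(f"host {host!r} is not an allowed destination")
    return url


def is_safe_destination(url):
    """Convenience wrapper: True if validate_destination accepts `url`."""
    try:
        validate_destination(url)
    except RoutingError:
        return False
    return True


def forward_hardened(message):
    """Hardened pattern: the message may only *name* a route.  The bus looks
    the name up in its own table, ignores any URL the message carries, and
    still validates the result, since the table is operator-edited config."""
    route = message.get("route")
    if route not in ROUTE_TABLE:
        raise RoutingError(f"unknown route {route!r}")
    return validate_destination(ROUTE_TABLE[route])


if __name__ == "__main__":
    # Constructed message from a "partner" that also smuggles a destination.
    forged = {"route": "bank-payments",
              "destination": "http://127.0.0.1:8161/admin"}
    print("vulnerable router connects to:", forward_vulnerable(forged))
    print("hardened router connects to:  ", forward_hardened(forged))
    for candidate in ("http://169.254.169.254/latest/meta-data/",
                      "https://payments.bank.example@10.0.0.5/",
                      "http://[::1]/", "https://efile.tax.example/submit"):
        print(f"{candidate!r:50} safe={is_safe_destination(candidate)}")
```

The allowlist is what actually stops a name-based SSRF (an attacker-controlled hostname that resolves to an internal address); the IP-literal check is a second layer for hand-written or converted routes, and the scheme check covers the clear-text transmission problem the quote mentions.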
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.