Today Oracle released its first Critical Patch Update of 2018, the first of four in the year (one per quarter). Included patched bugs in Oracle E-Business Suite this month are two critical vulnerabilities that were found by Onapsis Research Labs.
This Critical Patch Update (CPU) is also special because there was some news that got the attention of the general security community, regarding active exploitation of Oracle applications last week. First of all, attacks on Oracle applications have been published and we have analyzed the impact it could have to business-critical applications.
The 237 vulnerabilities released today affect 20 different Oracle groups of products and 64% of these product are business-critical applications. The following graph summarizes the Oracle business-critical applications affected in this CPU where the bars represent the CVSS average for each product, the numbers represent the count of vulnerabilities and the dots represent the maximum CVSS:
Seven vulnerabilities from this CPU were fixed in Oracle E-Business Suite (EBS), a product our team has been researching for years. The two most critical of those seven vulnerabilities were originally reported by the Onapsis Research Labs, including two SQL Injections (CVE-2018-2655 and CVE-2018-2656) tagged as critical vulnerabilities, with CVSS v3 9.1.
Both vulnerabilities are unauthenticated vulnerabilities and affect the security triad confidentiality, integrity and availability completely. Regarding confidentiality, an attacker could execute an arbitrary query in the database to get information such as credit cards, customer information, supplier information, etc. Affecting the integrity, an attacker could modify invoice prices in the database and, regarding availability, could be affected by removing some configuration table or executing a procedure that could cause the database corruption.
Previous bugs being exploited in the wild: Oracle E-Business Suite server can also be affected
A few days ago SANS Institute published a blog post about a campaign using a WebLogic exploit to deploy Monero miner. In a second blog post, it was confirmed that Oracle PeopleSoft servers were attacked and it gives more details about the miner and the attack itself: there is an estimation that attackers could have made $250,000 dollars through crypto mining. The vulnerability CVE-2017-10271, that was patched in an Oracle 2017 CPU (it was a second version of CVE 2017-3506 patched in April 2017), exists in SOAP services which receive some XML payload without the proper sanitization. While a vulnerability is the lack of control or absence of protection, an exploit is the piece of code that actually takes advantage of the vulnerability. According to SANS, the attack used a public exploit that was published in December 2017. When properly executed, it allows an unauthenticated attacker to perform a Remote Command Execution in WebLogic Servers.
Oracle mentions the SANS publication in the CPU release:
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”
Because Weblogic, as a part of middleware stack, is used in several Oracle applications, we thought it would be a good idea to confirm how other applications might be affected by the same exploit. Based on our experience, and the fact that it is one of Oracle’s applications that host the most critical information, our team researched how this vulnerability behaves in Oracle E-Business Suite (EBS). Onapsis Research Labs has confirmed that Oracle E-Business Suite can be affected with the same vulnerability/exploit of this specific attack.
What could an attacker do after a successful exploitation? Once properly executed, the exploit gives the attacker full operating system command, with a high privileged user (APPLMGR), so several attacks can be performed that can affect all confidentiality, integrity and availability of information.
For example, in the following image an attacker can read a report through a console with a successful exploitation:
Any report can be read once the server is accessed. As can be seen, the same report can be read through the application by a valid user in the system:
Once into the server, an attacker has full access to a remote console and can execute files, including installation of malicious code, such as Crypto Miners (as demonstrated in the SANS article), but also rootkits or even ransomware files. Though it is not common, in some companies with bad practices or dev/testing servers, the presence of a database in the same server could lead to higher risks if a ransomware attack is performed in a server with the database installed (for example, well-known ransomware Petya encrypts .dbf files if found).
In the following image you can see how an attacker can delete a file. Using another command (such as rm -rf), the whole application can be deleted causing a full Denial Of Service attack. Speaking with an EBS App DBA consultant, he told us that in that case, based on most of the implementations he has seen, he “could have restored a daily backup after a few hours”. The thing is that, “the offline time impact and lost information since last backup could have been huge in some scenarios.”
Even if a company has the OS Authentication enabled, an attacker can directly access the database without the need of any other post-exploitation attack. If that’s not the case, an attacker can easily get database user and passwords by simply taking a look at the bash history. It will be highly probable that some script has included the username and password in the past (in that case, both “apps”).
Also, an attacker with full access to the system can modify both HTML or Forms, being able to change application behaviour or adding spying, rootkit or even failure to the affected system. In the latter cases, integrity would be fully compromised, opening up more options for an attacker to compromise a company’s information.
What does a Crypto Miner say about business-critical application security?
After reading the SANS Institute article, there were a few questions in our heads. What is this attack telling us? What does a crypto miner say about cybercriminals? We think there’s a few interesting conclusions that can be made.
We all know cyberattackers are mostly looking for money (directly or indirectly). Once a business-critical application is compromised, is a crypto miner the best decision in order to gain more money? Initially, we would say “no”. Despite that a server should have good resource for crypto mining, usually this kind of application stores the ‘crown jewels’ of the company. If PeopleSoft stores all HR information, what about EBS, that can also store business, sales and financial data, among others? Initially, we can say that some attackers are still touching the ground in terms of attacking this kind of application. Despite targeted attacks or advanced persistent threats that have been made against these applications for a while, it seems that less experienced attacks are used to abuse using public exploits but attackers are still not fully aware of the damage that can be made against a business-critical application.
This type of attacks confirms how easy it could be for a company to suffer an incident like this one and it is imperative that companies aim to improve security before attackers can improve their techniques and impact.
While Cryptocurrency Mining is a hot topic, the even bigger issue is that this exploit allows an attacker to get access to an Oracle ERP system, which could have more significant impacts and data loss than Crypto Coins.
If you are an Oracle user, be sure you install the last patches as soon as possible. Read the Oracle E-Business Suite Critical Patch Update Knowledge Document and implement the following patches for versions 12 through adop or adpatch commands:
- Patch 27040860: ORACLE APPLICATIONS RELEASE 12.2: CPU PATCH FOR JAN 2018
- Patch 27040859: ORACLE APPLICATIONS RELEASE 12.1:CPU PATCH FOR JAN 2018
For each Critical Patch Update for EBS, Oracle provides two patches, one for its version 12.1 and the other for version 12.2. Customers need to download the file that matches the installed version. By installing the last patch, this will include fixes for the previous critical bugs that were also described both here and in the SANS Institute publication.
Business-critical application security is getting more attention from cyber criminals, so stay tuned to our blog for further details, news and analysis. The next CPU is scheduled for April and as always we will publish our summary and comments to keep you as safe as possible.