By now, just about everybody knows about the Capital One breach. But what InfoSec and ERP admin teams may not know is just how vulnerable their most critical business applications might be to the same attack.
Both SAP and the Oracle E-Business Suite (EBS) can be susceptible to the same class of vulnerability that recently caused the Capital One breach if previously released patches are not applied. According to Brian Krebs in his recent blog post, “What We Can Learn from the Capital One Hack,” one of the primary causes of the breach was a misconfigured Web Application Firewall (WAF). The WAF, identified by Brian Krebs as the open-source WAF ModSecurity, did not have rules enabled for Server Side Request Forgery (SSRF).
SSRF is a well-known tactic for exploiting web applications. The Onapsis Research Labs has been credited by Oracle with several SSRF CVEs specifically for Oracle EBS. The most recent was in Oracle’s July 2019 CPU: CVE-2019-2828, found by Onapsis, has a CVSS score of 9.6 out of 10, which is rated critical. More details about this CVE can be found in our blog post on Oracle’s July CPU.
Oracle EBS is not the only ERP system with SSRF vulnerabilities: CVE-2018-2445 is an example of a critical CVSS 9.6 SSRF vulnerability in SAP (BusinessObjects). There were a total of three SSRF CVEs in 2018 for SAP. SAP has addressed these vulnerabilities in previous SAP Notes, SAP Note 2655250 and SAP Note 2680834.
In Brian Krebs’ article, he quotes Evan Johnson, Manager of the Product Security Team at Cloudflare, stating “SSRF has become the most serious vulnerability facing organizations that use public clouds.” SSRF represents a serious issue for any organization that has deployed Oracle EBS or SAP in the cloud, and it is your responsibility to immediately apply the security patches supplied by both Oracle and SAP.
Furthermore, ModSecurity, the same WAF that Capital One was using, is encouraged by Oracle to be enabled for Oracle EBS. As with all security tools, ModSecurity when properly configured and used can be an excellent contribution to an overall defense-in-depth solution for Oracle EBS.
What Should Oracle EBS and SAP Users Do Now?
For organizations using Oracle EBS and SAP, especially those with ERP modules exposed to the Internet or hosted in private or public clouds, the Capital One breach warrants immediate attention. It should be fully expected that the success of the Capital One breach will encourage other threat actors to attempt the same exploits. InfoSec and ERP admin teams should verify whether they are using a WAF and whether the WAF has rules for SSRF. More importantly, clients should verify that all vendor patches are applied, especially those fixing SSRF vulnerabilities.
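As an added illustration of what an SSRF rule in a WAF or application-layer filter has to decide (example code written for this post, not ModSecurity's rule set, an Oracle or SAP component, or Onapsis's product), the check below refuses user-supplied URLs whose destination is loopback, link-local or private address space, fails closed on unknown hosts, and is run over constructed request lines; the resolver table, sample log and parameter name `url` are assumptions.

```python
import ipaddress
from urllib.parse import urlparse, parse_qs

# Destination ranges an SSRF rule should refuse for any user-supplied URL:
# loopback, link-local (where cloud metadata services answer) and private space.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
# Constructed resolver table so the example runs offline. A real rule resolves DNS
# and must check every address a name maps to, not only the first one returned.
FAKE_DNS = {"partner.example.com": ["203.0.113.10"],
            "dual.example.com": ["203.0.113.11", "10.0.0.5"],  # public + private
            "localtest.example": ["127.0.0.1"]}

def resolve(host):
    try:
        return [str(ipaddress.ip_address(host))]  # literal IPv4/IPv6: no lookup
    except ValueError:
        return FAKE_DNS.get(host, [])

def ssrf_verdict(url):
    """Return (blocked, reason) for one user-supplied URL; unknown hosts fail closed."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return True, "scheme %r not allowed" % (parts.scheme or "<none>")
    host = parts.hostname  # lower-cased; IPv6 brackets already stripped
    addrs = resolve(host) if host else []
    if not addrs:
        return True, "missing or unresolvable host %r" % host
    for addr in addrs:
        if any(ipaddress.ip_address(addr) in net for net in BLOCKED_NETWORKS):
            return True, "%s -> %s is in a blocked range" % (host, addr)
    return False, "ok"

SAMPLE_LOG = [  # constructed request lines, not real traffic
    "GET /app/fetch?url=https%3A%2F%2Fpartner.example.com%2Freport HTTP/1.1",
    "GET /app/fetch?url=http%3A%2F%2F127.0.0.1%2F HTTP/1.1",
    "POST /app/proxy?url=http%3A%2F%2Flocaltest.example%2F HTTP/1.1",
    "GET /app/health HTTP/1.1"]

def scan_requests(lines=SAMPLE_LOG, param="url"):
    """Apply the rule to each request line; return (line, reason) for blocked ones."""
    hits = []
    for line in lines:
        tokens = line.split()
        if len(tokens) > 1 and tokens[0] in ("GET", "POST"):
            for value in parse_qs(urlparse(tokens[1]).query).get(param, []):
                blocked, reason = ssrf_verdict(value)
                if blocked:
                    hits.append((line, reason))
    return hits
```

A production deployment would add a host allowlist for the few destinations the ERP integration genuinely needs, since blocking known-bad ranges alone still leaves the outbound request under attacker control.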
How Can Onapsis Help?
The Onapsis platform protects your ERP systems from SSRF attacks by verifying that patches are installed, ensuring secure configuration baselines meet recommended best practices, and monitoring systems to detect suspicious activity.
To find out if your Oracle EBS or SAP systems are vulnerable to SSRF, contact Onapsis about a Business Risk Illustration, a complimentary risk assessment that identifies critical vulnerabilities in your ERP systems that can impact security and compliance. Also, if you are attending Black Hat 2019, stop and see us at booth #700, and at Oracle Open World, booth #408!