Top Oracle E-Business Suite Security Vulnerabilities Christeen Russell, Crowe Horwath

Learn About the Top Oracle E-Business Suite Security Vulnerabilities


Page 1

Top Oracle E-Business Suite Security Vulnerabilities

Christeen Russell, Crowe Horwath

Page 2

Christeen Russell

• Senior Manager in the Technology Risk Group at Crowe Horwath
• Technology audit and implementation capabilities include:
  • Oracle E-Business Suite 11i & R12
  • Great Plains 10
  • Microsoft CRM 4.0 & 2011
• Certified Public Accountant (CPA) – Illinois & New York
• Certified Information Systems Auditor (CISA)

Page 3

Crowe Risk Consulting

We have more than 1,100 experienced practitioners with geographic, functional, and industry expertise.

Crowe Horwath Global Risk Consulting has been named a “Challenger” by Gartner, Inc., in the “Magic Quadrant for Global Risk Management Consulting Services”, by Jacqueline Heng and John A. Wheeler. The full report can be reviewed at www.crowehorwath.com/gartner

Page 4

Objectives

1. Amplify the participants’ overall Oracle EBS security awareness

2. Share knowledge and experiences in securing Oracle EBS

3. Provide a detailed list of commonly overlooked Oracle EBS security vulnerabilities, the risk each poses, and how to fix or mitigate each

Page 5

Top Security Concerns

• Seeded (default/generic) application accounts with known passwords (30+)
• Seeded database accounts with known passwords (200+)
• AZN menus
• Seeded responsibilities and menus
• Delegation authority and proxy users
• Direct database access through the application
• Defense against cross-site scripting (XSS), HTML injection attacks, and parameter and URL tampering
• Weak default password settings
• Password setting "overrides"
• Protecting sensitive information
• Sensitive administrative pages

Page 6

Why are These Top Security Concerns?

• Issues commonly seen in Oracle EBS environments
• Most are free and/or not complex to address
• Relevant to various releases
• Not well known

Page 7

What are the Risks?

• Unauthorized access (to data and configuration settings), adversely affecting transaction processing and data integrity
• Data exfiltration and leakage
• Non-compliance with regulations (SOX, PCI DSS/PA-DSS, HIPAA, etc.)
• Non-compliance with company policy
• Potential to commit fraud
• Reputational harm

Page 8

Privileged & Generic IDs

Page 9

ID Overview

Layer | Seeded accounts
Oracle EBS | 30+ seeded "generic" user IDs, e.g. APPSMGR, IBEGUEST, GUEST, SYSADMIN, WIZARD
Oracle Database | 200+ database accounts, e.g. APPS, APPLSYS, SYS, SYSTEM, plus 100+ product schema accounts
Operating System | oracle, applmgr

Oracle ships seeded accounts with widely known default passwords!

Page 10

Privileged & Generic IDs

• Passwords are published on the internet and are typically "welcome", "Oracle", or the same as the ID, e.g.:
  • MOBADM password is MOBADM
  • ASGADM password is welcome
• Some IDs have privileged access
• New accounts are automatically added during upgrades, e.g.:
  • 12.2.2 – GHG, APPS_NE
  • 12.1.0 – DDR, DPP, INL, MTH, QPR, RRS
  • 12.0.4 – IZU
  • 12.0.0 – DNA, GMO, IBW, IPM, JMF

Page 11

Seeded IDs – Application Level

ID | Purpose | Change Password | Disable Account
AME_INVALID_APPROVER | AME workflow migration 11.5.9 to 11.5.10 | Yes | Yes
ANONYMOUS | FND/AOL – Anonymous for non-logged-in users | Yes | Yes
APPSMGR | Routine maintenance via concurrent requests | No^ | Yes
ASADMIN | Application Server Administrator | No^ | Yes
ASGADM | Mobile gateway related products | Yes | Yes*
ASGUEST | Sales Application guest user | Yes | Yes*
AUTOINSTALL | AD | Yes | Yes
CONCURRENT MANAGER | FND/AOL: Concurrent Manager | Yes | Yes
FEEDER SYSTEM | AD – Supports data from feeder system | Yes | Yes

^ It is not possible to log in as this user unless you change the password.

* Do not disable while the corresponding product is in use: Mobile Sales, Service and Mobile Core Gateway components (ASGADM), the Sales Application (ASGUEST), or iStore (the IBE_* and IBEGUEST accounts on the next slide).

Page 12

Seeded IDs – Application Level (continued)

ID | Purpose | Change Password | Disable Account
GUEST | Guest application user | Yes | No
IBE_ADMIN | iStore Admin user | Yes | Yes*
IBE_GUEST | iStore Guest user | Yes | Yes*
IBEGUEST | iStore Guest user | Yes | Yes*
IEXADMIN | Internet Expenses Admin | Yes | Yes
INDUSTRY DATA | Used for PCI Security Demo | No^ | Yes
INITIAL SETUP | AD | Yes | Yes
IRC_EMP_GUEST | iRecruitment Employee Guest Login | Yes | Yes
IRC_EXT_GUEST | iRecruitment External Guest Login | Yes | Yes
MOBADM | Mobile Applications Development | Yes | Yes
MOBILEADM | Mobile Applications Admin | Yes | Yes
MOBILEDEV | Mobile Applications Development | Yes | Yes

^ It is not possible to log in as this user unless you change the password.

* Required while iStore is in use.

Do not disable the GUEST account.

Page 13

Seeded IDs – Application Level (continued)

ID | Purpose | Change Password | Disable Account
OP_CUST_CARE_ADMIN | Customer Care Admin for Oracle Provisioning | Yes | Yes
OP_SYSADMIN | OP (Process Manufacturing) Admin User | Yes | Yes
ORACLE12.0.0 to ORACLE12.9.0 | Owner for release-specific seed data | No^ | No
PORTAL30 | Oracle Portal and Portal Single Sign-On (desupported) | Yes | Yes
PORTAL30_SSO | Oracle Portal and Portal Single Sign-On (desupported) | Yes | Yes
STANDALONE BATCH PROCESS | FND/AOL | Yes | Yes
SYSADMIN | Application Systems Admin | Yes | No
WIZARD | AD Application Implementation Wizard | Yes | Yes
XML_USER | Gateway | Yes | Yes

^ It is not possible to log in as this user unless you change the password.

Do not disable the SYSADMIN account.

Page 14

Other Generic ID’s – Application Level

• Search for other generic IDs in the users table (FND_USER)
• Write a SQL statement to identify users with:
  • no END_DATE
  • no EMPLOYEE_ID, and/or
  • LAST_LOGON_DATE greater than a certain date
• This greatly narrows down the user list you have to review
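The FND_USER query the slide describes, written out as an added example (it is not part of the presentation). It lists the seeded accounts from the preceding slides that are still able to log in, together with any other active account that has no employee, customer or supplier linked to it (the usual signature of a shared or generic login), and shows when each was last used and whether its password ever expires. It assumes it is run as APPS (or a user with SELECT on APPS.FND_USER); the 90-day idle threshold and the "nobody linked to the login" heuristic are audit choices, not Oracle rules.

```sql
-- Added example (not from the presentation): inventory of seeded and possibly
-- generic application accounts in FND_USER. Assumptions: run as APPS or a user
-- with SELECT on APPS.FND_USER; the seeded list is the one on the preceding
-- slides; the 90-day idle threshold and the "no person behind the login"
-- heuristic are audit choices, not Oracle rules.
WITH seeded AS (
  SELECT column_value AS user_name
  FROM   TABLE(sys.odcivarchar2list(
           'AME_INVALID_APPROVER', 'ANONYMOUS', 'APPSMGR', 'ASADMIN', 'ASGADM',
           'ASGUEST', 'AUTOINSTALL', 'CONCURRENT MANAGER', 'FEEDER SYSTEM', 'GUEST',
           'IBE_ADMIN', 'IBE_GUEST', 'IBEGUEST', 'IEXADMIN', 'INDUSTRY DATA',
           'INITIAL SETUP', 'IRC_EMP_GUEST', 'IRC_EXT_GUEST', 'MOBADM', 'MOBILEADM',
           'MOBILEDEV', 'OP_CUST_CARE_ADMIN', 'OP_SYSADMIN', 'PORTAL30', 'PORTAL30_SSO',
           'STANDALONE BATCH PROCESS', 'SYSADMIN', 'WIZARD', 'XML_USER'))
)
SELECT u.user_name,
       CASE WHEN s.user_name IS NOT NULL
              OR u.user_name LIKE 'ORACLE12.%'         THEN 'SEEDED'
            WHEN u.employee_id IS NULL
             AND u.customer_id IS NULL
             AND u.supplier_id IS NULL                THEN 'GENERIC?'  -- nobody linked to the login
            ELSE 'NAMED' END                           AS account_type,
       CASE WHEN u.last_logon_date IS NULL            THEN 'NEVER'
            WHEN u.last_logon_date < SYSDATE - 90     THEN 'IDLE>90D'
            ELSE 'RECENT' END                          AS last_use,
       u.last_logon_date,
       u.password_lifespan_days,                      -- NULL here means "never expires"
       u.password_lifespan_accesses,
       u.creation_date
FROM   apps.fnd_user u
       LEFT JOIN seeded s ON s.user_name = u.user_name
WHERE  (u.end_date IS NULL OR u.end_date > SYSDATE)   -- still able to log in
AND    (   s.user_name IS NOT NULL
        OR u.user_name LIKE 'ORACLE12.%'
        OR (u.employee_id IS NULL AND u.customer_id IS NULL AND u.supplier_id IS NULL))
ORDER  BY account_type, u.last_logon_date NULLS FIRST, u.user_name;
```

GUEST and SYSADMIN will always be listed as active, which is expected since the slides say not to disable them; for those two the finding to check is the password (changed from the default, with FNDCPASS for the application user), not the end date. Every other SEEDED row that shows NEVER or IDLE>90D is a candidate for end-dating, and every GENERIC? row needs an owner or an end date.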

Page 15

Seeded IDs – Database Level

Schema | Purpose | Change Password
SYS | Initial schema in any Oracle database | Yes
SYSTEM | Initial DBA user | Yes
DBSNMP, SYSMAN, MGMT_VIEW | Used for database status monitoring | Yes
SCOTT | Oracle database demo account | Yes, and lock the account
SSOSDK | Single Sign-On SDK | Yes
JUNK_PS, MDSYS, ODM_MTR, OLAPSYS, ORDPLUGINS, ORDSYS, OUTLN, OWAPUB, MGDSYS | (no purpose listed) | Yes
PORTAL30_DEMO, PORTAL30_PUBLIC, PORTAL30_SSO_PS, PORTAL30_SSO_PUBLIC | Oracle Login Server and Portal 3.0.9 with E-Business Suite 11i | Yes, and lock PORTAL30_DEMO if using 11i; otherwise lock all
PORTAL30, PORTAL30_SSO | Oracle Login Server and Portal 3.0.9 with E-Business Suite 11i | Yes, and lock the schemas if not using 11i
CTXSYS | Used by Online Help and CRM service products for indexing knowledge base data | Yes

Page 16

Seeded IDs – Database Level (continued)

Schema | Purpose | Change Password
EDWREP | Embedded Data Warehouse metadata repository | Yes; if not using Embedded Data Warehouse, lock and expire EDWREP
ODM | Oracle Data Mining | Yes
APPLSYSPUB | Verifies the username/password combination and records the success or failure of a login attempt (R12 only) | Yes (must be all upper case)
APPLSYS | Contains shared APPS objects | Yes, use a long secure password
APPS | Runtime user for E-Business Suite; owns all of the applications code in the database | Yes, use a long secure password
APPS_MRC | Obsolete account | Yes, use a long secure password
AD_MONITOR, EM_MONITOR | Oracle Applications Manager uses this schema to monitor running patches; although the default password for AD_MONITOR is 'lizard', the schema is created locked and expired | Yes

Page 17

Seeded IDs – Database Level (product schemas)

ABM AHL AHM AK ALR AMF AMS AMV AMW AP AR ASF

ASG ASL ASN ASO ASP AST AX AZ BEN BIC BIL BIM BIS BIV

BIX BNE BOM BSC CCT CE CLN CN CRP CS CSC CSD CSE CSF

CSI CSL CSM CSP CSR CSS CUA CUE CUF CUG CUI CUN CUP

CUS CZ DDD DDR DNA DOM DPP EAA EAM EC ECX EDR EGO

ENG ENI EVM FA FEM FII FLM FPA FPT FRM FTE FTP FUN FV

GCS GL GHG GMA GMD GME GMF GMI GML GMO GMP GMS GR

HR HRI HXC HXT IA IBA IBC IBE IBP IBU IBW IBY ICX IEB

IEC IEM IEO IES IEU IEX IGC IGF IGI IGS IGW IMC IMT INL

INV IPA IPD IPM ISC ITA ITG IZU JA JE JG JL JMF JTF JTM JTS

LNS ME MFG MRP MSC MSD MSO MSR MST MTH MWA OE

OKB OKC OKE OKI OKL OKO OKR OKS OKX ONT OPI OSM

OTA OZF OZP OZS PA PFT PJI PJM PMI PN PO POA POM PON

POS PRP PSA PSB PSP PV QA QOT QP QPR QRM RG RHX RLA

RLM RRS SSP VEA VEH WIP WMS WPS WSH WSM XDO XDP

XLA XLE XNB XNC XNI XNM XNP XNS XTR ZFA ZPB ZSA ZX

• By default the password is the same as the schema name
• Change all of these schema passwords
• 200+ DB schemas ship with Oracle EBS; new schemas are created during upgrades
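The database-level counterpart of the application account check, as an added example (not from the presentation). The first statement lists every account that is not locked, marks the ones Oracle EBS registered in FND_ORACLE_USERID (APPS, APPLSYS, APPLSYSPUB and the product schemas above) and flags any that the database itself knows to have a default password. The second generates lock-and-expire DDL for the database-supplied accounts the previous slides say to lock when unused. It assumes a DBA session on Oracle Database 11g or later (DBA_USERS_WITH_DEFPWD). One caveat worth knowing: DBA_USERS_WITH_DEFPWD checks the database's own default passwords; it does not know the EBS convention "password = schema name", so the product schemas still have to be changed unconditionally, and with FNDCPASS (or AFPASSWD on later releases) rather than ALTER USER, because the application resolves those passwords through FND_ORACLE_USERID and a plain ALTER USER breaks it.

```sql
-- Added example (not from the presentation): database-level review of the
-- seeded schemas. Assumptions: run as a DBA; Oracle Database 11g or later
-- (DBA_USERS_WITH_DEFPWD); APPS.FND_ORACLE_USERID is read only to tell
-- EBS-registered schemas (APPS, APPLSYS, APPLSYSPUB, product schemas) from
-- database-supplied ones. DBA_USERS_WITH_DEFPWD knows the database's own
-- default passwords; it does not check the EBS convention "password = schema name".
SELECT du.username,
       du.account_status,
       du.created,
       CASE WHEN fo.oracle_username IS NOT NULL THEN 'EBS-REGISTERED' ELSE 'OTHER' END AS origin,
       CASE WHEN dp.username IS NOT NULL THEN 'DEFAULT PASSWORD!' END              AS finding
FROM   dba_users du
       LEFT JOIN dba_users_with_defpwd  dp ON dp.username        = du.username
       LEFT JOIN apps.fnd_oracle_userid fo ON fo.oracle_username = du.username
WHERE  du.account_status NOT LIKE '%LOCKED%'          -- open, or expired but not locked
ORDER  BY finding NULLS LAST, origin, du.username;

-- Lock-and-expire DDL for the database-supplied accounts the slides say to lock
-- when they are not in use (review the list against what this instance actually
-- uses before running it). EBS-registered schemas are deliberately absent: the
-- application resolves their passwords through FND_ORACLE_USERID, so they must be
-- changed with FNDCPASS (AFPASSWD on later releases) and never locked with ALTER USER.
SELECT 'ALTER USER "' || username || '" ACCOUNT LOCK PASSWORD EXPIRE;' AS ddl
FROM   dba_users
WHERE  username IN ('SCOTT', 'PORTAL30_DEMO', 'PORTAL30_PUBLIC',
                    'PORTAL30_SSO_PS', 'PORTAL30_SSO_PUBLIC', 'EDWREP')
AND    account_status NOT LIKE '%LOCKED%';
```

SYS and SYSTEM appear in the first result on purpose: they cannot be locked, so the control for them is the password change and activity logging the slides describe.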

Page 18

Control Seeded ID’s

• Change the password and disable the account where recommended
• Changed passwords should be "sealed" (held under dual control, e.g. in a sealed envelope or vault, and not used routinely)
• For accounts whose password cannot be changed and/or that cannot be disabled, log the activity performed using the accounts (manual logins)
• Set up alerts or perform periodic reviews of that activity
• Consult Oracle Metalink Note 403537.1

Page 19

Restricted Access & Segregation of Duties

Page 20

Restricted Access & Segregation of Duties

• Defined as users with too much or conflicting access
• Risks:
  • Unauthorized transactions, erroneous transactions, or fraudulent activity
  • Users who combine access to modify system configuration settings with business transaction execution access increase the risk that application controls dependent on those configuration settings will be circumvented
  • Data leakage or exfiltration
• So let's discuss:
  • AZN menus
  • Seeded menus and responsibilities
  • Delegation authority
  • Proxy users

Page 21

Process Tab / AZN

• Click an icon to gain immediate access to the associated form
• In this example, the user most likely has "end-to-end" access in the purchase-to-payments process

(Screenshot: traditional way to access functions vs. Process tab access)

Page 22

Process Tab / AZN - continued

• Potential segregation of duties conflicts!
• NOTE: many do not know this additional access exists.

Example of a menu with an AZN submenu (menus are assigned to responsibilities): (screenshot)

Page 23

Exclude AZN Submenus

(Screenshot: menu exclusion on the responsibility definition)

However… let's consider the next topic.

Page 24

AZN Menus

Exist for the GL, AP, AR, Inventory, PO and Order Management menus

Page 25

Seeded Menus & Responsibilities

• Should not be used, nor copied and renamed
• They are not "perfect" and may also contain AZN menus, leading to:
  • Excessive access
  • Segregation of duties conflicts
• Example: the seeded Receivables Inquiry responsibility is not limited to view-only; it can also:
  • Create auto adjustments
  • Write off receipts
  • Open and close periods
• Patches and upgrades may re-introduce these issues if standard menus are in use
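Because an AZN submenu can sit several levels below a responsibility's top menu, checking for it by eye is unreliable. The following added example (not from the presentation) walks every active responsibility's menu tree, reports each AZN submenu it reaches, whether a menu exclusion on that responsibility actually blocks the path (an exclusion on any ancestor menu counts), and how many active users hold the responsibility. It assumes an APPS session, that AZN menus are recognisable by a MENU_NAME starting with 'AZN' (the naming convention the slides describe), and bounds the walk at 20 levels with NOCYCLE so a looping menu definition cannot hang the query.

```sql
-- Added example (not from the presentation): active responsibilities whose menu
-- tree reaches an AZN (Process tab) submenu, whether a menu exclusion on that
-- responsibility blocks it, and how many active users hold the responsibility.
-- Assumptions: run as APPS; AZN menus are recognised by MENU_NAME starting with
-- 'AZN' (the naming the slides describe); the walk is bounded at 20 levels and
-- uses NOCYCLE so a looping menu definition cannot hang it.
WITH menu_paths AS (
  -- one row per (responsibility root menu -> ... -> submenu) path
  SELECT CONNECT_BY_ROOT me.menu_id                               AS root_menu_id,
         me.sub_menu_id                                           AS leaf_menu_id,
         SYS_CONNECT_BY_PATH(TO_CHAR(me.sub_menu_id), '/') || '/' AS path,  -- '/id/id/.../'
         LEVEL                                                    AS depth
  FROM   apps.fnd_menu_entries me
  WHERE  me.sub_menu_id IS NOT NULL                 -- keep submenu hops, drop function leaves
  START WITH me.menu_id IN (SELECT r.menu_id FROM apps.fnd_responsibility r)
  CONNECT BY NOCYCLE PRIOR me.sub_menu_id = me.menu_id
         AND LEVEL <= 20
),
azn_paths AS (
  SELECT r.responsibility_id, r.application_id, p.leaf_menu_id, p.depth,
         -- a menu exclusion anywhere on the path (the AZN menu itself included) blocks this path
         CASE WHEN EXISTS (SELECT 1
                           FROM   apps.fnd_resp_functions x
                           WHERE  x.responsibility_id = r.responsibility_id
                           AND    x.application_id   = r.application_id
                           AND    x.rule_type        = 'M'
                           AND    p.path LIKE '%/' || x.action_id || '/%')
              THEN 1 ELSE 0 END                                   AS excluded
  FROM   menu_paths p
         JOIN apps.fnd_menus m
           ON m.menu_id = p.leaf_menu_id
          AND m.menu_name LIKE 'AZN%'
         JOIN apps.fnd_responsibility r
           ON r.menu_id = p.root_menu_id
          AND (r.end_date IS NULL OR r.end_date > SYSDATE)
)
SELECT rt.responsibility_name,
       m.menu_name                                                AS azn_menu,
       MIN(a.depth)                                               AS depth,
       CASE WHEN MIN(a.excluded) = 0 THEN 'REACHABLE' ELSE 'EXCLUDED' END AS state,
       COUNT(DISTINCT ur.user_id)                                 AS active_users
FROM   azn_paths a
       JOIN apps.fnd_responsibility_tl rt
         ON rt.responsibility_id = a.responsibility_id
        AND rt.application_id   = a.application_id
        AND rt.language         = USERENV('LANG')
       JOIN apps.fnd_menus m ON m.menu_id = a.leaf_menu_id
       LEFT JOIN apps.fnd_user_resp_groups_direct ur
         ON ur.responsibility_id             = a.responsibility_id
        AND ur.responsibility_application_id = a.application_id
        AND (ur.end_date IS NULL OR ur.end_date > SYSDATE)
GROUP  BY rt.responsibility_name, m.menu_name
ORDER  BY state DESC, active_users DESC, rt.responsibility_name;
```

A responsibility shows REACHABLE when at least one path to the AZN menu survives the exclusions, which is the case that matters: excluding the submenu on one branch while a copied menu still carries it on another is a common way the "fixed" seeded responsibilities on this slide quietly keep their process-tab access. Re-running the query after every patch catches the re-introduction the last bullet warns about.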

Page 26

User Management - UMX

• Delivers Role Based Access Control (RBAC)
• Groups responsibilities, permission sets, and data security rules
• Common user registration workflow
• Forgotten password functionality
• Security decentralization
• Proxies

Page 27

Delegated Administration

• Delegate local admins to perform system administration for a subset of users and roles
• Risks:
  • The "Users" page in User Management (UMX) does not allow one to set a password expiration
  • How do you ensure that remote locations comply with corporate security policies?

Page 28

Password Expiration

• Set at the user level
• "Password Expiration" can be set to one of:
  • Days
  • Accesses
  • None
• By default user passwords do not periodically expire
• Controls: create a personalization; periodic review or alert
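The periodic review from the last bullet, as an added example (not from the presentation): it lists active users whose password expires neither by days nor by accesses (both lifespan columns NULL, the default the slide describes), and puts the ones who also hold an administrative responsibility at the top, since a never-expiring password on a System Administrator login is the finding a reviewer wants first. It assumes an APPS session; the responsibility name patterns are an audit choice and should be widened to whatever your site treats as privileged.

```sql
-- Added example (not from the presentation): active application users whose
-- password never expires, with any privileged responsibilities they hold listed
-- first. Assumptions: run as APPS; the responsibility name patterns used to mark
-- "privileged" are an audit choice, not an Oracle definition.
SELECT u.user_name,
       u.password_lifespan_days,                       -- NULL: no expiry by days
       u.password_lifespan_accesses,                   -- NULL: no expiry by logins
       u.last_logon_date,
       LISTAGG(rt.responsibility_name, '; ')
         WITHIN GROUP (ORDER BY rt.responsibility_name) AS privileged_resps
FROM   apps.fnd_user u
       LEFT JOIN apps.fnd_user_resp_groups_direct ur
              ON ur.user_id = u.user_id
             AND (ur.end_date IS NULL OR ur.end_date > SYSDATE)
       LEFT JOIN apps.fnd_responsibility_tl rt
              ON rt.responsibility_id = ur.responsibility_id
             AND rt.application_id   = ur.responsibility_application_id
             AND rt.language         = USERENV('LANG')
             AND (   rt.responsibility_name LIKE 'System Administrat%'
                  OR rt.responsibility_name LIKE 'Application Developer%'
                  OR rt.responsibility_name LIKE 'User Management%')
WHERE  (u.end_date IS NULL OR u.end_date > SYSDATE)   -- still able to log in
AND    u.password_lifespan_days     IS NULL
AND    u.password_lifespan_accesses IS NULL
GROUP  BY u.user_name, u.password_lifespan_days, u.password_lifespan_accesses, u.last_logon_date
ORDER  BY privileged_resps NULLS LAST, u.user_name;
```

Fix the rows through the Users form or the supported API (FND_USER_PKG.UPDATEUSER takes the lifespan as a parameter) rather than by updating FND_USER directly, so that the change is audited like any other user maintenance.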

Page 29

Manage Proxies

• Allows a user to decide who can act on their behalf for a period of time
• Equivalent to sharing your username and password
• Activity performed by the proxy is logged under the delegator's username
• R12.2 introduced:
  • "Designate proxy" granted to all users as a default
  • "All or nothing" is gone: the delegator can now select specific responsibilities and workflows to delegate
• Should not be used without a business case and compensating controls
• The access gained through a proxy does not appear in the System Administrator module
• Run a script to see whether proxies exist

Page 30

Proxy

• The delegate cannot view what s/he did as someone's proxy
• Periodically review the proxy report, which shows all navigation completed by the proxy user: (screenshot)

Page 31

Profile Options

Page 32

Profile Options

• Affect security, processes and controls
• 8000+ profile options
• Set at one or more levels; precedence from highest to lowest: User > Responsibility > Application (module) > Site
  • A User-level value takes precedence over the other levels
  • Site level has the lowest priority
• Some are maintained by users; most are maintained by the System Administrator responsibility

Page 33

Profile Options – Diagnostics

• Utilities: Diagnostics and FND: Diagnostics
  • These profile options should be set to "No" at all levels
  • Risk: allows users to change individual database records (through the Examine utility)
• Hide Diagnostics menu entry
  • Hides the Diagnostics menu from users
  • Should be set to "Yes"
  • The default is "No", i.e. NOT hidden

Page 34

Profile Options – Diagnostics – 12.1.3+ only

• Assign the “FND Diagnostics menu Examine Read Only” function to a Menu

• Ensure the profile option “Hide Menu Entry” is set to No

• Grant the seeded permission set to a role

• Assign the role to a user• APPS password not required in

read-only mode

Page 35

Profile Options – Information Leakage

• A set of profile options can defend against:
  • Cross-site scripting (XSS)
  • HTML injection attacks
  • Parameter and URL tampering
• These attacks can lead to data leaks

Profile Option^ | Default | Recommended
FND Validation Level | Error (as of R12) | Error*
FND Function Validation Level | Error (as of 11.5.10) | Error*
Framework Validation Level | Error (as of 11.5.10) | Error*
Restrict Text Input | Yes | Yes
IRC: XSS Filter | Null | Enabled
FND: Fixed Key Enabled | Null | Yes
FND: Fixed Key | None | Yes, only at User level

^ At Site level unless otherwise stated.

* R12.2 does not allow the profile option value to be changed.

Page 36

Profile Options – Others

Profile Option^ | Purpose | Default | Recommended
Concurrent:Report Access Level | Determines access privileges to report output files and log files generated by a concurrent program | User | User
Sign-On:Notification | Warns users of key events such as failed concurrent requests, failed login attempts, and incorrect default printer settings | No | Yes
Personalize Self-Service Defn | Enables or disables the global Personalize Page link that appears on each self-service web application page | No | No at Site level; Yes at User level for approved individuals only
FND: Developer Mode | Enables the Edit Region global button; also enables Developer Test Mode diagnostics | Null | No at Site level; Yes at User level for approved individuals only

^ At Site level unless otherwise stated.

Page 37

Profile Options – Password Settings

• By default Oracle does not set strong password parameters
• Published brute-force estimates put a 10-character password containing a symbol at years of cracking time, even on high-powered hardware

Profile | Oracle Default | Recommended (Site)
Signon Password Case | None | Sensitive
Signon Password Failure Limit | None | 3 (attempts)
Signon Password Hard to Guess | No | Yes
Signon Password Length | 5 | 8 to 10 (characters)
Signon Password No Reuse | None | 180+ (days)
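The "overrides" the agenda warns about are values set at User, Responsibility or Application level that silently beat the Site value, so a review has to look at every level, not just the Site column of the tables above. The following added example (not from the presentation) reports the security-relevant options from pages 33 to 37 at every level at which a value is set, decoded to the user, responsibility or application it applies to, together with who changed it last and whether end users are allowed to change it themselves (the USER_CHANGEABLE_FLAG behind the point on page 39). It assumes an APPS session and matches the options on their display names as the slides give them; adjust the list if your release labels them differently. Options with no value at any level still appear, with a NULL value, which is what the "Null" defaults in the tables look like in the data.

```sql
-- Added example (not from the presentation): security-relevant profile options
-- at every level where a value is set, decoded, with last updater and whether
-- users may change the option. Assumptions: run as APPS; options are matched on
-- the display names the slides use (adjust for your release).
SELECT t.user_profile_option_name                                 AS profile_option,
       o.user_changeable_flag                                     AS user_may_change,
       DECODE(v.level_id, 10001, 'SITE',
                          10002, 'APPLICATION',
                          10003, 'RESPONSIBILITY',
                          10004, 'USER',
                          10005, 'SERVER',
                          10006, 'ORGANIZATION',
                                 TO_CHAR(v.level_id))             AS set_at_level,
       COALESCE(u.user_name, rt.responsibility_name,
                a.application_short_name, TO_CHAR(v.level_value)) AS level_value,
       v.profile_option_value                                     AS option_value,   -- NULL: not set
       v.last_update_date,
       lu.user_name                                               AS last_updated_by
FROM   apps.fnd_profile_options o
       JOIN apps.fnd_profile_options_tl t
         ON t.profile_option_name = o.profile_option_name
        AND t.language            = USERENV('LANG')
       LEFT JOIN apps.fnd_profile_option_values v           -- LEFT: keep options set nowhere
         ON v.profile_option_id = o.profile_option_id
        AND v.application_id    = o.application_id
       LEFT JOIN apps.fnd_user u
         ON v.level_id = 10004 AND u.user_id = v.level_value
       LEFT JOIN apps.fnd_responsibility_tl rt
         ON v.level_id = 10003
        AND rt.responsibility_id = v.level_value
        AND rt.application_id    = v.level_value_application_id
        AND rt.language          = USERENV('LANG')
       LEFT JOIN apps.fnd_application a
         ON v.level_id = 10002 AND a.application_id = v.level_value
       LEFT JOIN apps.fnd_user lu
         ON lu.user_id = v.last_updated_by
WHERE  t.user_profile_option_name LIKE 'Signon Password%'   -- Case, Failure Limit, Hard To Guess, Length, No Reuse
OR     t.user_profile_option_name IN (
         'Utilities: Diagnostics', 'FND: Diagnostics', 'Hide Diagnostics menu entry',
         'FND: Validation Level', 'FND Function Validation Level', 'Framework Validation Level',
         'Restrict Text Input', 'IRC: XSS Filter', 'FND: Fixed Key Enabled', 'FND: Fixed Key',
         'FND: Developer Mode', 'Personalize Self-Service Defn',
         'Concurrent:Report Access Level', 'Sign-On:Notification')
ORDER  BY profile_option, v.level_id, level_value;
```

Any row at USER or RESPONSIBILITY level for the Signon Password options, Utilities: Diagnostics or FND: Diagnostics is an override to explain; FND: Developer Mode and Personalize Self-Service Defn are the two where a User-level "Yes" is acceptable, but only for the approved individuals the previous slide names. Scheduling the query as a report and comparing successive runs gives the monitoring and alerting that page 40 asks for.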

Page 38

Functional Administrator

Best way to view profile option settings at each level

Page 39

Profile Option – Security

Most profile options should not be updateable by users

Page 40

Profile Option – Control

• Monitor profile options:
  • Regular reports
  • Alerts
• Changes to profile options should be requested, tested and approved
• Follow a change management procedure

Page 41

Sensitive Data

Page 42

Sensitive Information

• PII: name, SSN, DOB, address, salary, etc.
• Payroll deductions
• Credit card numbers
• Bank accounts
• Financial data
• Reports (AP, PO)

Page 43

Sensitive Information - Example Report

Page 44

Sensitive Information

• Challenge: finding the sensitive data
  • 11 modules consisting of 20 known tables that display credit card data
  • Are CCNs, SSNs, etc. stored in other, non-designated fields (e.g. misc. fields)?
• Encrypt, and restrict access
• Options include:
  • SQL scripts, e.g. EBSCheckCCEncryption.sql, which checks whether credit cards are encrypted in "Immediate" mode
  • Third-party products
  • Oracle AMP Data Scrambling
  • Oracle OEM Data Masking
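The "non-designated fields" question has no packaged script, so here is an added example (not from the presentation) that answers it for the descriptive-flexfield ATTRIBUTE columns, the usual home of "misc." data: it walks the columns from the dictionary, pulls every bounded 13-19 digit run out of them and keeps only the runs that pass the Luhn check, which is what separates a card number from an invoice or phone number of the same length. It assumes an APPS or DBA session on Oracle Database 11g or later (REGEXP_SUBSTR with a subexpression argument); the schemas listed are a sample to widen for a real review; and by design only counts are printed, never the values, so the scan itself does not create a new copy of card data in a log.

```sql
-- Added example (not from the presentation): scan descriptive-flexfield
-- ATTRIBUTE columns for values that look like primary account numbers, i.e. a
-- 13-19 digit run that also passes the Luhn check. Assumptions: run as APPS or a
-- DBA on Oracle Database 11g or later; the schemas listed are a sample; results go
-- to DBMS_OUTPUT and only counts are printed, never the values. This complements,
-- not replaces, EBSCheckCCEncryption.sql, which covers the designated card columns.
SET SERVEROUTPUT ON SIZE UNLIMITED
DECLARE
  TYPE t_cur IS REF CURSOR;
  c       t_cur;
  l_sql   VARCHAR2(4000);
  l_val   VARCHAR2(4000);
  l_hits  PLS_INTEGER;

  -- Luhn: from the right, double every second digit, subtract 9 if > 9, sum, mod 10 = 0
  FUNCTION luhn_ok(p_digits IN VARCHAR2) RETURN BOOLEAN IS
    l_sum PLS_INTEGER := 0;
    l_d   PLS_INTEGER;
    l_dbl BOOLEAN := FALSE;
  BEGIN
    FOR i IN REVERSE 1 .. LENGTH(p_digits) LOOP
      l_d := TO_NUMBER(SUBSTR(p_digits, i, 1));
      IF l_dbl THEN
        l_d := l_d * 2;
        IF l_d > 9 THEN l_d := l_d - 9; END IF;
      END IF;
      l_sum := l_sum + l_d;
      l_dbl := NOT l_dbl;
    END LOOP;
    RETURN MOD(l_sum, 10) = 0;
  END luhn_ok;
BEGIN
  FOR col IN (SELECT owner, table_name, column_name
              FROM   dba_tab_columns
              WHERE  owner IN ('AP', 'AR', 'ONT', 'PO', 'IBY')   -- sample; extend per review scope
              AND    column_name LIKE 'ATTRIBUTE%'               -- DFF "misc." segments
              AND    data_type = 'VARCHAR2'
              ORDER  BY owner, table_name, column_name)
  LOOP
    -- The regexp extracts the bounded digit run from each value; the Luhn test runs here.
    l_sql := 'SELECT DISTINCT REGEXP_SUBSTR(' || col.column_name
          || ', ''(^|[^0-9])([0-9]{13,19})([^0-9]|$)'', 1, 1, NULL, 2)'
          || ' FROM '  || col.owner || '.' || col.table_name
          || ' WHERE REGEXP_LIKE(' || col.column_name || ', ''(^|[^0-9])[0-9]{13,19}([^0-9]|$)'')';
    l_hits := 0;
    BEGIN
      OPEN c FOR l_sql;
      LOOP
        FETCH c INTO l_val;
        EXIT WHEN c%NOTFOUND;
        IF l_val IS NOT NULL AND luhn_ok(l_val) THEN
          l_hits := l_hits + 1;
        END IF;
      END LOOP;
      CLOSE c;
    EXCEPTION
      WHEN OTHERS THEN             -- unreadable table, invalid view, etc.: report and continue
        IF c%ISOPEN THEN CLOSE c; END IF;
        DBMS_OUTPUT.PUT_LINE('SKIP ' || col.owner || '.' || col.table_name || ': ' || SQLERRM);
        l_hits := 0;
    END;
    IF l_hits > 0 THEN
      DBMS_OUTPUT.PUT_LINE('POSSIBLE PAN in ' || col.owner || '.' || col.table_name || '.'
                           || col.column_name || ': ' || l_hits || ' distinct Luhn-valid value(s)');
    END IF;
  END LOOP;
END;
/
```

Expect full table scans, so run it in a cloned or off-hours environment, and treat a hit as something to inspect by hand: Luhn is a checksum, not proof, and some internal reference numbers pass it by chance. Anything confirmed belongs in the encrypted, access-restricted columns the first bullet refers to, followed by the data scrambling on the next slide for every clone that already carries the field.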

Page 45

Non-Production / Cloning

• When environments are cloned from production, user access sometimes increases (additional users, additional privileges) and configuration settings get changed
• Controls:
  • Change the passwords of privileged IDs at the application and database levels when cloning
  • Follow Metalink Note 419475.1, "Removing Credentials from a Cloned EBS Production Database"
  • Scramble key data:
    • Employee name, address, social security number, compensation details
    • Customer name, address, credit card data
• Risks:
  • Data confidentiality is breached
  • Data is exfiltrated
  • Privileged access to production (credentials copied with the clone)

Page 46

Sensitive Administrative Pages

Page 47

Sensitive Administrative Pages

• Some Oracle forms and pages allow modification of the application:
  • Oracle Forms controlled by Function Security (~47)
  • HTML pages controlled by Function Security (~21)
  • Functionality controlled by profile options (3)
  • Pages controlled by JTF permissions and roles (3)
• Most of these are accessible only from SA menus and responsibilities, where access should already be limited
• Eliminate or minimize access to these screens in a production system
• Oracle has published an SQL query to identify who has access to these forms and pages; see MOS Note 1334930.1
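For the Function Security controlled forms and pages, the question "who can reach this function?" can be answered from the menu tables directly. The following added example (not from the presentation, and not the query in MOS Note 1334930.1) starts at one form function and climbs the menu tree upward to every responsibility that contains it, then lists the active users holding those responsibilities, honouring both the function ('F') and menu ('M') exclusions defined on each responsibility; it is the reverse direction of the AZN walk on page 25. It assumes an APPS session; 'FND_FNDSCAUS' is assumed to be the internal name of the "Users" form function and is only an illustration to substitute with the function under review. Responsibilities granted through UMX roles (FND_USER_RESP_GROUPS_INDIRECT), permission-set grants, the profile-option controlled functionality and the JTF-controlled pages on this slide are outside what it sees.

```sql
-- Added example (not from the presentation): every active user who can reach one
-- named form function through a responsibility, with function ('F') and menu ('M')
-- exclusions on that responsibility taken into account. Walks the menu tree upward
-- from the function. Assumptions: run as APPS; 'FND_FNDSCAUS' is assumed to be the
-- internal name of the "Users" form function and is only an illustration; UMX role
-- grants (FND_USER_RESP_GROUPS_INDIRECT) and permission-set grants are not covered.
WITH target AS (
  SELECT function_id, function_name
  FROM   apps.fnd_form_functions
  WHERE  function_name = 'FND_FNDSCAUS'           -- substitute the function under review
),
climb AS (
  -- start at every menu entry that grants the function, then climb to each parent menu;
  -- PATH holds every menu id passed on the way up, as '/id/id/.../'
  SELECT me.menu_id                                           AS top_menu_id,
         CONNECT_BY_ROOT me.function_id                        AS function_id,
         SYS_CONNECT_BY_PATH(TO_CHAR(me.menu_id), '/') || '/'  AS path
  FROM   apps.fnd_menu_entries me
  START WITH me.function_id IN (SELECT function_id FROM target)
         AND me.grant_flag = 'Y'
  CONNECT BY NOCYCLE PRIOR me.menu_id = me.sub_menu_id
         AND LEVEL <= 20
),
reach AS (
  SELECT u.user_name, rt.responsibility_name, t.function_name,
         CASE WHEN EXISTS (SELECT 1
                           FROM   apps.fnd_resp_functions x
                           WHERE  x.responsibility_id = r.responsibility_id
                           AND    x.application_id   = r.application_id
                           AND   ((x.rule_type = 'F' AND x.action_id = t.function_id)
                              OR  (x.rule_type = 'M' AND c.path LIKE '%/' || x.action_id || '/%')))
              THEN 1 ELSE 0 END                               AS excluded
  FROM   climb c
         JOIN target t ON t.function_id = c.function_id
         JOIN apps.fnd_responsibility r
           ON r.menu_id = c.top_menu_id
          AND (r.end_date IS NULL OR r.end_date > SYSDATE)
         JOIN apps.fnd_responsibility_tl rt
           ON rt.responsibility_id = r.responsibility_id
          AND rt.application_id   = r.application_id
          AND rt.language         = USERENV('LANG')
         JOIN apps.fnd_user_resp_groups_direct ur
           ON ur.responsibility_id             = r.responsibility_id
          AND ur.responsibility_application_id = r.application_id
          AND (ur.end_date IS NULL OR ur.end_date > SYSDATE)
         JOIN apps.fnd_user u
           ON u.user_id = ur.user_id
          AND (u.end_date IS NULL OR u.end_date > SYSDATE)
)
SELECT user_name, responsibility_name, function_name,
       CASE WHEN MIN(excluded) = 0 THEN 'REACHABLE' ELSE 'EXCLUDED' END AS state
FROM   reach
GROUP  BY user_name, responsibility_name, function_name
ORDER  BY state DESC, user_name, responsibility_name;
```

Run it once per sensitive function from the note's list and compare the REACHABLE set with the people who are supposed to administer the production system; every other name is a case for a function exclusion on that responsibility or, better, a responsibility that never contained the function.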

Page 48

Example SQL Excerpt

Page 49

Recap

Page 50

Best Practices

• Ongoing monitoring of:
  • Privileged IDs
  • Generic IDs
  • Key configuration (e.g. responsibilities, menus, profile options)
  • Users without password expiration
  • Proxies
• Approval processes are in place for changes to configuration and users

Page 51

Questions

Page 52

Reminder

Please complete the session and overall meeting evaluations

Thank You!

Page 53

For more information, contact:

Christeen Russell, CPA, CISA
Crowe Horwath LLP
Direct: 212-750-4195
Christeen.Russell@crowehorwath.com
www.crowehorwath.com