<<< Date Index >>>     <<< Thread Index >>>

CVE-2008-4000: Oracle PeopleTools – Authentication Weakness



PeopleSoft Enterprise applications architecture is built around the proprietary 
PeopleTools technology. PeopleTools user authentication mechanism requires a 
user to provide the correct credentials in order to gain access through the web 
interface. An account lockout policy disables a user account if an incorrect 
password is entered a specified number of times over a specified period. 


Scope

Imperva?s Application Defense Center conducts extensive research on enterprise 
applications on behalf of its customers, including research on applications 
like PeopleSoft, SAP and Oracle EBS. During its research, the team has 
identified a security flaw related to PeopleTools authentication mechanism and 
account lock-out policy. 


Findings

By observing the system?s response to repeated authentication attempts, an 
attacker can brute force valid user credentials even though the account 
lock-out mechanism is enabled. The attacker could use the compromised 
credentials once the account is unlocked by an administrator. 


Details

Upon a false login attempt, the message ?Your User ID and/or Password are 
invalid? is returned to the user. When the correct password is entered, and the 
account has been locked, the message ?Your account has been disabled? is 
returned. Therefore an attacker can conduct a brute force attack even after the 
account has been locked. 

Once the account is unlocked, PeopleTools does not enforce password changing. 
Therefore the compromised set of credentials can be used to break into the 
unlocked account. 


Exploit

Brute force login to the application until the correct password is detected. 


Vulnerability ID

CVE-2008-4000 


Tested Versions

Vulnerable
PeopleTools 8.49 (8.4x) 


Vendor's Status

Vendor notified on August 4, 2008. Patch released by vendor on October 14, 
2008. 


Workaround


Within PeopleSoft, select the ?Enable password controls? checkbox and then 
define the number of days that a password is valid. The actual number of days 
does not matter for this purpose.
When an account is locked because of too many login attempts, the administrator 
can unlock the account and then manually set the status of the password for the 
account to ?expired?. This will force the user to change the password during 
the next login.
An alternative workaround is to create a custom Web application policy in the 
SecureSphere Web Application Firewall. The policy match criteria would include 
the URL prefix of the PeopleSoft login page (the action URL for the 
authentication form) and the number of occurrences within a specified period of 
time.


Discovered by:

Yaniv Azaria of Imperva?s ADC 

Disclaimer
The information within this advisory is subject to change without notice. Use 
of this information constitutes acceptance for use in an AS IS condition. Any 
use of this information is at the user?s own risk. There are no warranties, 
implied or expressed, with regard to this information. In no event shall the 
author be liable for any direct or indirect damages whatsoever arising out of 
or in connection with the use or spread of this information.

Copyright © 2007 Imperva, Inc.
Redistribution of this alert electronically is allowed as long as it is not 
edited in any way. To reprint this alert, in whole or in part, in any medium 
other than electronic medium, adc@xxxxxxxxxxx for permission. Sections
ADC Security Advisories