In the first part, we discussed the top 9 areas to be taken for security assessment of the PeopleSoft systems. Eventually, we covered patch management flaws, the first critical category in our list. As you may have guessed, today we will take a closer look at the next item – PeopleSoft default accounts.
Default accounts with known passwords are one of the most common, severe, and frequently exploited software vulnerabilities, mainly due to low knowledge requirements and almost absolute efficiency.
Let’s consider the user types in PeopleSoft.
While PeopleSoft database installation, it is required to select Admin User, PeopleSoft Access ID, PeopleSoft Connect ID, AppServer User, and Web Server User (PTWEBSERVER by default) and their passwords. It is also necessary to disable other default users.
A PeopleSoft system uses various authorization IDs:
- User ID – a PeopleSoft Application user account;
- Connect ID – a special type of database account with minimal database privileges used by PeopleSoft application;
- Access ID – a special type of database account with high level of database privileges.
When a user attempts to login into a PeopleSoft application, there is a sequence of events that happens within the PeopleSoft application to validate the user ID and password entered by the user and grant the user session with the appropriate access.
PeopleSoft Authentication Process:
- User logs in with his or her User ID and password to the Application Server (1).
- Application Server, in its turn, connects to RDBMS using Connect ID. User ID and correct password stored in database tables are compared to the ones that were entered by the user (2).
- If the comparison goes successful, the Application Server will retrieve the necessary Access ID with the encrypted password (3).
- Finally, the system reconnects to RDBMS using Access ID with full access (4).
In order to protect PeopleSoft environment, we should check that none of the accounts either in application or database have default passwords.
PeopleSoft default passwords in application [EASSEC-PVAG-PS-03]
Description
As said before, a PeopleSoft User ID is an identifier you enter on the PeopleSoft sign-in page. The User ID is the key that the application uses to identify the user profile definition. You assign each PeopleSoft user User ID and password, but PeopleSoft delivers some default User IDs, providing superuser-type access to specific applications within the system (see table 1). Before PeopleTools 8.53, default user password is equal to login (e.g. PS/PS or VP1/VP1). With PeopleTools 8.53 the possibility to choose one global password for all users was introduced.
| PeopleSoft default User ID | Default password before PeopleTools 8.53 | Default password since PeopleTools 8.53 |
|---|---|---|
| PS | PS | PS / Global password |
| VP1 | VP1 | VP1 / Global password |
| PTDMO | PTDMO | PTDMO / Global password |
| PSADMIN | PSADMIN | PSADMIN / Global password |
| PSEM | PSEM | PSEM / Global password |
| PSHC | PSHC | PSHC / Global password |
| PSCR | PSCR | PSCR / Global password |
| HFG | HFG | HFG / Global password |
| PSPY | PSPY | PSPY / Global password |
| HHR_JPM | HHR_JPM | HHR_JPM / Global password |
| HHR_CMP | HHR_CMP | HHR_CMP / Global password |
Table 1 – PeopleSoft Default passwords
During the installation of PeopleTools since 8.53 version, there are two ways for activating default users:
- If choose to enable other user profiles in the database, the user passwords are given as “Master Password”:
- A password that is the same as the User ID (e.g. user1/user1).
- A common global password for all the User profiles in the database, which sets separately (except the Application Server User Profile and Web server User profiles).
- A common global password for all the User profiles in the database, which sets separately (except the Application Server User Profile and Web server User profiles).
Threat
The default PeopleSoft user IDs are well-known and often the password is the same as the User ID. Therefore, an adversary may enter the system with full access and, as a result, get an unlimited access to sensitive business data stored in the system.
Solution
- As an administrator, you must customize your own user definition.
- Determine a new super user and lock the PS (VP1) User ID.
- Remove default User IDs from production, if it doesn’t affect system performance. In case it isn’t possible, passwords of these default user IDs should be hard, periodically changed and securely stored.
PeopleSoft default credentials for Connect ID [EASSEC-PVAG-PS-04]
Description
The PeopleSoft Connect ID performs the initial connection to the database. Connect ID has limited rights, it allows only to retrieve User ID and encrypted password from RDBMS tables. It has access to 3 tables (PSSTATUS, PSOPRDEFN, PSACCESSPRFL), but only two of them store valuable information.
The first one – PSOPRDEFN – contains PeopleSoft credentials. However, the passwords are hashed and each even gets its own random salt, which is stored in the same table. This fact make bruteforcing attacks easy to perform.
The second table – PSACCESSPRFL – contains the encrypted Access ID and its password.
During the installation, you can set Connect ID and its password. In PeopleSoft PeopleTools 8.54 and earlier versions, password length must be between 6 and 8 characters for Connect ID. In addition, Connect ID can be stored in plain text in some configuration files of the PeopleSoft application.
The main security drawback is that the common Connect ID in PeopleSoft ispeople with password people/peop1e.
Threat
The default PeopleSoft Connect ID credentials are simple and known for attackers. Once an attacker gets a Connect ID account and manages to connect to the RDBMS, they can easily decrypt Access ID and take total control over the PeopleSoft system or can bruteforce users password from PSOPRDEFN table, enter the system with full-access and, as a result, get an unlimited access to key corporate information stored in the system.
Moreover, if default password is changed, the length of the Connect ID password is limited to 8 characters, it facilitates its brute force.
Solution
- Best Practice is to upgrade PeopleTools to the latest version (since PeopleTools 8.55 password of Connect ID is limited to 30 characters).
- Change the default “people”Connect ID.
- Change password of Connect ID to more complex, periodically change it and securely store it.
PeopleSoft default credentials for Access ID [EASSEC-PVAG-PS-05]
Description
The PeopleSoft Access ID is the RDBMS ID with which PeopleSoft applications are ultimately connected to your database after the PeopleSoft system connects using the connect ID and validates the user credentials. Typically, an access ID has all the RDBMS privileges necessary to access and manipulate data for an entire PeopleSoft application. The access ID should have Select, Update, and Delete access.
Frequently, Access ID uses RDBMS administration account:
- “SYSADM” for Oracle DB
- “sa” for MS SQL Server
Access ID with the password is stored in the PSACCESSPRFL table, but this ID and its password are encrypted. Therefore, to retrieved or referenced Access ID, the query selects the appropriate access ID by using the Symbolic ID as a search key. The Symbolic ID acts as an intermediary entity between the User ID and the Access ID. Referring to an installation guide, Symbolic ID is often the same as Access ID + “1”, i.e. Symbolic ID for “sa” is “sa1”.
As well as for Connect ID, in PeopleSoft PeopleTools 8.54 and earlier versions, password length must be between 6 and 8 characters for Access ID.
Threat
If Symbolic ID is used as “Access ID + 1”, it increases the probability of knowing Access ID, for which the password may be default database password and thus known to attackers. Also, the length of the Access ID password is also limited to 8 characters, it facilitates its brute force attack. If a malicious person gets Access ID and the password, he or she will obtain a total control over PeopleSoft and get an unlimited access to sensitive business data stored in the system.
Solution
- It is recommended not to use default administration account of RDBMS system (i.e. “SYSADM” or “sa”) for Access ID and create a new Access ID with a hard password, which is periodically changed and securely stored.
- Best Practice is to upgrade PeopleTools to the latest version (since PeopleTools 8.55 password of Access ID is limited to 30 characters).
PeopleSoft WebLogic default passwords [EASSEC-PVAG-PS-06]
Description
PeopleSoft is usually installed together with the WebLogic application server. However, WebLogic installed with PeopleSoft has several special configuration features, which lower the overall system security posture:
- WebLogic launches the management console on a local network interface by default. However for PeopleSoft, it will be located on the same port as the PeopleSoft Portal and thus available for external connections.
- WebLogic installed with PeopleSoft has several default user accounts with default passwords:
- system – admin security role, which has a permission to do all management tasks on WebLogic server.
- operator – operator role, which has almost no rights.
- monitor – monitor role, which has almost no rights.
The administrator Login ID and password are assigned in the PeopleSoft Pure Internet Architecture installation, but it has some default passwords listed in Table 2. Nevertheless, with PeopleTools 8.53 default passwords of user accounts are not available and the administrator password must be set manually during PIA installation.
| Default WebLogic authorization ID | Default WebLogic authorization ID |
|---|---|
| system | Passw0rd / password |
| operator | password |
| monitor | password |
Table 2 – WebLogic Default passwords
Threat
As WebLogic Administration Console (https://hostname:port/console) is located on the same port with PeopleSoft application by default, anyone can try to access the WebLogic Server with default accounts.
Once a malicious person gets access to a WebLogic server with this account, he or she can obtain full control over WebLogic (by system account) and/or perform remote command execution (by operator and monitor account). Operator and monitor roles have more capabilities than the interface displays, therefore an attacker can create an exploit, which allows installing WL applications under these accounts. These applications will have full access to operation system and thus will be susceptible to risks of espionage, sabotage, and fraud.
Solution
Best Practice is to not use default credentials. Instead, create new accounts with complex passwords and delete default ones using the WebLogic Administration Console.
Further steps
It is necessary to check default authorization IDs and their passwords, providing super-type access to specific applications within the system. After the check for default passwords, a user password dictionary check should be run.
In addition, the default accounts and their passwords should be checked in all associated systems, such as network equipment, operating systems, Web Application Server and RDBMS that store the PeopleSoft system data. For example, an Oracle RDBMS contains numerous default passwords, including those specific for the PeopleSoft systems.
Stay tuned, as soon we will come back with the next critical area – Unnecessary functionality.
Post by Research Team