Security issue in ERP 10

nikhil · March 27, 2018, 9:11am

I would like to report a security issue and want to know whom to talk to in Epicor @Bart_Elia

This security issue has been noticed since the early ERP 10.0 release all the way to ERP 10.2.100

Regards,
Nikhil

Mark_Wonsil · March 27, 2018, 1:39pm

If it were me, I’d file a case in EpicCare and then post the case number here so several Epicor employees might see it.

Mark W.

Bart_Elia · March 27, 2018, 2:20pm

Agreed but most security stuff ends up in my lap anyways. We treat that quite serious - BEliaAtEpicor.com please

Gil_V · March 27, 2018, 2:43pm

As do we, Bart. I’d be interested in knowing the details of the security issue, as we are investigating upgrading to 10.

aidacra · March 27, 2018, 3:50pm

When in doubt, speak with Support–that is what we’re here for We know all the right people to speak to about it.

Kimberley · March 27, 2018, 3:52pm

What is the security issue? We are getting ready to upgrade and be interested in what you found.
thanks Kim

Gil_V · March 27, 2018, 4:53pm

If there is a known security issue, the right people to speak to about it are the customers looking to upgrade.

Mark_Wonsil · March 27, 2018, 5:06pm

Mmm, I’m not so sure Gil. I’m for responsible disclosure to the vendor FIRST or you’re actually increasing the risk to the customer base.

Also, customers should be focusing on internal security practices like changing default passwords to service accounts (sysprogress or manager), blank passwords, weak ODBC logins, never using “Access All” in menu programs, etc.

At least in my experience, 10.2 is the most secure version of Epicor I have used and .200 will add multifactor authentication with Azure AD.

Mark W.

Gil_V · March 27, 2018, 5:18pm

Hey, I’m not locked into anything, all I can bring is my perspective.

I will say this - if upgrading to 10 introduces a security issue (and we are heavily regulated), it’s not gonna be pretty.

From a customer perspective, I’d prefer the software manufacturer be honest about the features that might not work when upgrading. Much easier to mitigate an issue when you know about it.

josecgomez · March 27, 2018, 5:28pm

A couple of things to keep in mind while talking about this topic

This forum isn’t necessarily the appropriate avenue to report an issue with security. Reaching out to support would be the best bet. As @aidacra said when in doubt call support. An open forum is certainly not the right place for that type of disclaimer and discussion. I’m glad to see that @nikhil is trying to reach the right people.

Just because someone is claiming there is a potential security issue doesn’t mean it is actually there nor do we know what the scope of it is. So we should let Epicor do what it does and they will determine if and when to inform the users after they’ve had a chance internally to vet the information and mitigation (if required). No need to go running around like a chicken with out head cut off. Epicor is a major software company and as such they know and understand how to handle these issues and disclosures if necessary.

So please don’t worry about it until you absolutely need to and let Epicor do their job

Mark_Wonsil · March 27, 2018, 5:37pm

I agree with you Gil. Once the vendor knows about an issue, it’s their responsibility to let the customer base know about a fix or how to mitigate an issue as soon as one is possible. I just don’t want script-kiddies racing the vendor to get into my system before there’s a solution.

While we have seen new releases of software by Microsoft, Progress, Apple, Google, and, yes Epicor introduce security problems, the general trend is the most recent versions are the most secure. The whole Equifax debacle was caused by them not staying current with their software…

Mark W.

Bart_Elia · March 27, 2018, 5:43pm

We have had a major issue happen before - There was a SQL Injection vector that occurred a few years we addressed against a gazillion versions and we pushed out the notice to update immediately when we had the fix tested, immediate blocks if you can’t update, etc.
The process is well in place and understood. It’s been awhile since anything real although we have had false reports before due to incorrect configuration, etc. I never discount it though and want to help even if it’s an admin shooting themselves in the foot. That is still a learning moment on how we can improve UX, etc to not have that happen.

Bart_Elia · March 27, 2018, 6:21pm

FYI - the customer is in Africa so probably in bed. We reached out to them and will start the due diligence

Bart_Elia · March 27, 2018, 6:30pm

FYI - lunch so taking off my Epicor hat a sec…

I love a ton of the discussions around security, data breach handling, the tech behind HaveIBeenPwned. Troy Hunt does a great service to the industry for his efforts in highlighting security and data breach issues. We’ve never had one knock on wood but I love how Discus handling matters and his discussion on it. Definitely a standard to follow:

MiguelS · March 27, 2018, 6:32pm

I think this would have been a good use of PM’s until the potential issue could have been verified.

jgiese.wci · March 27, 2018, 6:51pm

The majority of the ones I’ve ever been aware of were due to issues with .NET or Microsoft libraries LOL

rbucek · March 27, 2018, 6:52pm

OH NO!!!

giphy

nikhil · March 28, 2018, 6:20am

Thank you and I request the moderator to close the topic