According to a new report from the Onapsis Research Labs, critical vulnerabilities in the Oracle E-Business Suite (EBS) leave thousands of customers at risk of exploitation. This despite the so-called PAYDAY vulnerabilities being patched by Oracle as recently as April this year.
"The Onapsis Research Labs believes that 21,000 or more of Oracle EBS customers may be at risk since the vulnerabilities exist in all versions of Oracle EBS," Sebastian Bortnik, the Onapsis director of research, writes in a blog posting.
There are two vulnerabilities being discussed, CVE-2019-2633 and CVE-2019-2648, which have a CVSS score of 9.9 out of 10 which means they are very high-risk indeed. They are also quite the rare beast as, Bortnik said, "there have only been four 9.9 CVSS score vulnerabilities since 2015, including PAYDAY."
Onapsis researchers estimate that half of Oracle EBS customers have yet to deploy the patches to fix these vulnerabilities, the only way to mitigate the risk. Given that much of Oracle runs on Java, thus making an exploit scenario relatively simple in the overall scheme of criminal things, that risk would seem to be one not worth taking. These reflected SQL injection vulnerabilities are potentially most dangerous when exploited through servers that use the EBS payments module.
How dangerous? The Onapsis report provides two potential attack scenarios. Firstly, there's the malicious manipulation of the wire transfer payment process through unauthenticated access which could reroute invoice payments, without any trace, to another bank account. Then there's the Oracle EBS cheque printing process that could be used to create and print "approved" bank cheques, with audit logs erased to cover fraudster tracks.
"This threat research demonstrates something which has historically been chronically under reported in IT and cyber-security," Mariano Nunez, CEO and co-founder of Onapsis said, "that business-critical applications, specifically ERP systems, used by the world’s largest and most relied upon organisations are vulnerable to attackers stealing potentially billions." Nunez advises users of Oracle EBS to "utilise diagnostic tools and services to help them to highlight the most vulnerable areas of business operations," and to deploy the appropriate patches and compensating controls as a result.
The Oracle EBS vulnerabilities should act as a reminder for enterprises of the importance of patching software, particularly those that impact critical payment systems. That only 50 percent of all Oracle EBS customers have deployed the available patch, points to "organisations lacking proper cyber-hygiene practices or the inability to detect and prioritise patches," Robert Ramsden-Board, VP EMEA at Securonix says. Ramsden-Board agrees with Nunez that running an immediate assessment to ensure they are not exposed to these vulnerabilities is essential for customers. "In the longer term," he concludes, those customers should "make investments into next generation SIEM technology that can make this process easier."