Thousands of Enterprises At Risk Due to Oracle EBS Critical Flaws

Two critical security vulnerabilities discovered in Oracle's E-Business Suite (EBS) could allow potential attackers to take full control over a company's entire enterprise resource planning (ERP) solution.

"Over 21,000 global organizations use Oracle EBS for financial management, customer relationship management (CRM), supply chain management (SCM), human capital management (HCM), logistics, procurement and more," according to Onapsis Research Labs.

Onapsis reported the issues to the Oracle Security Response Team in December 2018 and helped fix the vulnerabilities, with patches released as part of Oracle's April 2019 Critical Patch Update Advisory.


Critical ERP vulnerabilities leading to financial fraud

The Oracle EBS improper access control flaws come with CVSS scores of 9.9 out of 10, and are tracked as CVE-2019-2638 (in the Consolidation Hierarchy Viewer component of the Oracle General Ledger) and CVE-2019-2633 (in the Messages component of the Oracle Work in Process product).

If successfully exploited, the two flaws let an attacker print bank checks and make electronic fund transfers while evading detection.

At the moment, Onapsis' research team estimates that approximately 50% of all Oracle EBS customers have not yet deployed the patches.

"Thousands of Oracle EBS customers, potentially as many as 10,000 organizations, could be at risk since the affected component is present in all EBS installations and cannot be disabled," Onapsis says.

"At the same time, systems exposed to the internet can also be attacked just as any other system on the internal network. Onapsis estimates there are at least 1,500 EBS systems connected directly to the internet."

The Onapsis threat researchers detail the following two possible scenarios allowing attackers to leverage the flaws to pursue financial fraud:

• Malicious manipulation of the wire transfer payment process through unauthenticated access (which would bypass segregation of duties and access controls), through which an attacker can change approved EFTs in the EBS system to reroute invoice payments to an attacker’s bank account, leaving no trace
• Creating and printing approved bank checks through the Oracle EBS check printing process and disabling and erasing audit logs to cover up the activity

Data breach risks, mitigation measures

Attacks exploiting these Oracle EBS flaws can also expose and exfiltrate sensitive personal and business financial information such as bank account and credit card numbers, let the attackers alter or delete data, and escalate into business-wide disruption.

Enterprises whose unpatched ERP systems are breached also face compliance risks under data-privacy laws such as GDPR, CCPA, and HIPAA, since personally identifiable information (PII) stored on the compromised servers can be stolen and leaked.

"This is the type of risk that usually makes executives and boards concerned about the possibility of a breach and a subsequent penalty if not properly addressed," Onapsis Research Labs adds.

These flaws affect the confidentiality, integrity, and availability of the information in an enterprise's ERP system. No workaround is available, because the affected components are present in every Oracle EBS implementation and cannot be disabled.

To protect against attacks abusing CVE-2019-2638 and CVE-2019-2633, administrators need to apply the April 2019 Oracle Critical Patch Update, or a later one, to every EBS instance.
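As an added example (not from Onapsis or the article), the following queries are one way an EBS administrator could verify whether a given patch is recorded as applied on an instance. They assume access to the APPS schema of an EBS 12.x system; :patch_number is a placeholder bind variable for the EBS patch number listed in Oracle's April 2019 Critical Patch Update (the article does not give that number), and the April 16, 2019 date used as a cutoff is an assumption.

```sql
-- Added example: check whether an Oracle EBS patch is recorded as applied.
-- :patch_number is a placeholder; substitute the EBS patch number from the
-- Oracle April 2019 Critical Patch Update (not given in this article).
-- Assumes the APPS schema of an EBS 12.x instance.

-- 1. Direct lookup in the applied-bugs table
--    (one row per bug fixed by the patches applied to this instance).
SELECT bug_number, application_short_name, creation_date
  FROM apps.ad_bugs
 WHERE bug_number = :patch_number;

-- 2. Same question via the AD API, which also reports patches included
--    implicitly (superseded by a later CPU or bundled in a release update pack).
--    Returns 'EXPLICIT', 'IMPLICIT' or 'NOT APPLIED'.
SELECT ad_patch.is_patch_applied('R12', -1, :patch_number) AS status
  FROM dual;

-- 3. Rough inventory of patching activity since the April 2019 CPU
--    (cutoff date assumed; adjust to the CPU release date you are checking).
SELECT patch_name, patch_type, creation_date
  FROM apps.ad_applied_patches
 WHERE creation_date >= DATE '2019-04-16'
 ORDER BY creation_date DESC;
```

The second query is the more reliable test: a later cumulative CPU may fix the bug without the original patch number appearing in ad_bugs, which is what the 'IMPLICIT' result captures. An empty result from the first query alone is therefore not proof that the instance is unpatched.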

"The financial fraud scenarios explained in this document are just a few attack vectors that a threat actor can leverage to successfully exploit this vulnerability," the researchers concluded. "Post-exploitation is not necessarily limited to these attacks."

