If your business operations and sensitive data security depend on Oracle's E-Business Suite (EBS), make sure you have updated recently and are running the latest version of the software available.
In a report shared with The Hacker News, cyber security company Onapsis today released technical details about vulnerabilities reported in Oracle's E-Business Suite (EBS), an integrated set of applications for automating an organization's CRM, ERP and SCM operations.
The two vulnerabilities, named "BigDebIT" and rated with a CVSS score of 9.9, were patched by Oracle in a Critical Patch Update (CPU) released in early January. According to the company, an estimated 50 percent of Oracle EBS customers have not yet applied the patches.
The vulnerabilities could be exploited by bad actors to target accounting tools such as the general ledger to steal confidential information and commit financial fraud.
According to the researchers, "an unauthenticated hacker could automatically exploit the general ledger module to extract assets from a company (e.g. cash) and change accounting tables without leaving a trace."
"Successfully exploiting this vulnerability would allow an attacker to steal financial information and cause delays in financial reporting related to the company's compliance processes," he added.
It is worth noting that the BigDebIT attack methods build on the PAYDAY vulnerabilities in EBS that Onapsis discovered three years ago, for which Oracle only released a series of patches in April 2019.
General Ledger Targeting for Financial Fraud
The new bugs, tracked as CVE-2020-2586 and CVE-2020-2587, reside in the Oracle Human Resources Management System (HRMS) in a component called Hierarchy Diagrammer, which allows users to create the organizational and position hierarchies associated with a company. They can also be exploited even if EBS customers have applied the patches released in April 2019.
"The difference is that the existence of these patches confirms that even up-to-date systems are vulnerable to these attacks and must therefore prioritize installing the January CPU," the company said in a statement released in January.
One consequence of these errors, if not patched, is the possibility of financial fraud and theft of sensitive information by attacking a company's accounting systems.
Oracle General Ledger is automated financial processing software that acts as a repository for accounting information and is offered as part of the company's E-Business Suite, Oracle's integrated application suite – spanning Enterprise Resource Planning (ERP), Supply Chain Management (SCM), and Customer Relationship Management (CRM) – that customers can deploy in their own organization.
The general ledger is also used to prepare corporate financial reports and to conduct audits that ensure compliance with the Sarbanes-Oxley Act of 2002 (SOX).
An attacker could break this trust by taking advantage of the flaws to modify critical ledger reports, including fraudulently manipulating the transactions recorded on a company's balance sheets.
"For example, an attacker could change the trial balance report, which summarizes the accounting balances over a period of time, virtually unnoticed, resulting in inaccurately reported results going undetected in the financial statements. This could result in inaccurately submitted or reported financial results," Onapsis said.
The importance of patching critical software
Given the financial risk, companies using Oracle EBS are strongly advised to perform an immediate assessment to ensure that they are not exposed to these vulnerabilities and to apply the patches to address them.
"Organizations need to be aware that current GRC tools and other traditional security methods (firewalls, access controls, SoD, and others) cannot prevent this type of attack on vulnerable Oracle EBS systems," the researchers warned.
"If companies have Oracle EBS systems connected to the Internet, the potential threat would increase significantly. Companies that are attacked are not aware of the attack and only learn the extent of the damage if evidence of it is found through a very extensive internal or external examination."