Oracle’s E-Business Suite (EBS) was found to have two vulnerabilities, dubbed BigDebIT, which Oracle patched in its Critical Patch Update this January.
Enterprise cybersecurity firm Onapsis revealed the technical details of the vulnerabilities, which have been rated with a CVSS score of 9.9.
Oracle’s E-Business Suite is an integrated group of applications designed to automate CRM, ERP, and SCM operations for organizations.
Threat actors could exploit the security flaws to target accounting tools such as General Ledger, steal sensitive information and commit financial fraud.
The researchers stated that an attacker can run an automated exploit against the General Ledger module to obtain a company’s financial data and modify accounting tables without leaving a trace.
The BigDebIT attack vectors add to the PAYDAY vulnerabilities in EBS, which were discovered by Onapsis three years ago and patched by Oracle in April 2019.
The vulnerabilities, tracked as CVE-2020-2586 and CVE-2020-2587, reside in Oracle Human Resources Management System (HRMS), in a component called Hierarchy Diagrammer that allows users to create organization and position hierarchies associated with an enterprise. They can be exploited even if users have deployed the patches released in April 2019.
It is confirmed that even systems that are otherwise up to date are vulnerable to these attacks, so installing January’s Critical Patch Update (CPU) must be treated as a priority.
If the flaws are left unpatched, a firm’s accounting systems can be attacked to commit financial fraud and steal confidential information.
Oracle General Ledger is an automated financial processing application that acts as a repository of accounting information. It is offered as part of E-Business Suite, the company’s integrated suite of applications, which includes enterprise resource planning (ERP), supply chain management (SCM) and customer relationship management (CRM), that users can deploy in their own businesses.
General Ledger is also used to generate corporate financial reports and to conduct audits that ensure compliance with the Sarbanes-Oxley (SOX) Act of 2002.
An attacker can exploit the flaws to modify critical reports in the ledger, including fraudulently manipulating transactions on a firm’s balance sheets.
Patch Critical Software
Since exploitation of the flaws carries financial risk, it is highly recommended that companies that use Oracle EBS for their business operations and to protect sensitive data run an immediate assessment to make sure they are not exposed to these vulnerabilities, and apply the patches that fix them.
It is found that around 50 percent of Oracle EBS customers have not deployed the patches to date.
It must be noted that current GRC tools and other traditional security controls such as firewalls, access controls and segregation of duties (SoD) do not prevent this type of attack on vulnerable Oracle EBS systems.
The researchers said that the potential threat is even greater for organizations with internet-facing Oracle EBS systems. An organization under attack will not be aware of it and will not know the extent of the damage unless a very extensive internal or external audit is conducted to gather evidence.