Vulnerabilities

Critical vulnerability in Oracle grants full access to hackers. Update as soon as possible

Research published by vulnerability testing experts at security firm Onapsis claims that multiple vulnerabilities have been discovered in Oracle’s E-Business Suite. If exploited, these flaws would allow threat actors to gain full control of electronic transfers and even print undetected checks.

The report mentions that the attack, known as Oracle Payday, involves exploiting two key vulnerabilities. Although Oracle states that the vulnerability has been fixed, Onapsis notes that only half of the users of this software install the updates, so the risk remains latent for more than 10,000 companies using the ERP.

Although most companies that use this software do so only on their intranet, vulnerability testing experts estimate that at least 1,500 systems are connected to the public Internet. If the security patches are not installed, the attack can be carried out by an unauthenticated remote attacker to gain full access to the exposed system.

Since Oracle EBS includes a payment module that allows companies to transfer money from bank accounts or generate paychecks, the potential risk is enormous for any company operating this system. After the vulnerability report was received, the Oracle Payday attack was assigned a score of 9.9/10 on the Common Vulnerability Scoring System (CVSS) scale.

The first update that Oracle released to fix the issue dates from April 2018; additional patches have since been added to fix other aspects of the vulnerability, including the latest fix, available for CVE-2019-2638 and CVE-2019-2633, which is included in the Oracle Critical Patch Update package.

While the ERP includes audit tables for the payment modules, the SQL protocol allows attackers to execute arbitrary queries as APPS users, so it is possible to disable and delete these audit log tables, according to vulnerability testing specialists from the International Institute of Cyber Security (IICS).

The security firm claims that it also has a proof of concept for the attack, which demonstrates a way to detect and delete these audit tables, leaving no record of the attack.
