In a report released by enterprise cybersecurity firm Onapsis and shared with The Hacker News, the firm today disclosed technical details for vulnerabilities it reported in its integrated group of applications designed to automate CRM, ERP, and SCM operations for organizations.
The two vulnerabilities, dubbed "BigDebIT" and rated a CVSS score of 9.9, were patched by Oracle in a critical patch update (CPU) pushed out earlier this January. But the company said an estimated 50 percent of Oracle EBS customers have not deployed the patches to date.
The security flaws could be exploited by bad actors to target accounting tools such as General Ledger in a bid to steal sensitive information and commit financial fraud.
According to the researchers, "an unauthenticated hacker could perform an automated exploit on the General Ledger module to extract assets from a company (such as cash) and modify accounting tables, without leaving a trace."
"Successful exploitation of this vulnerability would allow an attacker to steal financial data and cause delays in any financial reporting related to the company's compliance processes," it added.
It's worth noting that the BigDebIT attack vectors add to the already reported PAYDAY vulnerabilities in EBS discovered by Onapsis three years ago, following which Oracle released a series of patches as late as April 2019.
Targeting General Ledger for Financial Fraud
Tracked as CVE-2020-2586 and CVE-2020-2587, the new flaws reside in its Oracle Human Resources Management System (HRMS) in a component called Hierarchy Diagrammer that enables users to create organization and position hierarchies associated with an enterprise. Together, they can be exploited even if EBS customers have deployed patches released in April 2019.
"The difference is that with these patches, it is confirmed that even with the systems up to date are vulnerable to these attacks, and therefore need to prioritize the installation of January's CPU," the company had stated in a note posted back in January.
One consequence of these bugs, if left unpatched, is the possibility of financial fraud and confidential information theft by attacking a firm's accounting systems.
Oracle General Ledger is an automated financial processing software that acts as a repository of accounting information and is offered as part of E-Business Suite, the company's integrated suite of applications — spanning enterprise resource planning (ERP), supply chain management (SCM), and customer relationship management (CRM) — that users can implement into their own businesses.
General Ledger is also used to generate corporate financial reports as well as carry out audits to ensure compliance with the SOX Act of 2002.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
An attacker could break this trust by exploiting the flaws to modify critical reports in the ledger, including fraudulently manipulating transactions on a firm's balance sheets.
"For example, an attacker could modify the Trial Balance Report, which summarizes accounting balances in a given period, virtually unnoticed, resulting in inaccurately reported results flowing undetected into the financial statements. This could result in inaccurately filed or reported financial results," Onapsis said.
The Importance of Patching Critical Software
Given the financial risk involved, it is highly recommended that companies using Oracle EBS run an immediate assessment to ensure they are not exposed to these vulnerabilities, and apply the patches to fix them.
"Organizations need to be aware that current GRC tools and other traditional security methods (firewalls, access controls, SoD and others) would be ineffective against preventing this type of attack on vulnerable Oracle EBS systems," the researchers cautioned.
"If organizations have internet-facing Oracle EBS systems, the potential threat likelihood would be significantly magnified. Organizations under attack will be unaware of the attack and not know the extent of the damage until evidence is found by a very extensive internal or external audit."