Oracle’s E-Business Suite is a collection of enterprise resource planning (ERP), customer relationship management (CRM), and supply-chain management (SCM) computer applications. Reports indicate that over 21,000 global organizations use Oracle EBS. Two critical vulnerabilities (CVE-2019-2638, CVE-2019-2633) in Oracle EBS have turned around the face of security for businesses. These vulnerabilities (also known as ORACLE EBS PAYDAY vulnerabilities) could allow an attacker to completely compromise the Oracle EBS system. Additionally, an attacker can maliciously transfer electronic funds, print a bank check in the attacker’s name, read sensitive information or modify business data.
These critical security bugs though were patched by Oracle in April 2019, thousands of business systems are still found to be unpatched and exposed to attack. An IDC survey of 430 IT decision makers indicates that 64% of the organizations have reported an ERP breach.
Onapsis points out in there survey,
survey, coupled with critical alerts from the U.S. Department of Homeland Security continues to show that ERP systems are under fire more than ever.
These flaws are still a matter of concern as several attacks have been reported in the last 12 months.
As explained by Onapsis, the vulnerability lies in Thin Client Framework (TCF) which is an API provided to developers to build server-based applications by reducing the amount of processing at the client-side. TCF is known to be enabled by default on all EBS and cannot be disabled. TCF can be accessed through simple HTTP(S) requests thus making all EBS systems connected to the internet a potential target for attackers. Onapsis estimates that at least 1,500 EBS systems could be connected directly to the internet.
The two critical vulnerabilities:
- CVE-2019-2638 is a vulnerability in the ‘Consolidation Hierarchy Viewer‘ component of Oracle General Ledger.
- CVE-2019-2633 is a vulnerability in the ‘Messages‘ component of Oracle Work in Process.
These vulnerabilities are easily exploitable and attacks could affect additional products too. An attacker who successfully exploits the vulnerabilities could gain complete access to critical data and allow unauthorized creation, deletion or modification of the critical data or allow an attacker to cause denial of service condition.
Onapsis published a report detailing two possible scenarios of financial fraud using Oracle EBS. The normal process for fund transfer involves a payment module for transactions. The information for this transaction is provided by financial and accounting modules and previously generated invoices for suppliers. EBS communicates with a bank for fund transfer using a preconfigured transmission protocol provided by Oracle or a custom protocol created by a company. This can also be carried out manually using the documents produced by EBS.
Malicious Electronics Fund Transfer
All companies have a specific day when the payments are processed. Instructions about the Electronic Funds Transfer (EFT) for the bank are created by EBS as a text document with a previously configured format. The EFT file contains information about each pre-approved electronic transfer in the payment order, which includes amount to br transfered, the destination and source bank name, branch number and destination account number etc. The created EFT file is sent to the bank using transmission protocols provided by EBS or a communication protocol configured by the user. The EFT file is to instruct the bank to complete the transaction without the need for any further approval.
An attacker who abuses these vulnerabilities in EBS can modify the EFT details leading to compromise of the entire transaction process happening for several hundreds of accounts.
Malicious Check Printing
Printed Cashable Checks is another important payment method used to make secure transactions. Companies use printers configured to work with EBS for printing checks. Any instruction about money movements coming from EBS is always considered legitimate. When EBS has to print a check, the application server must be configured to reach the printer. The OS treats the check printer as a regular one which can be used to print any other files too.
An attacker can gain control over the OS of the EBS application server to print checks with desired details. But, the attacker needs to put in extra effort in ensuring the validity of the check number. An attacker can take over the EBS application server by exploiting a flaw in EBS and gain access to the check printer by modifying OS commands in different module configurations or by manipulating procedures and concurrent processes. After retrieving a valid check number and template, an attacker can create a file with an arbitrary cashable check and print it.
Another very threatening fact is that the application also allows an attacker to cover his tracks. SQL protocol can be used to erase audit logs and restore it to the state before the attack, leaving no trace behind.
Oracle E-Business Suite (EBS)
These vulnerabilities affect Confidentiality, Integrity and Availability of the EBS system. An attacker who successfully exploits the vulnerabilities could gain complete access to critical data and allow unauthorized creation, deletion or modification of the critical data or allow an attacker to cause denial of service condition, which could disrupt businesses and lead to huge financial losses.
Oracle has released patches in April 2019 to mitigate these vulnerabilities. The attacks are more widespread now than ever and therefore we strongly recommend that these updates (if not already installed) be installed on the highest priority.