News

Thousands of businesses vulnerable to 'severe' Oracle EBS flaws

The suite of enterprise products can be exploited for financial fraud and theft

20 Nov 2019

Security researchers at Onapsis have discovered a number of 'severe' vulnerabilities in Oracle's E-Business Suite (EBS) that could leave more than 21,000 organisations at risk of financial theft and fraud.

Oracle EBS has become a critical set of products that help to integrate customer relationship management (CRM), enterprise resource planning (ERP) and supply chain management processes within a business.

The vulnerabilities have been given a CVSS score of 9.9 – only four other issues have been given the same a score since 2015, according to Onapsis, although many more have been assigned a score of 10.0 (highest).

Businesses could be exploited in two different scenarios, the first involving manipulation of the wire transfer payment system whereby an attacker can reroute invoice payments to a bank account of their choosing without leaving a digital footprint.

Attackers could also create and print genuine bank checks through the Oracle EBS check printing process, disabling and erasing audit logs to conceal rogue activity.

"This threat research demonstrates something which has historically been chronically underreported in IT and cyber security: That business-critical applications, specifically ERP systems, used by the world's largest and most relied upon organisations are vulnerable to attackers stealing potentially billions," said Mariano Nunez, CEO and co-founder of Onapsis to IT Pro.

"The advice we would provide to any users of Oracle EBS in the wake of this disclosure would be to utilise diagnostic tools and services to help them to highlight the most vulnerable areas of business operations, and to then deploy the appropriate patches and compensating controls."

Onapsis researchers have been working with Oracle's Security Response Team in order to disclose the issues and create patches. The original vulnerabilities were patched in April 2018 but subsequent flaws have been patched as recently as April 2019. It's believed more than 21,000 Oracle EBS customers are still vulnerable to the attacks.

Oracle ran a simulation in 2017 of a realistic financial structure based on a large business with more than 25 years of experience with ERP deployments. Highlighting the risk these vulnerabilities present, the simulation found it was possible to process 1 million payments per hour.