Over 21,000 organisations that use Oracle's E-Business Suite could be at risk of financial fraud or theft as hackers can exploit a number of critical vulnerabilities known as PAYDAY to hijack an Oracle EBS system, reroute invoice payments, and erase audit logs to cover up their activity.
Several critical vulnerabilities in Oracle's E-Business Suite, commonly known as PAYDAY, were identified in 2017 and Oracle issued several security patches in 2018 and 2019 to mitigate these flaws. Managing these vulnerabilities is critical considering that 77% of global revenue will pass through an ERP system at some point.
Even though Oracle has been prompt in issuing security patches to ensure its customers do not become victims of financial fraud or theft as a result of cyber criminals exploiting critical vulnerabilities, as many as 21,000 organisations using the company's E-Business Suite continue to remain vulnerable to the exploitation of these flaws.
According to Onapsis Research Labs, the main reason for organisations' vulnerability is that 50% of Oracle EBS customers have not deployed security patches issued by the company. By failing to apply security patches, organisations are not only exposing themselves to financial fraud but are also falling foul of GDPR.
The security firm noted that if the PAYDAY vulnerabilities remain unpatched, hackers can bypass Segregation of Duties (SoD) and access controls to maliciously manipulate wire transfer payment processes. The manipulation includes the changing of approved Electronic File Transfers (EFTs) in the Oracle EBS system, and rerouting of invoice payments to an attacker’s bank account.
By exploiting the vulnerabilities, attackers can also create and print approved bank checks through the Oracle EBS check printing process and also disable and erase audit logs to cover up any signs of their manipulation.
Lack of patching of PAYDAY flaws rendering organisations vulnerable to EBS hijacking
"Because these vulnerabilities can be exploited with unauthenticated access to Oracle EBS, organisations must be aware that existing SoD and access controls will not keep you protected. It is important to understand what the status quo is around Oracle EBS cybersecurity in your organization and get internal stakeholders aligned towards the goal of securing Oracle EBS applications.
"It is also recommended that you run a full Oracle EBS security assessment to learn where you may be vulnerable and at risk," the firm added, stating that Oracle has been able to patch a number of PAYDAY vulnerabilities including CVE-2019-2638 (fixed in April 2019), CVSS v3 9.9 and CVE-2019-2633 (fixed in April 2019).
Commenting on the warning issued by Onapsis Research Labs, Robert Ramsden-Board, VP EMEA at Securonix, said that the Oracle EBS improper access control flaw should act as a stark reminder for enterprises of the importance of patching and updating software, particularly for high severity vulnerabilities and those that impact critical systems, like payments.
"An estimated 50% of all Oracle EBS customers have not deployed a patch despite one being available in April 2019. This points to organisations lacking proper cyber hygiene practices or the inability to detect and prioritise patches.
"Because of the financial risk involved, it is recommended that companies using Oracle EBS run an immediate assessment to ensure they are not exposed to these vulnerabilities; and in the longer term, make investments into next generation SIEM technology that can make this process easier," he added.