Onapsis, the leading provider of business application protection have revealed new threat research into a recently discovered vulnerability on Oracle E-Business Suite – Oracle PAYDAY.
The attack scenarios exploit two vulnerabilities with CVSS scores of 9.9 out of 10 in Oracle EBS, Oracle’s ERP software installed at up to 21,000 companies. Onapsis discovered and reported the vulnerabilities to Oracle, which issued patches earlier this year. Onapsis estimates that 50% of Oracle EBS customers have not deployed the patches. The fact that Oracle runs mostly on Java, means that the attack would be relatively simple to carry out by anyone with knowledge of Java and Oracle EBS.
The Onapsis threat research details two attack scenarios:
- Malicious manipulation of the wire transfer payment process through unauthenticated access (which would bypass segregation of duties and access controls), though which an attacker can change approved EFTs in the EBS system to reroute invoice payments to an attacker’s bank account, leaving no trace.
- Creating and printing approved bank checks through the Oracle EBS check printing process and disabling and erasing audit logs to cover up the activity.
The severity of this vulnerability is evident from the significance of ERP systems such as Oracle to global business function. Indeed, 77% of global revenue will pass through an ERP system at some point, of which Oracle’s several thousand EBS customers are just a proportion. In 2017, Oracle themselves conducted a simulation, Oracle selected a realistic financial structure derived from a typical large enterprise based on more than 25 years’ experience with ERP deployments. This simulation found that it was possible to create 1,000,000 payments per hour, through 7,000,000 Imported Invoice Lines. Therefore, successful PayDay exploits may go unnoticed amongst so many transactions.
Commenting on this threat report. Mariano Nunez, CEO and Co-founder of Onapsis said:
“This threat research demonstrates something which has historically been chronically underreported in IT and cyber security: That business-critical applications, specifically ERP systems, used by the world’s largest and most relied upon organisations are vulnerable to attackers stealing potentially billions. The advice we would provide to any users of Oracle EBS in the wake of this disclosure would be to utilise diagnostic tools and services to help them to highlight the most vulnerable areas of business operations, and to then deploy the appropriate patches and compensating controls.”
The threat report is available here, and the demo video demonstrating how users can manipulate the process can be found here.
All companies using Oracle should ensure that they are running the latest patch to ensure complete protection against any vulnerability.