Nearly half of Oracle E-Business Suite users have not yet installed the patches for the PayDay vulnerabilities that the vendor closed in April 2019. In total, more than 20,000 Oracle EBS installations remain exposed to PayDay. Exploiting these bugs allows an attacker to withdraw money from a company's current account or create bank checks that can be cashed.
Specialists from Onapsis, a company that monitors security problems in Oracle solutions, found that approximately 21,000 installed E-Business Suite (EBS) instances are vulnerable to attacks using CVE-2019-2638 and CVE-2019-2633, collectively called PayDay. Both bugs have a critical threat level and experts rated them with 9.9 CVSS points.
"The severity of this vulnerability is evident from the significance of ERP systems such as Oracle to global business function; 77% of global revenue will pass through an ERP system at some point, of which Oracle's 21,000 EBS customers are just a proportion," Onapsis specialists report.
Patches for these flaws were included in the vendor's April security update, but not all users have hurried to install them.
Onapsis experts demonstrated two attack scenarios based on these bugs. In the first, an unauthenticated attacker is able to modify already-approved payment orders and redirect funds to an account under their control. The action leaves no trace in the event log, because the fraudulent operation bypasses the system's segregation-of-duties and access-control mechanisms.
The second type of attack targets the creation and printing of bank checks through the Oracle EBS check subsystem. The same flaw also lets the criminal cover their tracks by editing the application's audit log, and the generated checks can then be cashed at a bank.
According to analysts, exploiting these vulnerabilities can lead not only to theft of money but also to a takeover of the EBS system. Personal data may also be compromised during an attack, exposing the company to penalties under the EU General Data Protection Regulation (GDPR) and the US Sarbanes-Oxley Act on corporate financial transparency.
The PayDay vulnerabilities are not the only critical bugs found in the E-Business Suite this year. Oracle's July patch set fixed two similar flaws, one in the Oracle Field Service module and one in the EBS Payments subsystem. The latter handles the processing of financial transactions, so the detected problems could lead to a compromise of the bank card details stored in the application database.
Onapsis Research Labs strongly recommends that Oracle EBS customers apply Oracle's latest Critical Patch Update (CPU) to address these vulnerabilities, both of which were fixed in the April 2019 CPU: CVE-2019-2638 (CVSS v3 9.9) and CVE-2019-2633 (CVSS v3 9.9).