Critical vulnerability in Oracle grants hackers full access. Update as soon as possible

Research published by vulnerability testing experts at security firm Onapsis claims that multiple vulnerabilities have been discovered in Oracle's E-Business Suite. If exploited, these flaws would allow threat actors to gain full control of electronic transfers and even print undetected checks.

The report mentions that the attack, known as Oracle Payday, involves exploiting two key vulnerabilities. Although Oracle states that the vulnerabilities have been patched, Onapsis notes that only half of this software's users install the updates, so the risk remains latent for more than 10,000 companies using the ERP.

Although most companies that use this software do so only on an intranet, vulnerability testing experts estimate that at least 1,500 systems are connected to the public Internet. If the security patches are not installed, the attack can be triggered by an unauthenticated remote hacker to gain full access to the exposed system.

Because Oracle EBS includes a payment module that lets companies transfer money from bank accounts or generate paychecks, the potential risk is enormous for any company operating this system. After the vulnerability report was received, the Oracle Payday attack was assigned a score of 9.9/10 on the Common Vulnerability Scoring System (CVSS) scale.

The first update that Oracle released to fix the issue dates from April 2018; additional patches have since been added to fix other aspects of the vulnerability, including the latest fix, for CVE-2019-2638 and CVE-2019-2633, which is included in the Oracle Critical Patch Update package.

While the ERP includes audit tables for its payment modules, the SQL protocol allows attackers to execute arbitrary queries as the APPS user, so it is possible to disable and delete these audit log tables, according to vulnerability testing specialists from the International Institute of Cyber Security (IICS).

The security firm claims that it also has a proof of concept for the attack, which demonstrates a way to detect and delete these audit tables, leaving no record of the attack.
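Because the attack described above relies on the APPS user disabling or dropping the audit tables, a database administrator can watch for exactly that. The queries below are an added defensive example, not code from the article, Onapsis or Oracle; they assume traditional database auditing is enabled (AUDIT_TRAIL=DB with DDL on APPS objects audited) and use a placeholder table-name prefix (`AP_%`) that you should replace with the payment tables audited in your own EBS installation.

```sql
-- Added example (not from the article): defender-side checks for tampering
-- with Oracle EBS audit trail objects owned by the APPS schema.
-- Assumptions: standard auditing is active (AUDIT_TRAIL=DB) and DDL on APPS
-- tables/triggers is audited; 'AP_%' is a placeholder for your payment tables.

-- 1. Audit triggers on APPS payment tables that are no longer enabled.
--    Any row here means the audit trail for that table has been switched off.
SELECT owner, trigger_name, table_name, status
  FROM dba_triggers
 WHERE owner = 'APPS'
   AND table_name LIKE 'AP_%'        -- placeholder prefix, adjust to your site
   AND status <> 'ENABLED';

-- 2. Destructive DDL against APPS objects in the last 24 hours.
--    Dropping or truncating an audit table, or altering its trigger,
--    shows up here with the database and OS user and the originating host.
SELECT timestamp, username, os_username, userhost, action_name, obj_name
  FROM dba_audit_trail
 WHERE owner = 'APPS'
   AND action_name IN ('DROP TABLE', 'TRUNCATE TABLE',
                       'ALTER TRIGGER', 'DROP TRIGGER')
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;
```

Run both as a privileged DBA account on a schedule and alert on any non-empty result; an empty result from the second query only means something if the audit policy itself is confirmed to be in place.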