The Onapsis Research Labs has been working closely with Oracle Corporation's Security Response Team to fix several critical vulnerabilities in the Oracle E-Business Suite (EBS). The vulnerabilities, named PAYDAY, were initially patched in Oracle’s April 2018 Critical Patch Update (CPU) and subsequent vulnerabilities have been patched as late as the April 2019 CPU.
The Onapsis Research Labs believes that 21,000 or more of Oracle EBS customers may be at risk since the vulnerabilities exist in all versions of Oracle EBS. As both vulnerabilities have a CVSS score of 9.9, this defines the vulnerabilities as high risk and very rare—there have only been four 9.9 CVSS score vulnerabilities since 2015 including PAYDAY. The Onapsis Research Labs furthermore believes there are no viable workarounds other than applying the patches.
The severity of this vulnerability is evident from the significance of ERP systems such as Oracle to global business function; 77% of global revenue will pass through an ERP system at some point, of which Oracle’s 21,000 EBS customers are just a proportion. These vulnerabilities can only be mitigated by applying security patches. Onapsis estimates that 50% of Oracle EBS customers have not deployed the patches.
In 2017, Oracle themselves conducted a simulation of a realistic financial structure derived from a typical large enterprise based on more than 25 years’ experience with ERP deployments. This simulation found that it was possible to create 1,000,000 payments per hour, through 7,000,000 Imported Invoice Lines.
Successfully exploiting any of these vulnerabilities allows for financial theft and fraud and could lead to full control over the entire Oracle EBS system. Beyond the impact of financial fraud, these vulnerabilities represent a material compliance risk. For companies subject to Sarbanes-Oxley (SOX) in the United States and/or organizations subject to the European Union’s GDPR, these vulnerabilities must be promptly addressed.
The Onapsis Research Labs has prepared an in-depth threat report that demonstrates the risks of these PAYDAY vulnerabilities in two potential scenarios.
- Malicious manipulation of the wire transfer payment process through unauthenticated access (which would bypass Segregation of Duties (SoD) and access controls), through which an attacker can change approved Electronic File Transfers (EFTs) in the Oracle EBS system to reroute invoice payments to an attacker’s bank account, leaving no trace.
- Creating and printing approved bank checks through the Oracle EBS check printing process and disabling and erasing audit logs to cover up the activity. The PAYDAY attack scenarios are especially important for Oracle EBS customers to understand how critical Oracle EBS security updates could be to their overall security posture if not properly implemented.
Because these vulnerabilities can be exploited with unauthenticated access to Oracle EBS, organizations must be aware that existing SoD and access controls will not keep you protected. It is important to understand what the status quo is around Oracle EBS cybersecurity in your organization and get internal stakeholders aligned towards the goal of securing Oracle EBS applications. It is also recommended that you run a full Oracle EBS security assessment to learn where you may be vulnerable and at risk.
The Onapsis Research Labs strongly recommends Oracle EBS customers apply Oracle’s latest Critical Patch Update (CPU) to address these vulnerabilities, which have been patched as late as the April 2019 CPU including CVE-2019-2638 (fixed in April 2019), CVSS v3 9.9 and CVE-2019-2633 (fixed in April 2019), CVSS v3 9.9.
The below videos are two examples of potential exploit scenarios, one involving a wire transfer and one involving a printing of a forged check. Watch how these vulnerabilities could be exploited in practice, download the detailed Onapsis Threat Report and learn how you can engage with Onapsis on a complimentary risk assessment of your Oracle EBS environment in the link below.
ORACLE EBS PAYDAY: MANIPULATING WIRE TRANSFERS
ORACLE EBS PAYDAY: PRINTING APPROVED CHECKS
Learn more about the Oracle EBS PAYDAY vulnerabilities here.