Oracle PAYDAY Vulnerabilities ─ Thousands of Organizations at Risk

Exploit Scenarios Target Financial Fraud and Theft

Assess Your ERP System
for Risk Today

The Onapsis Business Risk Illustration is a complimentary assessment of your SAP and Oracle E-Business Suite systems to discover where risks and attack surfaces exist within your environment.

Onapsis delivers a detailed report of existing vulnerabilities and IT controls deficiencies highlighting the business impact, including exploit potential and compliance violations. Learn more about the assessment so you can schedule one today.

FREQUENTLY ASKED QUESTIONS

Q1. WHAT IS ORACLE EBS PAYDAY? WHAT DOES IT MEAN?

PAYDAY is the name that Onapsis uses to refer to a set of potential attacks against two Oracle EBS vulnerabilities. The name was chosen given the high risk that these vulnerabilities carry to potentially affect critical business information and processes. The Onapsis Research Labs believes that more than 21,000 global organizations who use Oracle EBS for financial management, customer relationship management (CRM), supply chain management (SCM), human capital management (HCM), logistics, and procurement may be at risk since the vulnerabilities exist in all versions of the Suite. 

As the vulnerabilities have a CVSS score of 9.9, this defines the vulnerabilities as a high risk and the Onapsis Research Labs furthermore believes there are no viable workarounds. These vulnerabilities can only be mitigated by applying the security patches. 

Successfully exploiting any of these vulnerabilities allows for financial theft and fraud and could lead to full control over the entire Oracle EBS system, including other potential exploitation scenarios such as modifying or deleting system data. Beyond the impact of financial fraud, these vulnerabilities represent a material compliance risk. For companies subject to Sarbanes-Oxley (SOX) in the United States and/or organizations subject to the European Union’s GDPR, these vulnerabilities must be promptly addressed. 

Q2. I’M AN ORACLE EBS CUSTOMER, HOW DO I NEED TO REACT TO PAYDAY?

The PAYDAY attack scenarios are especially important for Oracle EBS customers to understand how critical Oracle EBS security updates could be to their overall security posture if not properly implemented. Because these vulnerabilities can be exploited with unauthenticated access to Oracle EBS, organizations must be aware that existing Segregation of Duties (SoD) and access controls will not keep you protected. It is important to understand what the status quo is around Oracle EBS cybersecurity in your organization and get internal stakeholders aligned towards the goal of securing Oracle EBS applications. It is also recommended that you run a full Oracle EBS security assessment to learn where you may be vulnerable and at risk.

Q3. ARE THERE PATCHES AVAILABLE FOR ORACLE PAYDAY?

The Onapsis Research Labs has worked closely with Oracle Corporation's Security Response Team to fix several critical vulnerabilities in Oracle EBS. The initial vulnerabilities were patched in Oracle’s April 2018 Critical Patch Update (CPU) and subsequent vulnerabilities have been patched as late as the April 2019 CPU. 

• CVE-2019-2638 (fixed in April 2019), CVSS v3 9.9

• CVE-2019-2633 (fixed in April 2019), CVSS v3 9.9

Q4. WHY ARE SO MANY ORGANIZATIONS AT RISK OF ORACLE PAYDAY?

The vulnerabilities identified by the Onapsis Research Labs exist in theThin Client Framework (TCF) of Oracle EBS. TCF is an API used by all versions of Oracle EBS and is used to reduce the amount of processing at the client side and for allowing remote object invocation. 

Onapsis’s responsible disclosure policy does not allow us to release exploit code and/or technical details. For communication of the risks posed by these vulnerabilities, these vulnerabilities should be assumed as various types of remotely exploitable attacks. Depending on the patch levels (e.g. whether or not prior security patches have been applied), some of the vulnerabilities can also be exploited by an unauthenticated attacker.

Q5. MY ORACLE EBS SYSTEM IS CONTINUOUSLY AUDITED, WHY HAVEN'T THE RISKS OR ORACLE PAYDAY COME UP DURING MY INTERNAL/EXTERNAL AUDITS?

Unfortunately, auditors are not typically looking for these types of risks, even though timely application of security patches should be mandatory for every organization relying on EBS to support their business. To provide a proof of how critical these issues are, the Onapsis Research Labs has created two proof of concept attack scenarios. In spite of comprehensive auditing deployed both within the application and the database, due to the nature of the TCF vulnerabilities all audit trails of the exploits were able to be successfully erased.

We anticipate external audit firms will extend their current controls (which are mostly related to SoD) to address Oracle EBS cybersecurity risks in the near future. The status quo is clearly not sustainable, as these risks can be exploited to modify financial information, steal sensitive data and disrupt business-critical processes. We highly recommend that organizations evaluate their internal audit process to ensure they are incorporating these additional types of controls and manage business risk appropriately in advance of this happening.

Q6. WHAT ORACLE EBS SYSTEMS ARE EXPOSED?

Any Oracle EBS system without the proper patches installed (April 2019 CPU) is vulnerable to these attacks.

Q7. WHAT IS THE BUSINESS IMPACT OF A RISK LIKE ORACLE PAYDAY IN MY ORGANIZATION?

Successfully exploiting any of these vulnerabilities allows for financial theft and fraud and could lead to full control over the entire Oracle EBS system. Beyond the impact of financial fraud, these vulnerabilities represent a material compliance risk. For companies subject to Sarbanes-Oxley (SOX) in the United States and/or organizations subject to the European Union’s GDPR, these vulnerabilities must be promptly addressed. 

The Onapsis Research Labs has prepared two exploitation example scenarios of an attacker leveraging these vulnerabilities to pursue financial theft and fraud. The first is creating a malicious Electronic Fund Transfer (EFT) after exploiting the system and the second is fraudulent check printing. 

The EFT attack shows how an attacker could commit wire transfer fraud. The attack takes advantage of the standard financial process within Oracle EBS for approving payments and then submitting wire transfer instructions to a bank. The standard process for giving instructions to banks for wire transfers is done through an EFT file. 

The financial compromise attack leverages TCF vulnerabilities that allow the basic infrastructure of EBS to be exploited. Given that the architecture of EBS is well documented and this documentation is easily available on the internet, attackers using the TCF vulnerabilities are by no means limited to wire fraud. 

With access to the database supporting EBS, attackers could easily obtain a copy of the full customer master detailing out all customers and their orders. Likewise, if a company is publicly traded, attackers could obtain foreknowledge of financial results that would enable stock trading fraud based on insider knowledge. 

Q8. SHOULD MY ORGANIZATION INCLUDE THIS RISK IN OUR ANNUAL FINANCIAL REPORTING?

This is a question executive management has to discuss with the Board and the independent auditor. If the risk is present in your organization, you should assess its materiality, likelihood of occurrence and ability of detection with them. 

For example, attackers with full access to the basic infrastructure of Oracle EBS could directly or indirectly tamper with financial results. This could be done by altering records in the General Ledger or altering the reports and/or reporting mechanisms used to prepare financial statements. Financial Statement Generator (FSG) reports are primary means of producing both financial statements and ad-hoc inquiries in Oracle EBS. FSG report definitions, while stored in the database, are usually accessed by accounting departments from workstations and laptops using a Microsoft Excel add-on. Tampering with often used FSG reports to produce errant results would materially sabotage financial operations in ways not easily detected.

Being able to attest to the reliability of financial results is the core requirement of Sarbanes-Oxley (SOX). For companies subject to SOX compliance, the TCF vulnerabilities if left unmitigated represent a material finding. Ultimately, it will be up to the independent auditor to include Oracle PAYDAY as a risk to the integrity of the financial statements. Onapsis can only provide expert advice and support to management and auditors.

Q9. WHO SHOULD BE AWARE OF THIS RISK AT MY ORGANIZATION?

Management should be aware of this risk, starting with the CISO and CIO up to the CFO and CEO. Additionally, as a source of independent assurance, your internal audit team and the head of Compliance and Audit should assess this risk from a business perspective to become advocates and present it to the Audit Committee as well.

Q10. WOULD THIS BE DETECTED BY MY GRC SOLUTION / SEGREGATION OF DUTIES CONTROLS?

Unfortunately, these vulnerabilities are not detected by any solution performing GRC (SoD) controls for Oracle EBS. Because these attacks would be unauthenticated requiring no user credentials or passwords, attackers can easily bypass any SoD controls. Organizations will need to manually check for this or use an automated cybersecurity solution.

Q11. WOULD THIS BE MITIGATED BY IT GENERAL CONTROLS?

Unfortunately, these vulnerabilities are not under the general scope of IT General Controls. Even in a scenario where IT General Controls have a satisfactory state in your Oracle EBS application, the presence of this risk would equal the combination of several ITGC (IT General Controls) deficiencies. Based on our experience, the PAYDAY associated risks are usually not included in traditional audits. We encourage internal and external auditors to include the risk assessment of PAYDAY as part of your IT General Control audits for SAP systems.

Q12. IS IT ENOUGH IF I HAVE THE DETECTION SIGNATURE IN MY WEB-APPLICATION FIREWALL?

Most organizations deploy sophisticated defense-in-depth solutions to secure their networks. Web Application Firewalls (WAF) are commonly part of such solutions. All WAF solutions have coverage for certain specific remotely executable exploits. If the TCF attacks documented here are a variant and the WAF has the latest attack signatures for the exploit, will the WAF stop these TCF attacks? The answer is that it depends.

To be effective, WAFs need to be properly implemented and constantly maintained with the latest ruleset of attack signatures. Likewise, WAFs especially need to be carefully monitored. Given the number of possible attack techniques and vectors, the TCF attacks documented here should be assumed to differ greatly in how any one specific WAF could detect, alert and/or mitigate an attack. More than anything the skill and experience level of the human analyst monitoring the logs will be the most significant factor in the WAF’s ability to successfully defend against these attacks. 

The best guidance from the Onapsis Research labs for whether or not a WAF will detect and alert and/or mitigate the TCF attack scenarios documented is to assume that the WAF will fail to detect or stop the attacks. The security patches released by Oracle should be applied at the first opportunity.

Q13. HAVE THESE VULNERABILITIES BEEN COMPROMISED IN ANY ORACLE EBS CUSTOMERS?

Onapsis has no evidence of these vulnerabilities being exploited in the wild to date, but based on our field experience with customers, partners and prospects, we can confirm that any Oracle EBS implementation that has not applied the April 2019 Oracle Critical Patch are vulnerable to PAYDAY attacks. In fact, as most organizations are not able to detect the exploitation of these vulnerabilities, a system compromise may go undetected.

ABOUT ONAPSIS’S ORACLE EBS CYBERSECURITY EXPERTISE

Q1. HOW MANY VULNERABILITIES IN ORACLE EBS HAS THE ONAPSIS RESEARCH LABS HELPED ORACLE FIX TO DATE?

As the leading ERP cybersecurity expert, Onapsis has reported and helped secure over 150 security vulnerabilities in Oracle and over 500 including SAP applications.

Q2. HOW DOES THE ONAPSIS RESEARCH LABS WORK WITH ORACLE?

When the Onapsis Research Labs identifies a potential weakness, they immediately notify Oracle so they can begin evaluating and preparing a patch for the reported misconfiguration and vulnerability. The Onapsis Research Labs provides all necessary information to the vendor in order to confirm they have what they need to produce the patch. Onapsis never releases public information about a misconfiguration or vulnerability before it is patched by the vendor.

Q3. ARE ONAPSIS CUSTOMERS PROTECTED FROM THESE VULNERABILITIES?

Yes, The Onapsis Platform offers organizations the opportunity to eliminate risks related to these exploits and misconfigurations in three ways:

• by determining their level of exposure and potential business impact

• by continually assessing Oracle EBS to identify vulnerabilities and misconfigurations that put the organization at risk

• by prioritizing what vulnerabilities need to be addressed immediately to streamline risk mitigation