BigDebIT flaws in Oracle EBS allow hackers to alter financial records

Pierluigi Paganini June 16, 2020

Oracle addressed two flaws in E-Business Suite solution that can be exploited by attackers to tamper with an organization’s financial records.

Oracle addressed two security flaws in its E-Business Suite (EBS) business management solution that could allow attackers to carry out a broad range of malicious activities, including to tamper with an organization’s financial records.

Oracle EBS is currently used by tens of thousands of organizations worldwide, it is an all in one business management solution that includes applications for customer relationship management, finances, human resources, supply chain management, contracts, procurement, and planning.

The flaws were discovered last year by experts at Onapsis along with other security issues. Oracle addressed some of the flaws in April 2019, except two issues tracked as CVE-2020-2586 and CVE-2020-2587and dubbed “BigDebIT” that were fixed in January 2020.

Unfortunately, a large number of vulnerable Oracle systems are still exposed online.

Onapsis researchers reported that attackers could exploit the flaws to target the General Ledger application in EBS.

General Ledger is a financial management tool used to track financial transactions that take place during the life of an operating company.

Onapsis demonstrated that a remote and unauthenticated attacker could exploit the BigDebIT flaws to alter financial reports, even after the closure of a financial reporting period, bypassing security solutions in place and hiding its activity.

“Once a financial reporting period is closed, financial data should not change. If an attacker modifies General Ledger reports between the period closure and the audit, it will cause critical damage to the company and its compliance process,” Onapsis explained in a report.

“Altered balances, depending on size and significance, may cause an alert during the audit period through common controls such as account reconciliations or variance reviews, and depending on the complexity of the changes, it could be really difficult (or even impossible) to identify and explain why financial balances do not match system data given that there is no record of the change that was made.”

“The level of effort required by internal resources, external resources (specialists and/or external auditors, etc.) in terms of labor hours and fees will be significant. Despite an organization’s best efforts this still may not uncover additional useful information indicating that this change was made by exploiting the General Ledger with these Oracle EBS vulnerabilities and not an actual business or accounting transaction,” the company added.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Oracle EBS)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment