BigDebIT flaws in Oracle EBS allow hackers to alter financial records

Oracle addressed two flaws in E-Business Suite solution that can be exploited by attackers to tamper with an organization’s financial records.

Oracle addressed two security flaws in its E-Business Suite (EBS) business management solution that could allow attackers to carry out a broad range of malicious activities, including to tamper with an organization’s financial records.

Oracle EBS is currently used by tens of thousands of organizations worldwide, it is an all in one business management solution that includes applications for customer relationship management, finances, human resources, supply chain management, contracts, procurement, and planning.

The flaws were discovered last year by experts at Onapsis along with other security issues. Oracle addressed some of the flaws in April 2019, except two issues tracked as CVE-2020-2586 and CVE-2020-2587and dubbed “BigDebIT” that were fixed in January 2020.

Unfortunately, a large number of vulnerable Oracle systems are still exposed online.

Onapsis researchers reported that attackers could exploit the flaws to target the General Ledger application in EBS.

General Ledger is a financial management tool used to track financial transactions that take place during the life of an operating company.

Onapsis demonstrated that a remote and unauthenticated attacker could exploit the BigDebIT flaws to alter financial reports, even after the closure of a financial reporting period, bypassing security solutions in place and hiding its activity.

“Once a financial reporting period is closed, financial data should not change. If an attacker modifies General Ledger reports between the period closure and the audit, it will cause critical damage to the company and its compliance process,” Onapsis explained in a report.

“Altered balances, depending on size and significance, may cause an alert during the audit period through common controls such as account reconciliations or variance reviews, and depending on the complexity of the changes, it could be really difficult (or even impossible) to identify and explain why financial balances do not match system data given that there is no record of the change that was made.”

“The level of effort required by internal resources, external resources (specialists and/or external auditors, etc.) in terms of labor hours and fees will be significant. Despite an organization’s best efforts this still may not uncover additional useful information indicating that this change was made by exploiting the General Ledger with these Oracle EBS vulnerabilities and not an actual business or accounting transaction,” the company added.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Oracle EBS)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.