Hacking

BigDebIT flaws in Oracle EBS allow hackers to alter financial records

Oracle addressed two flaws in E-Business Suite solution that can be exploited by attackers to tamper with an organization’s financial records.

Oracle addressed two security flaws in its E-Business Suite (EBS) business management solution that could allow attackers to carry out a broad range of malicious activities, including to tamper with an organization’s financial records.

Oracle EBS is currently used by tens of thousands of organizations worldwide, it is an all in one business management solution that includes applications for customer relationship management, finances, human resources, supply chain management, contracts, procurement, and planning.

The flaws were discovered last year by experts at Onapsis along with other security issues. Oracle addressed some of the flaws in April 2019, except two issues tracked as CVE-2020-2586 and CVE-2020-2587and dubbed “BigDebIT” that were fixed in January 2020.

Unfortunately, a large number of vulnerable Oracle systems are still exposed online.

Onapsis researchers reported that attackers could exploit the flaws to target the General Ledger application in EBS.

General Ledger is a financial management tool used to track financial transactions that take place during the life of an operating company.

Onapsis demonstrated that a remote and unauthenticated attacker could exploit the BigDebIT flaws to alter financial reports, even after the closure of a financial reporting period, bypassing security solutions in place and hiding its activity.

“Once a financial reporting period is closed, financial data should not change. If an attacker modifies General Ledger reports between the period closure and the audit, it will cause critical damage to the company and its compliance process,” Onapsis explained in a report.

“Altered balances, depending on size and significance, may cause an alert during the audit period through common controls such as account reconciliations or variance reviews, and depending on the complexity of the changes, it could be really difficult (or even impossible) to identify and explain why financial balances do not match system data given that there is no record of the change that was made.”

“The level of effort required by internal resources, external resources (specialists and/or external auditors, etc.) in terms of labor hours and fees will be significant. Despite an organization’s best efforts this still may not uncover additional useful information indicating that this change was made by exploiting the General Ledger with these Oracle EBS vulnerabilities and not an actual business or accounting transaction,” the company added.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Oracle EBS)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Meta plans to train AI on EU user data from May 27 without consent

Meta plans to train AI on EU user data from May 27 without consent; privacy…

3 hours ago

AI in the Cloud: The Rising Tide of Security and Privacy Risks

Over half of firms adopted AI in 2024, but cloud tools like Azure OpenAI raise…

5 hours ago

Google fixed a Chrome vulnerability that could lead to full account takeover

Google released emergency security updates to fix a Chrome vulnerability that could lead to full…

5 hours ago

Nova Scotia Power discloses data breach after March security incident

Nova Scotia Power confirmed a data breach involving the theft of sensitive customer data after…

16 hours ago

Coinbase disclosed a data breach after an extortion attempt

Coinbase confirmed rogue contractors stole customer data and demanded a $20M ransom in a breach…

19 hours ago

U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Fortinet vulnerability to its Known Exploited Vulnerabilities…

1 day ago