Hackers breach 62 US colleges by allegedly exploiting Ellucian Banner Web flaw

Pierluigi Paganini July 21, 2019

Hackers breached at least 62 college and university networks exploiting a flaw in Ellucian Banner Web Tailor, a module of the Ellucian Banner ERP.

US Department of Education warned that hackers have breached at least 62 college and university networks by exploiting a vulnerability in the Ellucian Banner Web Tailor module of the Ellucian Banner ERP.

The module is used by colleges and universities to customize their web applications.

The vulnerability, tracked as CVE-2019-8978, was discovered by the security expert Joshua Mulliken, it affects the authentication process used by the two modules of the ERP, including the Ellucian Banner Enterprise Identity Services used to manage user accounts.

“An improper authentication vulnerability (CWE-287) was identified in Banner Web Tailor and Banner Enterprise Identity Services. This vulnerability is produced when SSO Manager is used as the authentication mechanism for Web Tailor, where this could lead to information disclosure and loss of data integrity for the impacted user(s).” reads the security advisory published by the expert.

Ellucian Banner Web 2

The vulnerability could be exploited by a remote attacker to hijack users’ accounts.

“A user’s unique identifier, UDCID, is leaked via a cookie and it could lead to account compromise if this identifier is captured or otherwise known, in the case tested the UDCID was known to be the institutional ID printed on ID cards. The UDCID could be used to exploit a race condition that would provide an attacker with unauthorized access.” continues the advisory. “For a student, the attacker could drop them from their courses, reject financial aid, change their personal information, etc. For a professor, this could lead to an inability to manage their courses, allow a malicious student to put in false final grades, etc. For an administrator, an attacker could change users information, place false holds on student accounts, etc.”

Affected versions are Banner Enterprise Identity Services 8.3 and later, Ellucian addressed the vulnerability in May.

Unfortunately, threat actors started exploiting the CVE-2019-8978 flaw in the wild.

“The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation.” reads the alert published on the Federal Student Aid.

The educational institutions that were targeted by the attacks exploiting the vulnerability have reported that threat actors are using scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts.

Officials reported that attackers created at least 600 fake or fraudulent student accounts within a 24-hour period. The malicious activity is continuing over multiple days resulting in the creation of thousands of fake student accounts. The bad news is that some of the accounts created in the attacks were involved in criminal activity.

Officials warn that for those organizations that have not implemented network segregation attackers could access students’ financial aid data.

Ellucian denies that the creation of fake accounts is related to the vulnerability in its ERP.

“Although it was reported that attackers can leverage the vulnerability discussed above to create accounts, Ellucian believes this is not correct,” read a statement published by the company. “The issue described in the alert is not believed to be related to the previously patched Ellucian Banner System vulnerability and is not exclusive to institutions using Ellucian products.”

“Attackers are utilizing bots to submit fraudulent admissions applications and obtain institution email addresses through admission application portals,”

The company recommends implementing reCAPTCHA capabilities to the admission process.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Ellucian Banner Web, ERP)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment