Thousands of Oracle E-Business Suite customers are vulnerable to a security bug that can be exploited for bank fraud.

Security company Onapsis estimates that roughly half of all companies using the Oracle EBS software have not yet patched CVE-2019-2648 and CVE-2019-2633, despite Big Red having pushed out fixes for both bugs back in April.

The two vulnerabilities are found in the Thin Client Framework API and are described as reflected SQL injections. An attacker who could remotely access the EBS server via HTTPS would be able to exploit the bug and send arbitrary commands to the vulnerable machine.

While this flaw is dangerous to EBS as a whole, it is particularly bad for servers that use the Payments module included with the suite. The Payments tool allows companies to set up and schedule direct deposits and automatic money transfers to suppliers or partners as well as handle invoices and orders. The bank routing and account numbers for transfer orders are kept on the server as text files and automatically loaded when needed.

You can guess where this is going.

An attacker who exploited either of the SQL injection flaws would be able to remotely modify those transfer order files to include instructions to move cash to an account of their choosing. Instant bank fraud.
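The weak link in that chain is that the server loads the transfer files without checking that they are the ones Payments wrote. The following is an added example (not Oracle's code, and the JSON record layout and demo key are assumptions, since the page does not show the real file format) of a compensating control: each order is sealed with an HMAC when spooled and verified before it is loaded, so an order whose account number was rewritten on disk is rejected.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample record; the real EBS transfer-file layout is not on the page.
SAMPLE_ORDER: Dict[str, str] = {
    "order_id": "PAY-1001",
    "payee": "Acme Supplies",
    "routing": "021000021",
    "account": "000123456789",
    "amount": "12500.00",
}


def canonical(order: Dict[str, str]) -> bytes:
    # Stable serialisation so the same order always produces the same bytes.
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def seal(order: Dict[str, str], key: bytes) -> str:
    # Tag written alongside the order when Payments spools it.
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify(order: Dict[str, str], tag: str, key: bytes) -> bool:
    return hmac.compare_digest(seal(order, key), tag)


def load_orders(records: List[Tuple[Dict[str, str], str]], key: bytes):
    # Only orders whose tag still matches are handed to the transfer step.
    accepted, rejected = [], []
    for order, tag in records:
        (accepted if verify(order, tag, key) else rejected).append(order)
    return accepted, rejected


def demo():
    key = b"constructed-demo-key"  # assumption: real key lives off the EBS host
    good = dict(SAMPLE_ORDER)
    tag = seal(good, key)
    # Same file after an attacker rewrote the destination account on disk.
    tampered = dict(SAMPLE_ORDER, account="999999999999")
    return load_orders([(good, tag), (tampered, tag)], key)
```

The control only helps if the key is not reachable from the compromised server or database; if the injection point can read it, the attacker simply re-seals the modified file.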

For those not convinced, Onapsis has put together a proof-of-concept video showing how the attack would work.

In a second scenario, Onapsis shows how the same bugs could be used for a slightly more old-school type of financial fraud: printing bogus checks. If the EBS server was also being used to print paper checks, the remote attacker would potentially be able to do that as well, though Onapsis notes the attacker would of course need access to the printer and the check templates, which might be stored on a different machine. Still, such an attack would at least be theoretically possible.

While the bugs themselves are serious risks (both have been given CVSS scores of 9.9), perhaps even more worrying is the vast number of machines that are believed to be vulnerable, despite a patch for both having been out since April. Onapsis estimates that as many as half of the companies running EBS have yet to actually patch their machines.

The low patch rates are in part a reflection of how most enterprise staff prioritize ERP and supply chain platforms like Oracle EBS when it comes to security. As these apps are rarely facing the general public, they can get overlooked.

"Overall, companies tend to underestimate ERP cybersecurity, since most of them rely on separation of duties or other security measures for these types of platforms," Onapsis director of research Sebastian Bortnik told The Register.

"Based on this, it is unfortunately more common than expected to find ERP software without the latest security patches."

Having stayed silent on the bugs since those April updates went out, the security firm is now posting additional details in the hope that more customers will be pushed to patch their systems. ®