Countless Oracle NetSuite Websites at Risk of Revealing Customer Data
A group of cybersecurity researchers has issued a warning after identifying numerous externally facing Oracle NetSuite e-commerce sites that could expose private customer details.
“An issue that could potentially allow unauthorized access to sensitive data has been discovered in NetSuite’s SuiteCommerce platform. This is a result of improperly configured access controls on custom record types (CRTs),” said Aaron Costello of AppOmni.
It is important to note that the problem lies not in the security aspects of the NetSuite product itself, but in the misconfiguration by customers, which can lead to the disclosure of confidential data. The information that may be exposed includes the complete addresses and mobile numbers of the registered customers of these e-commerce websites.
The attack technique outlined by AppOmni takes advantage of CRTs whose table-level access control is set to the access type “No Permission Required”, which allows unauthenticated users to read data through NetSuite’s record and search APIs.
Nevertheless, for this attack to be successful, there are several prerequisites, with the primary one being that the attacker must know the names of the CRTs in use.
To reduce the risk, site administrators are advised to tighten access controls on CRTs, set sensitive fields to “None” for public access, and, if necessary, temporarily take affected sites offline to prevent data leakage.
“The simplest security solution may involve modifying the Access Type of the record type definition to either ‘Require Custom Record Entries Permission’ or ‘Use Permission List’,” Costello advised.
This disclosure coincides with Cymulate revealing a method to manipulate the credential validation process in Microsoft Entra ID (formerly Azure Active Directory) and bypass authentication in hybrid identity environments, enabling attackers to log in with elevated privileges within the tenant and establish persistence.
However, for this attack to work, an adversary must already have administrative access to a server hosting a Pass-Through Authentication (PTA) agent, the component that lets users authenticate to both on-premises and cloud-based applications using Entra ID. The root of the problem lies in how Entra ID handles the synchronization of multiple on-premises domains to a single Azure tenant.

“This flaw emerges when pass-through authentication (PTA) agents mishandle authentication requests for different on-prem domain users, potentially leading to unauthorized access,” said security researchers Ilan Kalendarov and Elad Beber.
“This vulnerability essentially transforms the PTA agent into a double agent, enabling attackers to log in as any synchronized AD user without knowledge of their actual password. This could provide access to a global admin user if such permissions were assigned.”