Cybersecurity researchers have issued a warning about a significant weakness affecting numerous externally facing Oracle NetSuite e-commerce sites. The misconfiguration may expose sensitive customer data, including full addresses and mobile phone numbers, placing customers at risk of data leakage.
Aaron Costello from AppOmni highlighted a potential flaw within NetSuite’s SuiteCommerce platform. This flaw arises from misconfigured access controls on custom record types (CRTs), which may allow unauthorized users to access sensitive data. It is important to clarify that the underlying issue lies not within NetSuite’s product itself but in customer configurations that fail to apply adequate security measures.
The exposure relies on CRTs configured with the “No Permission Required” access type, which allows unauthenticated users to retrieve records through NetSuite’s record and search APIs. This is a serious security oversight that threat actors could exploit if they know the names of the CRTs in use.
To mitigate the risk, security experts recommend that site administrators enforce stricter access controls on CRTs. Sensitive fields should have their field-level access set to “None” to block public access, and temporarily taking affected sites offline should be considered to prevent unauthorized data exposure. In simple terms, changing the Access Type of the record type definition to ‘Require Custom Record Entries Permission’ or ‘Use Permission List’ significantly improves security.
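The following audit script, added here as an illustration and not code from AppOmni or NetSuite, shows how a defender could flag the misconfiguration described above: it walks a list of CRT definitions, reports the fields an unauthenticated caller could read, and produces a hardened copy. The CRT definition structure and the sample inventory are constructed, simplified models of the two settings discussed (Access Type and per-field access level), not a NetSuite export format.

```python
from dataclasses import dataclass

# Access type that exposes a CRT to unauthenticated callers (from the advisory)
PUBLIC_ACCESS = "No Permission Required"
# Field name fragments treated as sensitive for this audit (constructed heuristic)
SENSITIVE_HINTS = ("address", "phone", "email")


@dataclass
class CustomRecordType:
    """Simplified, constructed model of a CRT: its Access Type plus
    a mapping of field name -> field-level access ('None', 'View', 'Edit')."""
    name: str
    access_type: str
    fields: dict


def exposed_fields(crt):
    """Fields an unauthenticated user could read from this CRT."""
    if crt.access_type != PUBLIC_ACCESS:
        return []                      # a permission is required: nothing is public
    return [f for f, level in crt.fields.items() if level != "None"]


def is_sensitive(field_name):
    return any(hint in field_name.lower() for hint in SENSITIVE_HINTS)


def audit(crts):
    """Return (crt name, publicly readable fields, sensitive subset) per exposed CRT."""
    findings = []
    for crt in crts:
        exposed = exposed_fields(crt)
        if exposed:
            findings.append((crt.name, exposed, [f for f in exposed if is_sensitive(f)]))
    return findings


def harden(crt):
    """Hardened copy: require the CRT permission and set sensitive fields to 'None'."""
    fields = {f: ("None" if is_sensitive(f) else lvl) for f, lvl in crt.fields.items()}
    return CustomRecordType(crt.name, "Require Custom Record Entries Permission", fields)


# Constructed sample inventory: one harmless public CRT, one leaking PII, one already locked down
SAMPLE = [
    CustomRecordType("customrecord_store_locator", PUBLIC_ACCESS, {"name": "View", "opening_hours": "View"}),
    CustomRecordType("customrecord_customer_profile", PUBLIC_ACCESS,
                     {"name": "View", "home_address": "View", "mobile_phone": "Edit"}),
    CustomRecordType("customrecord_orders", "Use Permission List", {"home_address": "View"}),
]

if __name__ == "__main__":
    for name, exposed, sensitive in audit(SAMPLE):
        print(f"{name}: publicly readable {exposed}; sensitive {sensitive}")
```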
This disclosure coincides with Cymulate’s report on risks within Microsoft Entra ID (formerly Azure Active Directory). Researchers described a method for manipulating the credential validation process, putting hybrid identity infrastructures at risk of unauthorized access with elevated privileges.
In the Microsoft Entra ID scenario, attackers must first have administrative access to a server that runs a Pass-Through Authentication (PTA) agent. This agent validates sign-ins for users accessing on-premises and cloud applications through Entra ID. The issue arises when multiple on-premises domains sync with a single Entra tenant: authentication requests can be routed to the wrong domain, creating a path to illicit access.
The issues highlighted in both Oracle NetSuite and Microsoft Entra ID exemplify a worrying trend in which misconfigurations and flaws in access control create exploitable entry points. Adversaries could use techniques that map to the MITRE ATT&CK tactics of Initial Access and Persistence to carry out such intrusions.
Organizations relying on these platforms must prioritize tightening their security configurations. In doing so, they will safeguard themselves against the potential ramifications of unauthorized data exposure and maintain the integrity of sensitive customer information. As data breaches become increasingly prevalent, it is imperative for business leaders to remain vigilant and proactive in their cybersecurity efforts.