Customer information is at risk of being exposed by thousands of Oracle NetSuite sites.


Warnings are being issued by cybersecurity researchers about the discovery of thousands of externally-facing Oracle NetSuite e-commerce sites that have been found susceptible to leaking sensitive customer information.

AppOmni’s Aaron Costello said, “A potential issue in NetSuite’s SuiteCommerce platform could allow attackers to access sensitive data due to misconfigured access controls on custom record types (CRTs).”

It is important to emphasize here that the issue is not a NetSuite product security flaw; rather, it is a customer configuration error that can cause confidential data to leak. Full addresses and mobile phone numbers of registered e-commerce site customers are among the exposed data.

AppOmni’s attack scenario takes advantage of CRTs that use table-level access controls with the “No Permission Required” access type. This lets unauthenticated users use NetSuite’s record and search APIs to access data.

That said, for this attack to succeed, a number of prerequisites must be met, the foremost being that the attacker must know the names of the CRTs in use.

To mitigate the risk, site administrators should consider temporarily taking impacted sites offline to prevent data exposure, tightening access controls on CRTs, and setting sensitive fields to “None” for public access.

“The easiest solution from a security standpoint may involve changing the Access Type of the record type definition to either ‘Require Custom Record Entries Permission’ or ‘Use Permission List,’” Costello said.

Cymulate revealed a method for evading authentication in hybrid identity infrastructures and manipulating the credential validation process in Microsoft Entra ID (formerly Azure Active Directory), allowing attackers to establish persistence and sign in with high privileges within the tenant.

Carrying out the attack requires admin access on a server running a Pass-Through Authentication (PTA) agent, a module that enables users to sign in to both on-premises and cloud-based applications using Entra ID. The issue stems from how Entra ID behaves when multiple on-premises domains are synced to a single Azure tenant. According to security researchers Ilan Kalendarov and Elad Beber, “this issue arises when authentication requests are mishandled by pass-through authentication (PTA) agents for different on-prem domains, leading to potential unauthorized access.”

“Attackers can log in as any synced AD user without knowing their actual password thanks to this vulnerability, which effectively transforms the PTA agent into a double agent. If such privileges were granted, this could potentially grant access to a global admin user.”
