Thousands of NetSuite eCommerce Sites Face Security Flaw | Several.com
Oracle NetSuite Vulnerability Puts Thousands of Sites at Risk

Published On: August 20, 2024

Cybersecurity researchers have recently uncovered a critical issue affecting thousands of Oracle NetSuite eCommerce sites. Misconfigured access controls could potentially expose sensitive customer information. This problem specifically involves NetSuite's SuiteCommerce platform, which is widely used by businesses to manage their online stores.

The vulnerability arises from misconfigured access controls on custom record types (CRTs), which are essential data structures within the SuiteCommerce platform. These CRTs are configured in a way that allows unauthorized users to exploit NetSuite’s APIs, particularly the record and search APIs, to access sensitive data, including full customer addresses and mobile phone numbers. This issue is not due to an inherent flaw in NetSuite's software but rather stems from the way businesses have set up their access controls.

According to Aaron Costello, Chief of SaaS Security Research at AppOmni, the risk of data exposure is significant because the CRTs often employ table-level access controls set to "No Permission Required." This setting inadvertently grants unauthenticated users the ability to access sensitive information. While the attack requires the malicious actor to know the name of the CRTs in use, once that information is obtained, they can easily exploit the vulnerability.

The impact of this misconfiguration is far-reaching, as it affects thousands of active SuiteCommerce websites. The data exposed could be used in various malicious ways, from identity theft to targeted phishing attacks.

This discovery comes alongside other significant cybersecurity disclosures, such as a recent finding by Cymulate regarding a potential vulnerability in Microsoft Entra ID (formerly Azure Active Directory). This issue allows attackers with administrative access on a server hosting a Pass-Through Authentication (PTA) agent to bypass credential validation, potentially gaining high-level privileges within an organization.

Both cases highlight the ongoing challenges organizations face in securing their digital environments against increasingly sophisticated threats.

Mitigation measures

To address this issue, security experts recommend several steps that administrators can take to mitigate the risk:

  • Tighten access controls: Administrators should immediately review and tighten access controls on CRTs, ensuring that sensitive fields are not accessible to the public.
  • Change access type: One of the most straightforward solutions is to change the Access Type of the record type definition to either "Require Custom Record Entries Permission" or "Use Permission List," which would restrict unauthorized access.
  • Consider site downtime: In severe cases, it might be prudent to take affected sites offline temporarily until the issue can be fully resolved.
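As an added illustration (not code from the article, AppOmni or NetSuite), the JavaScript below audits an exported list of custom record type definitions for the open Access Type described above and ranks what needs fixing first; the export format, the script IDs and the PII field-name heuristics are assumptions.

```javascript
// Three Access Type values for a custom record type, as named in the article.
const ACCESS_TYPES = {
  NONE: "No Permission Required",
  ENTRY_PERM: "Require Custom Record Entries Permission",
  PERM_LIST: "Use Permission List",
};

// Field-name heuristics for customer PII (assumed; extend for your account's naming).
const SENSITIVE_PATTERNS = [/addr/i, /phone/i, /mobile/i, /email/i, /ssn|taxid/i, /birth/i];

function isSensitiveField(field) {
  return SENSITIVE_PATTERNS.some((re) => re.test(field.id) || re.test(field.label));
}

// Returns one finding per CRT whose table-level access is open to unauthenticated
// users. HIGH: the record holds fields that look like PII, so lock it down now.
// MEDIUM: no obviously sensitive fields; public read may be intentional for
// web-store content, but an admin should confirm it rather than assume it.
function auditCustomRecordTypes(crts) {
  const findings = [];
  for (const crt of crts) {
    if (crt.accessType !== ACCESS_TYPES.NONE) continue; // already restricted
    const exposed = crt.fields.filter(isSensitiveField).map((f) => f.id);
    findings.push({
      scriptId: crt.scriptId,
      severity: exposed.length > 0 ? "HIGH" : "MEDIUM",
      exposedFields: exposed,
      // Either restricted value closes the gap; "Use Permission List" lets the
      // admin grant exactly the roles that legitimately need the record.
      recommendedAccessType: ACCESS_TYPES.PERM_LIST,
    });
  }
  // HIGH findings first so the remediation queue starts with real exposure.
  return findings.sort((a, b) => (a.severity === b.severity ? 0 : a.severity === "HIGH" ? -1 : 1));
}

// Constructed sample export: script IDs, labels and fields are made up for the demo.
const SAMPLE_CRTS = [
  { scriptId: "customrecord_store_customer_profile", accessType: "No Permission Required",
    fields: [{ id: "custrecord_prof_addr1", label: "Address Line 1" },
             { id: "custrecord_prof_mobile", label: "Mobile Phone" }] },
  { scriptId: "customrecord_store_banner", accessType: "No Permission Required",
    fields: [{ id: "custrecord_banner_img", label: "Image URL" }] },
  { scriptId: "customrecord_loyalty_profile", accessType: "Use Permission List",
    fields: [{ id: "custrecord_loy_email", label: "Email" }] },
];

console.log(JSON.stringify(auditCustomRecordTypes(SAMPLE_CRTS), null, 2));
```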
