Thousands of Oracle NetSuite sites at risk of customer data exposure

August 20, 2024 | Ravie Lakshmanan | Corporate Security / Data Breaches

Cybersecurity researchers are warning of the discovery of thousands of external-facing Oracle NetSuite ecommerce sites vulnerable to leaks of sensitive customer data.

“A potential vulnerability in NetSuite’s SuiteCommerce platform could allow attackers to access sensitive data due to misconfigured access controls on custom record types (CRTs),” said Aaron Costello of AppOmni.

It is worth emphasizing here that the issue is not a security vulnerability in the NetSuite product, but rather a customer misconfiguration that could lead to the leakage of confidential data. The exposed information includes full addresses and mobile phone numbers of registered customers of the e-commerce sites.

The attack scenario described by AppOmni leverages CRTs that use table-level access control with the access type “No Permission Required,” allowing unauthenticated users to access data using NetSuite’s record and search APIs.

Several conditions must hold for the attack to succeed; the most important is that the attacker knows the names of the CRTs in use.

To mitigate the risk, it is recommended that site administrators tighten access controls on CRTs, set sensitive fields to ‘None’ for public access, and consider temporarily taking affected sites offline to prevent data exposure.

“The simplest solution from a security perspective might be to change the access type of the record type definition to ‘Require permission for custom record entries’ or ‘Use permission list,’” Costello said.
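The following is an added example, not code from AppOmni, NetSuite or the article: a small audit script that models the two settings the article discusses, the record-type access type (the three values quoted above) and field-level public access, flags CRTs whose fields an unauthenticated caller could read, and applies the recommended hardening. The data model, field names and access-level values ("View"/"None") are constructed stand-ins for an exported CRT configuration; NetSuite's real definition objects and API names are not used.

```python
"""Audit of custom record type (CRT) access settings (added example).

Constructed, simplified model: a CRT is readable without authentication only
when its access type is 'No Permission Required' AND the field in question is
not set to 'None' for public access. Real NetSuite objects are not used.
"""
from dataclasses import dataclass, replace
from enum import Enum


class AccessType(Enum):
    """The three record-type access types named in the article."""
    NO_PERMISSION_REQUIRED = "No Permission Required"
    REQUIRE_PERMISSION = "Require permission for custom record entries"
    USE_PERMISSION_LIST = "Use permission list"


@dataclass(frozen=True)
class CustomRecordType:
    name: str
    access_type: AccessType
    # Hypothetical field-level public access: "None" hides the field from
    # unauthenticated callers; any other level (here "View") exposes it.
    public_field_access: dict


def can_read_unauthenticated(crt: CustomRecordType, field_name: str) -> bool:
    """Table-level check first, then field-level check."""
    if crt.access_type is not AccessType.NO_PERMISSION_REQUIRED:
        return False  # a role permission is required, anonymous access denied
    return crt.public_field_access.get(field_name, "None") != "None"


def audit(crts, sensitive_fields):
    """Return one finding per CRT with at least one publicly readable field,
    listing which of those fields the administrator marked as sensitive."""
    findings = []
    for crt in crts:
        exposed = [f for f in crt.public_field_access
                   if can_read_unauthenticated(crt, f)]
        if not exposed:
            continue
        findings.append({
            "record_type": crt.name,
            "exposed_fields": exposed,
            "sensitive_exposed": [f for f in exposed if f in sensitive_fields],
        })
    return findings


def harden(crt: CustomRecordType, sensitive_fields) -> CustomRecordType:
    """Apply both mitigations from the article: move the record type off
    'No Permission Required' and set sensitive fields to 'None'."""
    new_fields = {f: ("None" if f in sensitive_fields else level)
                  for f, level in crt.public_field_access.items()}
    return replace(crt, access_type=AccessType.REQUIRE_PERMISSION,
                   public_field_access=new_fields)


# Constructed sample configuration (names and fields are invented).
SENSITIVE = {"full_address", "mobile_phone"}
SAMPLE_CRTS = [
    CustomRecordType("customrecord_customer_profile",
                     AccessType.NO_PERMISSION_REQUIRED,
                     {"display_name": "View", "full_address": "View",
                      "mobile_phone": "View"}),
    CustomRecordType("customrecord_site_banner",
                     AccessType.NO_PERMISSION_REQUIRED,
                     {"headline": "View"}),          # public by design
    CustomRecordType("customrecord_order_notes",
                     AccessType.USE_PERMISSION_LIST,
                     {"note": "View"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CRTS, SENSITIVE):
        print(finding)
    fixed = [harden(c, SENSITIVE) if c.name == "customrecord_customer_profile"
             else c for c in SAMPLE_CRTS]
    print("after hardening:", audit(fixed, SENSITIVE))
```

The audit intentionally reports every publicly readable CRT, not only those with sensitive fields, because a record type such as the banner may be public by design; the `sensitive_exposed` list is what separates an intended public table from a customer-data leak. Note that `harden` changes both layers, so the sensitive fields stay hidden even if someone later flips the access type back to "No Permission Required".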

The disclosure follows Cymulate's detailed description of a way to manipulate the credential validation process in Microsoft Entra ID (formerly Azure Active Directory) and bypass authentication in hybrid identity infrastructures, allowing attackers to log in to the tenant with elevated privileges and establish persistence.

However, the attack requires an adversary to have administrative access on a server hosting a Pass-Through Authentication (PTA) agent, a module that allows users to sign in to both on-premises and cloud-based applications using Entra ID. The issue is rooted in Entra ID synchronizing multiple on-premises domains to a single Azure tenant.

“This issue arises when authentication requests are mishandled by pass-through authentication (PTA) agents for various on-prem domains, leading to potential unauthorized access,” security researchers Ilan Kalendarov and Elad Beber said.

“This vulnerability effectively makes the PTA agent a double agent, allowing attackers to log in as any synced AD user without knowing the password. This could potentially grant access to a global administrator if such rights are granted.”
