
Misconfigured Access Controls in NetSuite Stores Cause Major Data Breach

Microsoft's apps for macOS have recently been exploited by hackers to expose a critical vulnerability. It is believed that hackers have been exploiting vulnerabilities in popular applications such as Microsoft Outlook and Teams to spy on Mac users. In recent weeks, security researchers at Cisco Talos, a division of Cisco that focuses on malware and system vulnerabilities, have revealed how attackers can take advantage of this weakness to gain access to sensitive components such as the Mac's microphone and camera without the user's consent or knowledge.

Researchers have found that several thousand Oracle NetSuite customers are inadvertently exposing sensitive company information to unauthenticated users through public-facing stores built with NetSuite SuiteCommerce or NetSuite Site Builder. The exposure of custom record types in NetSuite was possibly caused by a lack of understanding of the access controls that apply to these record types in this popular SaaS enterprise resource planning (ERP) platform.

NetSuite is a widely used SaaS enterprise resource planning (ERP) platform that is also used to build and deploy online retail sites, through its SuiteCommerce or SiteBuilder products, that serve external customers. Because these web stores are hosted on subdomains of the NetSuite tenant, unauthenticated customers can browse, register, and make purchases directly from businesses through those sites.

This is not a problem with the NetSuite solution itself; it is a problem with the way some access controls have been configured on custom record types (CRTs) that may lead to sensitive customer information being leaked. The most vulnerable data are PII, or personally identifiable information, which includes full addresses and mobile phone numbers of registered customers. In NetSuite, threat actors tend to target Custom Record Types (CRTs) that are controlled using "No Permission Required" access controls. 

This means that unauthenticated users can use NetSuite's search and record APIs to locate and read such records. There is, however, one prerequisite that must be met before an attack can succeed: the attacker must know the names of the CRTs. According to Aaron Costello, CEO at AppOmni, hackers might be able to access sensitive data through a potential problem in NetSuite's SuiteCommerce platform caused by misconfigured access controls on custom record types (CRTs).

To emphasize the point, the issue is not a security flaw in the NetSuite product itself; rather, it is a potential data leak caused by customer misconfiguration. According to the report, the e-commerce sites have exposed information about their registered customers, including their addresses and mobile phone numbers. The Microsoft vulnerability, by contrast, arises from how Microsoft's apps interact with macOS's Transparency, Consent and Control (TCC) framework, which is intended to govern the permissions an application is granted.

TCC requires apps to hold specific entitlements before they can request access to features such as the camera, microphone, or location services. An application without the necessary entitlements cannot even prompt the user for permission, which effectively blocks unauthorised access. Cisco Talos has discovered a vulnerability that enables attackers to inject malicious software into Microsoft apps and then leverage the permissions already granted to those apps to execute malicious code.

As a result, once an attacker has modified an app such as Microsoft Teams or Outlook to inject their code, they can also access the camera and microphone on the Mac, allowing them to record audio and take photos without the user ever knowing. In the attack scenario outlined by AppOmni, an attacker exploits a CRT in NetSuite whose table-level access control is set to the permission type "No Permission Required," which enables users who have not authenticated to read that data through NetSuite's search and record APIs.

In recent developments, it has been discovered that a significant vulnerability exists in NetSuite stores due to an access control misconfiguration, which has resulted in the exposure of sensitive data. However, for this security breach to be successful, there are several critical prerequisites. The most notable of these is the requirement for the attacker to have prior knowledge of the names of the Custom Record Types (CRTs) in use. 

To mitigate the risks associated with this vulnerability, it is strongly recommended that site administrators take immediate action to enhance access controls on CRTs. This includes setting sensitive fields to "None" for public access, thereby restricting unauthorized access. Additionally, administrators should consider temporarily taking affected sites offline to prevent further data exposure while corrective measures are being implemented. 

One of the most straightforward and effective solutions from a security perspective, as suggested by security expert Costello, involves changing the Access Type of the record type definition. This can be done by setting it to either "Require Custom Record Entries Permission" or "Use Permission List." These changes would significantly reduce the likelihood of unauthorized access to sensitive data.
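As an added example (not code from AppOmni or NetSuite), the following Python script audits a constructed, hypothetical export of CRT definitions for the misconfiguration described above: it flags any CRT whose Access Type is not one of the two recommended settings and that still has fields whose public access is not "None", ranking CRTs that expose likely PII fields highest. The export format, field names and PII name patterns are assumptions.

```python
"""Audit NetSuite custom record type (CRT) definitions for anonymous exposure.
Added example, not AppOmni's or NetSuite's code; the export format below is a
constructed, hypothetical shape, not a NetSuite API response."""
import re

# Constructed sample export: one entry per CRT with its Access Type and fields.
CRT_EXPORT = [
    {"id": "customrecord_loyalty_member", "access_type": "No Permission Required",
     "fields": [{"id": "custrecord_email", "public_access": "View"},
                {"id": "custrecord_mobile_phone", "public_access": "Edit"},
                {"id": "custrecord_tier", "public_access": "View"}]},
    {"id": "customrecord_store_hours", "access_type": "No Permission Required",
     "fields": [{"id": "custrecord_open_time", "public_access": "View"}]},
    {"id": "customrecord_order_note", "access_type": "Use Permission List",
     "fields": [{"id": "custrecord_address", "public_access": "View"}]},
    {"id": "customrecord_internal_memo", "access_type": "No Permission Required",
     "fields": [{"id": "custrecord_address", "public_access": "None"}]},
]

# The two Access Types recommended in the article; anything else is treated as open.
SAFE_ACCESS_TYPES = {"Require Custom Record Entries Permission", "Use Permission List"}
# Heuristic field-name patterns that usually hold PII (assumption, tune per tenant).
PII_PATTERN = re.compile(r"address|phone|mobile|email|ssn|birth", re.I)

def audit_crt(crt):
    """Return a finding dict, or None when anonymous users cannot read the CRT."""
    if crt["access_type"] in SAFE_ACCESS_TYPES:
        return None  # table-level permission check blocks unauthenticated API reads
    exposed = [f["id"] for f in crt["fields"] if f["public_access"] != "None"]
    if not exposed:
        return None  # every field's public access is "None": nothing is readable
    pii = [f for f in exposed if PII_PATTERN.search(f)]
    return {
        "crt": crt["id"],
        "severity": "high" if pii else "low",
        "exposed_fields": exposed,
        "pii_fields": pii,
        "fix": "set Access Type to one of %s, or set public access on "
               "sensitive fields to 'None'" % sorted(SAFE_ACCESS_TYPES),
    }

def audit_export(export):
    """Audit every CRT; high-severity findings (exposed PII) come first."""
    findings = [f for f in (audit_crt(c) for c in export) if f]
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["crt"]))

if __name__ == "__main__":
    for finding in audit_export(CRT_EXPORT):
        print(finding["severity"].upper(), finding["crt"], finding["pii_fields"])
```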

In a related disclosure, Cymulate has unveiled another significant security concern involving Microsoft Entra ID, formerly known as Azure Active Directory. The issue centres around the potential manipulation of the credential validation process within hybrid identity infrastructures. This vulnerability allows attackers to bypass authentication mechanisms, enabling them to sign in with elevated privileges within the tenant and establish persistence. 

However, the execution of this attack requires that the adversary already possesses administrative access to a server hosting a Pass-Through Authentication (PTA) agent. The PTA agent is a critical module that permits users to sign in to both on-premises and cloud-based applications using Entra ID. The root cause of this vulnerability lies in the synchronization of multiple on-premises domains to a single Azure tenant, which introduces security gaps that could be exploited by attackers.