Cybersecurity researchers are warning about the discovery of thousands of externally-facing Oracle NetSuite e-commerce sites that have been found susceptible to leaking sensitive customer information.
“A potential issue in NetSuite’s SuiteCommerce platform could allow attackers to access sensitive data due to misconfigured access controls on custom record types (CRTs),” AppOmni’s Aaron Costello said.
It’s worth emphasizing here that the issue is not a security weakness in the NetSuite product, but rather a customer misconfiguration that can lead to leakage of confidential data. The information exposed includes full addresses and mobile phone numbers of registered customers of the e-commerce sites.
The attack scenario detailed by AppOmni exploits CRTs that employ table-level access controls with the “No Permission Required” access type, which grants unauthenticated users access to data by making use of NetSuite’s record and search APIs.
That said, for this attack to succeed, there are a number of prerequisites, the foremost being need for the attacker to know the name of CRTs in use.
To mitigate the risk, it’s recommended that site administrators tighten access controls on CRTs, set sensitive fields to “None” for public access, and consider temporarily taking impacted sites offline to prevent data exposure.
“The easiest solution from a security standpoint may involve changing the Access Type of the record type definition to either ‘Require Custom Record Entries Permission’ or ‘Use Permission List,'” Costello said.
The disclosure comes as Cymulate detailed a way to manipulate the credential validation process in Microsoft Entra ID (formerly Azure Active Directory) and circumvent authentication in hybrid identity infrastructures, allowing attackers to sign in with high privileges inside the tenant and establish persistence.
The attack, however, requires an adversary to have admin access on a server hosting a Pass-Through Authentication (PTA) agent, a module that allows users to sign in to both on-premises and cloud-based applications using Entra ID. The issue is rooted in Entra ID when syncing multiple on-premises domains to a single Azure tenant.
“This issue arises when authentication requests are mishandled by pass-through authentication (PTA) agents for different on-prem domains, leading to potential unauthorized access,” security researchers Ilan Kalendarov and Elad Beber said.
“This vulnerability effectively turns the PTA agent into a double agent, allowing attackers to log in as any synced AD user without knowing their actual password; this could potentially grant access to a global admin user if such privileges were assigned.”