Threat update
Researchers discovered that externally-facing Oracle NetSuite e-commerce sites may expose sensitive customer information when they are misconfigured.
Technical Detail and Additional Info
What is the threat?
Researchers found that Oracle NetSuite's SuiteCommerce platforms are commonly misconfigured, allowing attackers to gain access to the full addresses and mobile phone numbers of registered customers. NetSuite controls access to data at two levels: the Custom Record Type (CRT) level and the field level. The common misconfiguration on many NetSuite sites is using the "No Permission Required" setting on some of their CRTs.
If these permissions are misconfigured, an attacker can discover the names of fields and CRTs, allowing them to leak data through standard API calls. In addition, the default permission for searches is open, so an attacker who has leaked the field names and IDs is also able to search for the data.
Why is it noteworthy?
It is important to note that this is not a vulnerability in Oracle NetSuite but a common misconfiguration. Researchers have found thousands of external-facing sites with this misconfiguration. The issue most likely arises when administrators set CRT permissions to open without implementing adequate compensating controls.
What is the exposure or risk?
An incorrectly configured NetSuite SuiteCommerce site allows attackers to access sensitive customer data, including names, addresses, phone numbers, and other information.
What are the recommendations?
LBT Technology Group recommends the following actions to improve the security of data made available via Oracle NetSuite's SuiteCommerce:
- Audit data permissions and access regularly.
- Set access controls on both the CRT and fields.
- Set the default permission for all new fields to "None". An administrator will then have to manually assess the permission for each new field. This should be applied to both the "Default Access Level" and the "Default Level for Search / Reporting". In most cases, this will require the administrator to reinstate the needed permissions using a different technique.
- Train administrators on the proper configuration of CRT permissions to minimize the risk of accidental exposure.
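The audit in the first recommendation can be partly automated. The following is an added example, not NetSuite's own code or API: it evaluates a constructed, hypothetical export of CRT definitions and flags fields that remain reachable because the CRT is set to "No Permission Required" and the field's own "Default Access Level" or "Default Level for Search / Reporting" is not "None". The export shape, script IDs and field names are assumptions; adapt the loader to however your team exports CRT definitions.

```python
"""Flag custom record fields exposed to unauthenticated SuiteCommerce visitors.

Added example with a constructed export format; it is not NetSuite's own API.
Only the literal value "None" is treated as restrictive; every other level
(sample values below: "View", "Run", "Edit") is treated as exposed.
"""
from dataclasses import dataclass
from typing import Dict, List

OPEN_CRT = "No Permission Required"   # the risky CRT-level setting
SAFE_LEVEL = "None"                   # recommended default for new fields


@dataclass
class Field:
    name: str
    default_access: str   # "Default Access Level"
    default_search: str   # "Default Level for Search / Reporting"


@dataclass
class CustomRecordType:
    script_id: str
    access_level: str     # CRT-level permission setting
    fields: List[Field]


def audit(crts: List[CustomRecordType]) -> List[Dict]:
    """Return one finding per field reachable without any permission.

    A field is flagged only when the CRT itself requires no permission AND the
    field-level setting does not compensate (access or search level != None).
    """
    findings = []
    for crt in crts:
        if crt.access_level != OPEN_CRT:
            continue  # CRT-level control already blocks anonymous access
        for f in crt.fields:
            via = []
            if f.default_access != SAFE_LEVEL:
                via.append("record access")
            if f.default_search != SAFE_LEVEL:
                via.append("search/reporting")
            if via:
                findings.append({"crt": crt.script_id, "field": f.name, "via": via})
    return findings


# Constructed sample export (hypothetical script IDs and field names).
SAMPLE = [
    CustomRecordType("customrecord_store_profile", OPEN_CRT, [
        Field("custrecord_display_name", "View", "Run"),   # exposed both ways
        Field("custrecord_mobile_phone", "None", "Run"),   # hidden on record, leaks via search
        Field("custrecord_home_address", "None", "None"),  # properly restricted
    ]),
    CustomRecordType("customrecord_internal_notes", "Use Permission List", [
        Field("custrecord_note", "Edit", "Edit"),          # covered by the CRT-level control
    ]),
]

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(f"{hit['crt']}.{hit['field']} exposed via {', '.join(hit['via'])}")
```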
If you have any questions, please contact LBT's Sales Engineer.