
Over 60 US Colleges Affected by One ERP Vulnerability

Ellucian Banner, which many colleges throughout the United States use as their student-facing portal, has been found to have a vulnerability that lets attackers take over student sessions and immediately put the stolen access to criminal use. The US Department of Education released a statement about the vulnerability, stating that the flaw lies in Banner Web Tailor versions 8.8.3, 8.8.4 and 8.9, as well as Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2 and 8.4. Web Tailor lets universities customize their web applications, while Enterprise Identity Services manages user accounts. The vulnerability, CVE-2019-8978, was given a CVSS score of 8.1 and is classified as an "improper authentication" flaw. A remote attacker who exploits it can steal a victim's session and also cause a denial of service. The attacker repeatedly requests the initial Banner Web Tailor main page with the IDMSESSINDEX cookie set to the victim's UDCID (the institutional ID); one of those requests is then issued the SESSID that was meant for the victim's login, so the attacker ends up holding the victim's session while the victim does not. Attackers have also combined the vulnerability with administrative credentials to create fake accounts in the system. The full extent of the criminal activity is not yet clear, but the Department of Education is concerned that attackers who get into student accounts will be able to view personally identifiable information as well as financial aid data.
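The following is an added illustration, not Ellucian's code and not a description of Banner's internals: it models the class of flaw described above as a portal that parks a freshly issued SESSID under the user's UDCID and hands it to whichever request presents that UDCID in the IDMSESSINDEX cookie, next to a hardened portal that returns the SESSID only on the authenticated login response and ignores any identity-index cookie. The user table, UDCID, password and method names are constructed for the example.

```python
import secrets


class VulnerablePortal:
    """Toy model of the flaw: the SESSID issued at login is keyed on the UDCID,
    an identifier any client can name in a cookie, and the main page hands it
    to whichever request asks for it first."""

    def __init__(self, users):
        self._users = users          # udcid -> password (constructed sample data)
        self._pending = {}           # udcid -> SESSID waiting to be picked up
        self._sessions = {}          # SESSID -> udcid

    def login(self, udcid, password):
        if self._users.get(udcid) != password:
            return False
        sessid = secrets.token_hex(16)
        self._sessions[sessid] = udcid
        self._pending[udcid] = sessid   # keyed on a client-choosable identifier
        return True

    def main_page(self, cookies):
        """Returns the pending SESSID for whatever UDCID the cookie names."""
        return self._pending.pop(cookies.get("IDMSESSINDEX"), None)

    def whoami(self, cookies):
        return self._sessions.get(cookies.get("SESSID"))


class HardenedPortal:
    """The SESSID is delivered only on the authenticated login response and is
    the sole key for later requests; an identity-index cookie is ignored."""

    def __init__(self, users):
        self._users = users
        self._sessions = {}

    def login(self, udcid, password):
        if self._users.get(udcid) != password:
            return None
        sessid = secrets.token_hex(16)
        self._sessions[sessid] = udcid
        return sessid                    # goes back to the authenticating client only

    def whoami(self, cookies):
        """Identity comes from the unguessable SESSID, never from IDMSESSINDEX."""
        return self._sessions.get(cookies.get("SESSID"))


USERS = {"U00012345": "victim-pw"}       # constructed sample user
VICTIM = "U00012345"


def hijack_vulnerable():
    """The interleaving the attacker polls for: the victim logs in, and the
    attacker's request (IDMSESSINDEX set to the victim's UDCID) reaches the
    main page before the victim's own request does."""
    portal = VulnerablePortal(USERS)
    portal.login(VICTIM, "victim-pw")
    stolen = portal.main_page({"IDMSESSINDEX": VICTIM})    # attacker's poll
    victims = portal.main_page({"IDMSESSINDEX": VICTIM})   # victim's request
    return {
        "attacker_is_victim": portal.whoami({"SESSID": stolen}) == VICTIM,
        "victim_denied": victims is None,
    }


def hijack_hardened():
    """Same attacker moves against the hardened portal."""
    portal = HardenedPortal(USERS)
    sessid = portal.login(VICTIM, "victim-pw")
    return {
        "index_cookie_ignored": portal.whoami({"IDMSESSINDEX": VICTIM}) is None,
        "guess_fails": portal.whoami({"SESSID": secrets.token_hex(16)}) is None,
        "victim_recognised": portal.whoami({"SESSID": sessid}) == VICTIM,
    }


if __name__ == "__main__":
    print("vulnerable:", hijack_vulnerable())
    print("hardened:  ", hijack_hardened())
```

The model deliberately fixes the request ordering; in the real attack the attacker gets that ordering by polling continuously, which is why the same flaw also produces the denial of service the statement mentions.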

Analyst Notes

While the Department of Education has identified over 60 affected schools so far, more may yet be found. Schools that use Ellucian Banner should check which versions of Web Tailor and Enterprise Identity Services they are running. Those on an affected version should begin mitigation by updating to a patched version. Schools on the affected versions should also review their accounts for any fraudulent accounts created in the system, paying particular attention to accounts provisioned with administrative credentials.
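One way to start the account review recommended above, as an added example rather than anything from the original page or from Ellucian: flag administrators who provision an unusual number of accounts in a short window. The log format, the account names and the burst threshold are all constructed for the illustration; the heuristic assumes that fraudulent accounts created with stolen admin credentials show up as a burst, which is a reasonable starting point but not a guarantee.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account-provisioning records: timestamp, creator, action, account.
# This format is an illustration, not Banner's own audit log.
SAMPLE_LOG = """\
2019-07-10T09:12:03Z admin.asmith created U00100001
2019-07-11T14:05:41Z admin.asmith created U00100002
2019-07-16T02:01:10Z admin.jdoe created U00100003
2019-07-16T02:01:11Z admin.jdoe created U00100004
2019-07-16T02:01:13Z admin.jdoe created U00100005
2019-07-16T02:01:14Z admin.jdoe created U00100006
2019-07-16T02:01:16Z admin.jdoe created U00100007
2019-07-16T02:01:17Z admin.jdoe created U00100008
2019-07-17T10:30:00Z admin.asmith created U00100009
"""


def parse_log(text):
    """Parses the constructed format into (timestamp, creator, account) tuples,
    sorted by time, keeping only account-creation events."""
    records = []
    for line in text.splitlines():
        ts, creator, action, account = line.split()
        if action != "created":
            continue
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), creator, account))
    records.sort()
    return records


def find_creation_bursts(records, window=timedelta(hours=1), threshold=5):
    """Sliding window per creator: reports every creator who provisions at
    least `threshold` accounts inside any `window`, with the accounts involved.
    Window and threshold are illustrative; tune them to the school's normal
    provisioning rate so that legitimate batch jobs are not flagged."""
    by_creator = defaultdict(list)
    for ts, creator, account in records:
        by_creator[creator].append((ts, account))

    flagged = {}
    for creator, events in by_creator.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.setdefault(creator, set()).update(
                    account for _, account in events[start:end + 1]
                )
    return {creator: sorted(accounts) for creator, accounts in flagged.items()}


if __name__ == "__main__":
    for creator, accounts in find_creation_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{creator}: {len(accounts)} accounts in one window -> {accounts}")
```

Flagged accounts are candidates for manual review, not proof of fraud; cross-check them against enrollment records and the admin account's normal activity before disabling anything.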