Several vulnerabilities was found in Oracle’s banking platform flexcube
Summary:
Oracle has released a security advisory with a bunch of
vulnerabilities and CVE’s.
Our system picked this up and while looking closer at the
vulnerabilities several vulnerabilities for Oracle’s banking
software solutions for private banks called flexcube.
Flexcube is used by several global banks.
Flexcube private banking
CVE’s
- CVE-2020–2724
- CVE-2020–2723
- CVE-2020–2722
- CVE-2020–2721
- CVE-2020–2720
- CVE-2020–2700
- CVE-2020–2699
- CVE-2020–2685
- CVE-2020–2684
- CVE-2020–2683
Interesting CVE’s
CVE-2020–2722
This vulnerability allows a unauthenticated third party with network access to the HTTP interface to compromise
FLEXCUBE’s Investor Servicing which is a handles mutual funds, hedge funds and unit-linked insurance products.
The vulnerability allows a unauthenticated third party to have read access to sensitive data as well as
updating, inserting or deleting access to Investors Servicing’s data.
CVE-2020–2685
A successful exploitation of this will lead to an third party
having read access to sensitive data.
A proper implementation of these systems would be to put these
systems on private networks behind firewalls and not accessible
to the public.
Google dork
intitle:"Oracle FLEXCUBE Direct Banking"
Some links we found while dork’ing:
https://www.secure.bred.vu/B001/eng/faq.html
https://corponline.cncbinternational.com/B001/securityTipsEn.html
https://portal.amicorpbank.com/B001/trans.htm
https://online.saxopayments.com/B001/def_blank.htm
https://www.ncdstbanking.com/B001/trans.htm
https://secure.bankofjordan.com.ps/T001/trans.htm
External links:
Flexcube wikipedia
Oracle.com flexcube
List of banks using flexcube
Quora.com banks using oracle
KDB Bank Europe in Hungary and Všeobecná úverová banka (VUB) in Slovakia
coopmoneynz.org.nz New zealand flexcube
If you are using an rss reader you can subscribe to the blog here:
https://blog.firosolutions.com/exploits/index.xml
https://blog.firosolutions.com/posts/index.xml