US Dept. of Education Reveals Ellucian systems compromised at 62 Universities

Background

Roll-Call Security & Communications is no stranger to working with major Texas universities, nor to the extensive legacy ERP systems those universities run. Recently Roll-Call bid on a contract with a major Texas state school to assist with its Ellucian Banner ERP upgrade and patching. That contract was never awarded, and unfortunately the school fell victim to this unscrupulous cyber attack.

Executive Summary

An improper authentication vulnerability (CWE-287) was identified in Banner Web Tailor and Banner Enterprise Identity Services. The vulnerability arises when SSO Manager is used as the authentication mechanism for Web Tailor, and it can lead to information disclosure and loss of data integrity for the affected user(s). The vendor has verified the vulnerability and released a patch. For more information see the postings on Ellucian Communities; the first is the Banner Enterprise Identity Services posting:

https://ecommunities.ellucian.com/message/252749#252749

The second is the Banner Web Tailor and SSO Manager Vulnerability communication posted in the Banner General & Banner Technical Community space:

https://ecommunities.ellucian.com/message/252810#252810

Hackers compromised student information systems at 62 universities through a vulnerability in a common software platform, the Department of Education has warned in a security alert.

The cyberattacks exploited a security flaw in the software company Ellucian’s Banner platform, the alert says, which allowed hackers to generate masses of fake student accounts and potentially access sensitive data. According to the Education Department, which issued its alert last week, hackers had been drawing up lists of institutions to target via the vulnerability, which was made public earlier this year.

Product

Banner Web Tailor is a web tool, made for higher education institutions, that provides registration, curriculum management, advising, administration, and reporting functionality. Students are able to access and change their registration, graduation, and financial aid information. Professors and teachers are able to input final grades and manage their courses. Administrators are able to access and change student and teacher information. It is used by hundreds of institutions, many of which have opted to use the Single Sign-on Manager in order to participate in CAS- and SAML-based single sign-on services.

Impact and Recommendations

Impact

A user's unique identifier, the UDCID, is exposed in a cookie, and account compromise is possible if that identifier is captured or otherwise known; in the case tested the UDCID was the institutional ID printed on ID cards, so it should be treated as public. With the UDCID an attacker can exploit a race condition to obtain the victim's session and thus unauthorized access. For a student, the attacker could drop them from their courses, reject financial aid, change their personal information, etc. For a professor, this could prevent them from managing their courses, or allow a malicious student to enter false final grades, etc. For an administrator, an attacker could change users' information, place false holds on student accounts, etc.

In December 2018, a security researcher discovered a flaw in the Banner platform that allowed remote, unauthorized access to user accounts, but, per the disclosure time-line below, did not get a substantive response from Ellucian until late February 2019. Ellucian finalized patches for all versions on March 26, 2019, and the disclosure was published in May; according to the Department of Education, many institutions have been slow to upgrade their systems.

The alert says that hackers used the Ellucian vulnerability as a backdoor into institutions’ admissions and enrollment systems, where they generated fraudulent accounts numbering in the thousands — including 600 generated in one 24-hour period.

Ellucian replied that hackers can employ bots on poorly protected admissions portals and get the same result, regardless of the presence of other security vulnerabilities.
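The one concrete indicator the Department of Education alert gives is volume: thousands of fraudulent accounts, including 600 in a single 24-hour period. The burst detector below is an added example (not part of the original advisory or alert, and not Ellucian's code) that runs a sliding window over account-creation events and alerts once per burst, both per source IP over a short window and overall over 24 hours. The log format, the thresholds and the sample lines are all constructed for this example; a real deployment would feed it the admissions portal's own audit log.

```python
"""Sliding-window burst detector for self-service account creation.

Added example. The log line format below is an assumption made for this
example (it is not Banner's log format), and the sample lines are
constructed. Each line: <ISO 8601 UTC timestamp> account_created
ip=<client ip> user=<new login>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: six creations from one IP inside twelve seconds,
# three unrelated creations, and one more from the same IP a day later.
SAMPLE_LOG = """\
2019-07-10T01:00:00Z account_created ip=203.0.113.7 user=jdoe01
2019-07-10T01:00:03Z account_created ip=203.0.113.7 user=jdoe02
2019-07-10T01:00:05Z account_created ip=203.0.113.7 user=jdoe03
2019-07-10T01:00:08Z account_created ip=203.0.113.7 user=jdoe04
2019-07-10T01:00:10Z account_created ip=203.0.113.7 user=jdoe05
2019-07-10T01:00:12Z account_created ip=203.0.113.7 user=jdoe06
2019-07-10T09:30:00Z account_created ip=198.51.100.2 user=asmith
2019-07-10T15:45:00Z account_created ip=192.0.2.9 user=bwong
2019-07-11T02:00:00Z account_created ip=203.0.113.7 user=jdoe07
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account_created ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)


def parse(line):
    """Return (timestamp, ip, user) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"]


def detect_bursts(log_text, ip_window=timedelta(hours=1), ip_limit=5,
                  global_window=timedelta(hours=24), global_limit=500):
    """Return a list of (kind, key, count, timestamp) alerts.

    An alert fires the moment a window first exceeds its limit (count ==
    limit + 1), so one burst yields one alert rather than one per event.
    Lines must be in chronological order, as an audit log normally is.
    The global limit of 500/day is chosen to sit just under the 600/day
    figure in the alert; tune it to the institution's normal daily volume.
    """
    per_ip = defaultdict(deque)
    overall = deque()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # ignore malformed lines rather than crash the detector
        ts, ip, _user = rec

        q = per_ip[ip]
        q.append(ts)
        while q and ts - q[0] > ip_window:
            q.popleft()
        if len(q) == ip_limit + 1:
            alerts.append(("ip_burst", ip, len(q), ts))

        overall.append(ts)
        while overall and ts - overall[0] > global_window:
            overall.popleft()
        if len(overall) == global_limit + 1:
            alerts.append(("global_burst", "*", len(overall), ts))
    return alerts


def creations_per_day(log_text):
    """Daily totals, the coarse view an analyst would eyeball first."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is not None:
            counts[rec[0].date().isoformat()] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print("ALERT", *alert)
    print(creations_per_day(SAMPLE_LOG))
```

Against the sample the per-IP window fires once, on the sixth creation from 203.0.113.7, and the creation from the same address a day later does not re-fire because the hour window has emptied. Ellucian's point that bots against a poorly protected admissions portal produce the same pattern regardless of this vulnerability is exactly why a volume detector like this is worth running whether or not the patch has been applied.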

The far-reaching attacks underscore the danger that cyber attacks pose for colleges and universities, which must govern a huge volume of data, often armed only with poorly funded IT departments.

The Education Department urged universities to upgrade to the patched version of Ellucian, noting that the fraudulent accounts “appear to be leveraged almost immediately for criminal activity.” It did not specify what type of criminal activity and did not list any affected institutions.

Recommendations

Affected organizations should update Banner Web Tailor and Banner Enterprise Identity Services to the patched versions. Because the UDCID is printed on ID cards, it should be treated as public: it is not a secret and must not be relied on as a session or login-handoff key. Until the patch is installed, repeated requests for the Web Tailor main page carrying an IDMSESSID cookie from a single client are the access-log pattern to look for. More information can be found in the postings on Ellucian Communities; the first is the Banner Enterprise Identity Services posting:

https://ecommunities.ellucian.com/message/252749#252749

The second is the Banner Web Tailor and SSO Manager Vulnerability communication posted in the Banner General & Banner Technical Community space:

https://ecommunities.ellucian.com/message/252810#252810

Please utilize Ellucian Communities or contact Ellucian through ActionLine to get more information.

Technical Details

Technical Description

The improper authentication vulnerability is exploited through a race condition in Ellucian Banner Web Tailor when it is used together with SSO Manager. A remote attacker can steal a victim's session (and, as a side effect, deny the victim service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID.

If one of these requests lands while the victim is logging in, the attacker wins the race and is issued the SESSID that was meant for the victim. See the proof-of-concept code at the GitHub link below for details.
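The following is an added example, not Ellucian's code and not the proof of concept linked below: a small Python model of the login handoff described above, in a vulnerable form beside a hardened one, so the race is visible without touching a real Banner instance. The model is a simplification and an assumption about the flow: the identity provider reports a completed login, the application parks that login as "pending" under some key, and the next request whose IDMSESSID cookie matches the key is issued a SESSID. In the vulnerable form the key is the UDCID, which the attacker already knows; in the hardened form the key is a one-time unguessable ticket handed only to the browser that authenticated, and consumed on first use. The class, method and cookie names other than IDMSESSID, SESSID and UDCID are hypothetical.

```python
"""Model of the CWE-287 race in a Web Tailor / SSO Manager style handoff.

Added example; hypothetical model, not Banner's real implementation.
The IdP reports a completed login, the app keeps it pending under a key,
and the first request whose IDMSESSID cookie matches the key gets SESSID.
"""
import secrets


class VulnerableWebTailor:
    """Pending login keyed by the UDCID, a value the attacker can know."""

    def __init__(self):
        self.pending = {}   # IDMSESSID cookie value -> account (UDCID)
        self.sessions = {}  # SESSID -> account

    def idp_authenticated(self, udcid):
        # SSO Manager reports that 'udcid' authenticated. The handoff is
        # completed by whichever request next presents IDMSESSID=udcid.
        self.pending[udcid] = udcid
        return None  # the victim's browser receives no secret of its own

    def request_main_page(self, idmsessid):
        # First request presenting a matching cookie wins the session;
        # pop() also removes it, so the loser gets nothing (the DoS).
        account = self.pending.pop(idmsessid, None)
        if account is None:
            return None
        sessid = secrets.token_hex(16)
        self.sessions[sessid] = account
        return sessid


class HardenedWebTailor(VulnerableWebTailor):
    """Same flow, but the pending login is keyed by a one-time ticket."""

    def idp_authenticated(self, udcid):
        # 256-bit random ticket: cannot be derived from the UDCID, and the
        # inherited pop() makes it single-use, so a replay also fails.
        ticket = secrets.token_urlsafe(32)
        self.pending[ticket] = udcid
        return ticket  # delivered only to the authenticating browser


def simulate(app_cls, victim_udcid="U12345678"):
    """Interleave an attacker polling with the victim's UDCID and one
    victim login, in the order that makes the race go the attacker's way.
    Returns who ended up holding a session."""
    app = app_cls()
    # Attacker polls before any login: nothing pending, nothing issued.
    early = [app.request_main_page(victim_udcid) for _ in range(3)]
    # Victim authenticates at the IdP; the hardened app mints a ticket.
    ticket = app.idp_authenticated(victim_udcid)
    # Attacker's next poll lands before the victim's browser follows up.
    attacker_sessid = app.request_main_page(victim_udcid)
    # Victim's browser completes the handoff with what it was given.
    victim_cookie = ticket if ticket is not None else victim_udcid
    victim_sessid = app.request_main_page(victim_cookie)
    # A second use of the same cookie must not mint another session.
    replay = app.request_main_page(victim_cookie) if victim_sessid else None
    return {
        "attacker_got_session": attacker_sessid is not None,
        "victim_got_session": victim_sessid is not None,
        "early_polls_issued_anything": any(s is not None for s in early),
        "cookie_replay_issued_session": replay is not None,
        "session_owner": app.sessions.get(attacker_sessid or victim_sessid),
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(VulnerableWebTailor))
    print("hardened:  ", simulate(HardenedWebTailor))
```

In the vulnerable model the attacker's poll that lands between the IdP callback and the victim's own request is the one that collects the SESSID, and the victim's request then finds nothing pending, which is the session theft plus denial of service the advisory describes. The hardened model fails the attacker's polls regardless of timing because the only key that opens the pending login is a value the attacker never sees, and it is consumed on first use so a captured cookie cannot be replayed later.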

Exploit Code

Exploit code will be made available later via GitHub:

https://github.com/JoshuaMulliken/CVE-2019-8978

Disclosure Time-line

December 18, 2018: Attempted reporting through Ellucian's marketing web-form and sent to informationsecurityassessmentteam@ellucian.com

December 20, 2018: Submitted report to CERT Coordination Center at Carnegie Mellon University

January 2, 2019: Submitted report to a CISO at Ellucian who was found through LinkedIn

January 2, 2019: Requested information on responsible disclosure procedure from the University of South Carolina

January 3, 2019: Was told to report through ActionLine by Ellucian

January 4, 2019: Was told by the University of South Carolina that there is no procedure for reporting vulnerabilities

January 4, 2019: Told the University of South Carolina that I had discovered a vulnerability in Banner

February 18, 2019: CERT informed me that it had failed to reach the vendor and advised me to publicly disclose

February 25, 2019: Sent draft of advisory to Ellucian and set the date of disclosure to March 4th.

February 28, 2019: Ran demo of vulnerability for Ellucian over Zoom conference

March 1, 2019: Was asked by the University of South Carolina to delay publication

March 21, 2019: The University of South Carolina received a backported patch from Ellucian

March 26, 2019: Ellucian finalized patches for all versions

March 29, 2019: Was told by Ellucian that the University of South Carolina would be doing changes on the 1st of April

April 1, 2019: Requested information on patch status from the University of South Carolina

April 5, 2019: The University of South Carolina gave ETA of April 30, 2019

April 30, 2019: The University of South Carolina updated ETA to the middle of May

May 7, 2019: Set publication date of disclosure to May 13

May 10, 2019: The University of South Carolina posted a planned outage notice for all Banner Services scheduled for May 11

May 11, 2019: The University of South Carolina successfully installed the patch

May 13, 2019: Disclosure published

References

- www.edscoop.co: Ellucian systems breached at 62 universities, Education Dept. says
- www.zdnet.com: Hackers breach 62 US colleges by exploiting ERP vulnerability
- www.infosecurity.com: Over 60 US Colleges Compromised by ERP Exploit
- www.ifap.ed.gov: Exploitation of Ellucian Banner System Vulnerability
- www.githubusercontent.com: Improper Authentication (CWE-287) in Ellucian Banner Web Tailor and Banner Enterprise Identity Services
- www.nvd.nist.gov: CVE-2019-8978 Detail