Oracle’s NetSuite, a popular Enterprise Resource Planning (ERP) platform, has a feature that allows businesses to deploy an external-facing store using SuiteCommerce or SiteBuilder. This feature enables e-commerce operations and back-office processes within a unified platform, streamlining and automating order processing, fulfillment, and inventory management.
However, a recent investigation has uncovered a potential issue in the SuiteCommerce platform that could allow attackers to access sensitive data due to misconfigured access controls on custom record types (CRTs).
Addressing Potential Risk in NetSuite’s SuiteCommerce
According to Aaron Costello, Chief of SaaS Security Research at AppOmni, the issue could potentially affect thousands of live public SuiteCommerce websites. He explains that the problem often arises when organizations deploying NetSuite are unaware that a default stock website has been publicly exposed, even if they had no intention of setting up an e-commerce store.
The most commonly exposed data appears to be personally identifiable information (PII) of registered customers, including full addresses and mobile phone numbers,” Costello said.
It’s important to note that this is not a security vulnerability in the NetSuite product itself. Rather, it is a potential issue that can arise from how customers configure the access controls within their NetSuite environments.
NetSuite uses a multi-layered access control system to protect sensitive data. There are two types of access controls: table-level and field-level.
- Table-level access controls determine who can see the entire table of data.
- Field-level access controls determine who can see specific fields within a table.
The security risk lies in the way NetSuite’s online store feature interacts with the database. When a customer tries to access sensitive information, NetSuite checks the access controls to see if they have permission to view it. If the access controls are not properly set up, hackers can exploit this vulnerability and gain access to sensitive information.
Mitigating the NetSuite Vulnerability
To protect sensitive information, businesses should ensure that table-level access controls are set to “Require Custom Record Entries Permission” and field-level access controls are set to “None” for public access. To address this risk, the team recommends that NetSuite administrators take a few additional steps:
- Review access controls on custom record types (CRTs): Ensure the “Access Type” is not set to allow public access without authentication.
- Restrict access to sensitive fields: Even if table-level access is limited, administrators should review field-level permissions and set sensitive information to have “None” access for unauthenticated users.
- Consider temporarily taking impacted sites offline: As a temporary measure, organizations may want to take any public-facing SuiteCommerce sites offline until the access controls can be properly configured.