TECHNOLOGY SECURITY ALERT – Exploitation of Ellucian Banner System Vulnerability

Author: Federal Student Aid
Subject: TECHNOLOGY SECURITY ALERT – Exploitation of Ellucian Banner System Vulnerability

Note: We posted an update to this information on August 6, 2019. Please refer to Update #1 at
https://ifap.ed.gov/electronic-announcements/08-06-2019-technology-security-alert-exploitation-ellucian-banner-system for the most current information.

The U.S. Department of Education (Department) has obtained information regarding the active and ongoing exploitation of a previously identified vulnerability in the Ellucian Banner (Banner) system. The vulnerability only occurs in Ellucian Banner Web Tailor versions 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4.

According to National Institute of Standards and Technology (NIST) advisory CVE-2019-8978, attackers can leverage a known vulnerability in these versions of these applications to log in to the Banner system with an institutional account. Access to operational areas and functions within the system would depend upon the administrative privileges granted to the affected account, but this information does not appear to be specifically detailed in the NIST advisory.

The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation.

Victimized institutions have indicated that the attackers exploit the vulnerability and then leverage scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts. It has been reported that at least 600 fake or fraudulent student accounts were created within a 24-hour period, with the activity continuing over multiple days, resulting in the creation of thousands of fake student accounts. Some of these accounts appear to be leveraged almost immediately for criminal activity.
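
A defender-side check for the pattern described above, as an added example that is not part of the Department's alert: it scans account-creation timestamps for any rolling 24-hour period containing at least 600 new accounts and merges overlapping periods into one episode. The function names, the default threshold (taken from the figure reported above), and the sample data are assumptions constructed for illustration; real timestamps would come from whatever account-creation audit records the institution keeps.

```python
from datetime import datetime, timedelta

def find_creation_bursts(timestamps, threshold=600, window=timedelta(hours=24)):
    """Return (first_seen, last_seen, count) for each episode in which at
    least `threshold` accounts were created inside a rolling `window`."""
    ts = sorted(timestamps)
    episodes = []          # [first_index, last_index] into ts
    left = 0
    for right, now in enumerate(ts):
        # Drop events that are a full window or more older than `now`.
        while now - ts[left] >= window:
            left += 1
        if right - left + 1 >= threshold:
            if episodes and left <= episodes[-1][1]:
                episodes[-1][1] = right      # overlaps: same episode continues
            else:
                episodes.append([left, right])
    return [(ts[a], ts[b], b - a + 1) for a, b in episodes]

def constructed_sample():
    """Constructed data: about 40 legitimate accounts a day for five days,
    plus one scripted account every two minutes starting on day three."""
    base = datetime(2019, 7, 1)
    normal = [base + timedelta(minutes=36 * i) for i in range(200)]
    scripted = [base + timedelta(days=2, minutes=2 * i) for i in range(2000)]
    return normal, scripted

if __name__ == "__main__":
    normal, scripted = constructed_sample()
    print("baseline only:", find_creation_bursts(normal))
    for first, last, count in find_creation_bursts(normal + scripted):
        print(f"burst: {count} accounts created between {first} and {last}")
```

An institution with a naturally high enrollment volume would set the threshold relative to its own baseline rather than the default used here.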

Victimized institutions also have indicated that their implementation of the Banner system affects or influences all aspects of academic administration, including the administration of student financial aid. The Department is concerned that some institutions that use a Banner system that still deploys Ellucian Banner Web Tailor version 8.8.3, 8.8.4, or 8.9 and/or Banner Enterprise Identity Services version 8.3, 8.3.1, 8.3.2, or 8.4 may not have implemented appropriate safeguards to segregate the system functions affecting the Department’s student financial aid data. It is believed that such a condition could put the security and the integrity of the Department’s data and systems at risk. Impacted entities using the affected systems are encouraged to review the NIST advisory in its entirety and take appropriate response measures.

Actions for Institutions Using Ellucian Banner System

If your institution uses Ellucian Banner Web Tailor version 8.8.3, 8.8.4, or 8.9 and/or Banner Enterprise Identity Services version 8.3, 8.3.1, 8.3.2, or 8.4:

1) review the vulnerability details as provided in NIST advisory CVE-2019-8978;

2) contact Ellucian to receive information needed to patch or upgrade affected systems; and

3) respond immediately to the Department via email to both FSASchoolCyberSafety@ed.gov and CPSSAIG@ed.gov.

Include the following information in your email:

  • Institution’s Name

  • Information Technology (IT) Contact at Institution (Name, Email Address, Phone Number)

Once the Department receives a notification email from an institution, the FSA Cyber Incident Team will acknowledge receipt of the email and collaborate with the institution to identify if its systems are using the versions impacted by this vulnerability. In our shared mission with the institution to safeguard student information, the FSA Cyber Incident Team will act as an information resource and guide the institution to Ellucian to obtain appropriate updates and patches to mitigate the vulnerability.