Our ongoing research with targeted institutions has led us to a broader concern regarding the front-end registration portals used by institutions. Specifically, some institutions are using third-party software as front-end access points to the Ellucian Banner System and similar administrative tools. We strongly encourage every institution to review these third-party front-end applications to ensure that they are not introducing vulnerabilities (in need of patches) or increasing the risk of a potential future issue through automation attacks. An automation attack, in this context, uses automated scripts or robotic process automation to rapidly fill forms through the institution’s front-end system and submit them in the hope of gaining accounts. We encourage all institutions to consider using human validation checks as part of front-end portal submission processes.
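The automation attack described above leaves a recognizable trace in portal logs: many account-request submissions from one source in a short time, each completed far faster than a person could type. The following script is an added example, not tooling from FSA, the Department, or Ellucian, and the log format it parses (timestamp, source IP, form name, milliseconds from form render to submit) is constructed for illustration. It scores each source on submission velocity and fill time, which complements rather than replaces the human validation checks the alert recommends, since both thresholds are heuristics an institution would tune to its own traffic.

```python
"""Flag likely automated account-request submissions in a portal log.

Added example with a constructed log format; thresholds are illustrative.
Two signals are scored per source IP:
  1. velocity: at least `velocity_threshold` submissions from one IP inside a
     sliding time window, a rate a person filling a form would not sustain;
  2. fill time: every submission from the IP completed in under `min_fill_ms`
     after the form was rendered, typical of scripted form filling.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, source IP, form, fill time (ms).
SAMPLE_LOG = """\
2019-07-22T09:00:01Z 203.0.113.10 account_request 310
2019-07-22T09:00:03Z 203.0.113.10 account_request 295
2019-07-22T09:00:05Z 203.0.113.10 account_request 301
2019-07-22T09:00:07Z 203.0.113.10 account_request 288
2019-07-22T09:00:09Z 203.0.113.10 account_request 305
2019-07-22T09:00:11Z 203.0.113.10 account_request 299
2019-07-22T09:02:40Z 198.51.100.7 account_request 48200
2019-07-22T09:41:15Z 198.51.100.7 account_request 39100
2019-07-22T10:05:02Z 192.0.2.5 account_request 1200
2019-07-22T10:20:44Z 192.0.2.5 account_request 950
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, form, fill_ms = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "form": form,
            "fill_ms": int(fill_ms),
        })
    return events


def max_in_window(times, window):
    """Largest number of events (sorted timestamps) inside any sliding window."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_sources(events, window=timedelta(seconds=60),
                  velocity_threshold=5, min_fill_ms=2000):
    """Return {ip: [reasons]} for sources that trip either heuristic."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    report = {}
    for ip, evs in by_ip.items():
        reasons = []
        burst = max_in_window(sorted(e["ts"] for e in evs), window)
        if burst >= velocity_threshold:
            reasons.append(
                f"{burst} submissions within {int(window.total_seconds())}s")
        fast = sum(1 for e in evs if e["fill_ms"] < min_fill_ms)
        if fast and fast == len(evs):
            reasons.append(
                f"all {fast} submissions filled in under {min_fill_ms}ms")
        if reasons:
            report[ip] = reasons
    return report


if __name__ == "__main__":
    for ip, reasons in score_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed sample, the first source trips both heuristics, the second (two submissions 40 minutes apart, each taking over half a minute) trips neither, and the third trips only the fill-time check, which is the case a velocity rule alone would miss. A flagged source is a candidate for manual review or a step-up human validation check, not an automatic block.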
Additionally, we encourage institutions to continue to provide Federal Student Aid (FSA) with the status of their efforts to validate the correct versions and the use of the Ellucian Banner System and other third-party software that may be in use if they suspect fraudulent accounts may have been created. The U.S. Department of Education (Department) is continuing to work with colleges and universities to determine what impact, if any, the Ellucian Banner System vulnerability may have had. To date, based on reports from targeted institutions, we have not found any instances where the Ellucian Banner System vulnerability has been exploited or is related to the issues described in the original alert.
For reference, here is the vulnerability information and the FSA Cyber Incident Team contact information from the initial Technology Security Alert:
Actions for Institutions Using Ellucian Banner System
If your institution uses Ellucian Banner Web Tailor version 8.8.3 or 8.8.4 and/or Banner Enterprise Identity Services version 8.3, 8.3.1, 8.3.2, or 8.4:
- review the vulnerability details as provided in NIST advisory CVE-2019-8978;
- contact Ellucian to receive information needed to patch or upgrade affected systems; and
- respond immediately to the Department via email to both FSASchoolCyberSafety@ed.gov and CPSSAIG@ed.gov.
Include the following information in your email:
Note: Although Banner Web Tailor 8.9 was previously listed as impacted, it is a roll-up software release that contains all patches and releases since 8.8 and is not affected.
Once the Department receives a notification email from an institution, the FSA Cyber Incident Team will acknowledge receipt of the email and collaborate with the institution to identify if its systems are using the versions impacted by this vulnerability. In our shared mission with the institution to safeguard student information, the FSA Cyber Incident Team will act as an information resource and guide the institution to Ellucian to obtain appropriate updates and patches to mitigate the vulnerability.