At Least 62 Colleges Were Exploited by a Software Vulnerability. Here’s What You Need to Know.
By Grace Elletson, July 18, 2019
The U.S. Education Department posted an alert late Wednesday saying that a software program used widely among higher-education institutions has a severe vulnerability that could allow users to gain access to student records.
The program, Banner, is operated by Ellucian, a company that makes higher-education software. Banner can be used to manage student-information, financial, human-resources, and financial-aid systems, according to Ellucian’s website. The Department of Education’s Federal Student Aid office said it had identified at least 62 colleges that have been exploited through the vulnerability.
In the alert, the department said colleges had seen attackers infiltrate Banner and then create multiple student accounts in the “admissions or enrollment section of the affected Banner system.” Over the past 24 hours, the department said, “at least 600 fake or fraudulent student accounts were created,” and “some of these accounts appear to be leveraged almost immediately for criminal activity.”
The Department of Education did not reply on Thursday to The Chronicle’s questions about which colleges had been affected.
Paul E. Black, a computer scientist with the National Institute of Standards and Technology, an arm of the U.S. Department of Commerce that in May posted a description of the vulnerability, said it could cause “really big” problems. The institute, known as NIST, gave the vulnerability a base score of 8.1 out of 10, a high score, meaning that the vulnerability could have severe implications.
If a user successfully exploited the vulnerability and gained administrative privileges, he or she could change any information in the system, including grades and course-registration schedules, according to Black. More concerning, he said, if colleges use Banner to manage their financial-aid systems and payments, a user could change addresses and banking information, potentially redirecting money to different accounts.
The vulnerability was probably identified in December 2018 by a student at the University of South Carolina, Black said. The student notified Ellucian and his university about the problem, according to a report the student uploaded to GitHub. But it wasn’t until late March that Ellucian patched the vulnerability, also according to the report.
It is unclear when or if Ellucian contacted the colleges that use Banner to notify them to patch or update their Banner systems once the vulnerability had been discovered. Ellucian sent a statement to The Chronicle but did not reply to direct questions on Thursday.
In its statement, Ellucian said the department had mistakenly stated that its Banner 8.9 version was susceptible to the vulnerability. The 8.9 version is patched; however, older versions are still vulnerable, the company said. “Only Ellucian customers with Banner Web Tailor versions 8.8.3 and 8.8.4 and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4 or earlier, should apply the patches,” the statement read, in part.
Ellucian noted in its statement that bots’ infiltration of colleges’ information systems is an “industry issue” and not specific to Ellucian or Banner.
Colleges store large quantities of personal information behind electronic walls, and breaches, or attempted breaches, are common. Monroe College, in New York, suffered an attack this month and was locked out of its website and other management systems, which were being held hostage in exchange for $2 million in Bitcoin, according to Inside Higher Ed. The college has since regained access to its systems, according to Jackie Ruegger, executive director of public affairs at Monroe.
How the Vulnerability Works
Banner’s vulnerability could be exploited through a “race condition.”
According to Black, a race condition can be best compared to a sneaky prowler trying to gain access to a locked building. Say you walk up to your apartment building’s security officer, who needs to buzz in your key card in order for your front door to swing open. When you hand over the key card, and the door opens, anyone lurking in the shadow of the door frame can head in too.
That’s how virtual prowlers have been able to get into Banner’s systems, by duplicating certain electronic cookies attached to users with administrative privileges who are attempting to log in. In other words, the hackers “race” in first, according to Black.
Black also said that once the hackers enter Banner’s systems, it can be extremely difficult for colleges to distinguish what information has been changed unless the systems keep a log of all edits made. Even then, it can be difficult to sift through what was a legitimate change and what wasn’t. There can be telltale signs of foul play, of course, such as a professor who was logged in and changing a student’s grades in July from another country.
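An added example, not from the article, Ellucian, or NIST, that applies the two warning signs described above (a grade edit made from an unexpected country, and a burst of new accounts in the admissions section) to a constructed audit log. The log format, user names, and home countries are assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit log lines (not real Banner output), one edit per line:
# timestamp user role action section country
AUDIT_LOG = """\
2019-07-16T10:05:00 admissions.clerk staff create_account admissions US
2019-07-17T09:02:00 prof.lee faculty update_grade registrar US
2019-07-17T23:15:00 prof.lee faculty update_grade registrar RO
2019-07-17T23:16:00 prof.lee faculty update_grade registrar RO
2019-07-17T23:20:00 prof.lee faculty create_account admissions RO
2019-07-17T23:22:00 prof.lee faculty create_account admissions RO
2019-07-17T23:31:00 prof.lee faculty create_account admissions RO
2019-07-17T23:40:00 prof.lee faculty create_account admissions RO
2019-07-18T08:00:00 prof.kim faculty update_grade registrar CA
""".splitlines()

# Country each account normally works from (assumed, constructed values).
HOME_COUNTRY = {"prof.lee": "US", "admissions.clerk": "US"}

def parse(line):
    """Split one audit line into a record with a parsed timestamp."""
    ts, user, role, action, section, country = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "section": section, "country": country}

def foreign_grade_changes(lines, home=HOME_COUNTRY):
    """Grade edits made from a country other than the user's usual one.
    Users with no known home country are not flagged."""
    recs = (parse(line) for line in lines)
    return [r for r in recs if r["action"] == "update_grade"
            and r["user"] in home and r["country"] != home[r["user"]]]

def peak_account_creations(lines, window_hours=24):
    """Largest number of admissions accounts created in any rolling window."""
    times = sorted(r["ts"] for r in map(parse, lines)
                   if r["action"] == "create_account" and r["section"] == "admissions")
    window, start, peak = timedelta(hours=window_hours), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # drop creations older than the window
            start += 1
        peak = max(peak, end - start + 1)
    return peak

if __name__ == "__main__":
    for r in foreign_grade_changes(AUDIT_LOG):
        print(f"grade change from {r['country']} by {r['user']} at {r['ts']:%Y-%m-%d %H:%M}")
    print("peak admissions account creations in 24h:", peak_account_creations(AUDIT_LOG))
```

A real deployment would compare the peak against the institution's normal daily enrollment volume rather than a fixed number, since the article gives no threshold.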
And while NIST rated the vulnerability a high 8.1, the exploitation rate is low, meaning that it’s a difficult vulnerability to abuse.
“It’s actually a lot harder to use,” Black said. “But if you do manage to get in, it’s going to be a whole bunch worse.”