Experts urge users take action following vendor's update recommendations
Vulnerabilities in SAP components enable attackers to access ERP databases, take an ERP server offline, escalate system privileges, and more. These security issues were discovered by a group of Positive Technologies experts in early 2017.
In total, Positive Technologies researchers discovered eight separate vulnerabilities in SAP components, the most dangerous of which was found in the Web Dynpro Flash Island development environment, used to create SAP web applications. The absence of XML validation allowed an attacker not logged into the SAP system to perform an XXE attack and obtain local files on the SAP server (such as private encryption keys and other critical information). An attacker could also perform denial of service to take the SAP server offline.
SAP products are used at hundreds of thousands of companies. This software is so commonplace and so central to operations that even exploits of run-of-the-mill vulnerabilities can be devastating. For example, an ordinary XSS attack, in which the attacker sends a link to a malicious script and waits for the user to run it in a browser, can be used to obtain any data on the page – such as cookie files or session tokens. If the victim machine has sufficient privileges, the attacker can pose as the system owner in order to change the SAP configuration, such as to create new users, assign roles and privileges, upload files, or perform remote code execution (RCE).
While the additional vulnerabilities were found to be less severe, if successfully exploited they could potentially cause serious damage. These include:
- XML validation absent in SAP Composite Application Framework Authorization Tool and SAP NetWeaver Web Services Configuration UI: could allow a successful attacker to read all files on the server and steal administrator credentials, also allowing the escalation of user privileges
- XML validation absent in SAP Enterprise Portal and SAP NetWeaver Web Services Configuration UI: could allow an inside attacker to obtain access to files containing hashes for operating system passwords, as well as secure storage files and SAP encryption keys (attackers outside of the local network could not gain network access to the OS and database, but could try to use these credentials to hack accounts on other open services or perform a DDoS attack)
- Information disclosure flaw in Business Process Management: attackers could access a list of SAP users as part of targeted attacks and could also help to exploit other vulnerabilities, such as guessing user passwords
According to a SAP representative, the company works closely with security experts around the world in order to find and remediate product vulnerabilities as early as possible. The issues identified by Positive Technologies in some SAP products were addressed by patches released earlier this year (February through April, a full list is below). The company recommends that all clients read the latest SAP security notes and install updates in a timely manner.
Positive Technologies has partnered with SAP for many years and contributed greatly to making products more secure. The representative confirmed, that such research was published under responsible disclosure, giving SAP sufficient time to fix issues and distribute updates.
Positive Technologies offers several products to protect SAP solutions from these and similar threats. MaxPatrol vulnerability and compliance management system enables timely identification of vulnerabilities in SAP products, inventory of SAP systems, management of updates, and analysis of settings, configurations, and access privileges. MaxPatrol SIEM is compatible out-of-the-box with SAP systems running on SAP NetWeaver ABAP/Java. PT Application Firewall uses special security profiles to identify attacks (including zero-day attacks) targeting vulnerabilities in SAP NetWeaver, SAP ICM, SAP Management Console, and SAP SOAP RFC. PT Application Inspector supports detection of security issues in the source code of applications written in Java for the SAP NetWeaver Java platform.
Vulberabilities identified and patched:
- Absence of XML validation in SAP Enterprise Portal (CVSS score 6.5). Security note 2369541
- Information disclosure flaw in Business Process Management (CVSS score 5.3). Security note 2372188
- XSS vulnerability in SAP Enterprise Portal styleservice (CVSS score 5.4). Security note 2392509
- XSS vulberability in SAP NetWeaver Monitoring application (CVSS score 6.1). Security note 2417046
- Absence of XML validation in Web Dynpro Flash Island (CVSS score 7.5). Security note 2410082
- Absence of XML validation in SAP Composite Application Framework Authorization Tool (CVSS score 4.9). Security note 2372301
- Absence of XML validation in SAP NetWeaver Web Services Configuration UI (CVSS score 5.4). Security note 2400292
- Absence of XML validation in SAP NetWeaver Web Services Configuration UI (CVSS score 3.8). Security note 2406918