SAP recently fixed 15 different vulnerabilities that existed in the database management system HANA and subsequent communication channels used by the software. All told the vulnerabilities affect just north of 10,000 SAP customers running different versions of the system, according to researchers at Onapsis, who disclosed the bugs Thursday.
Nine of the bugs affected HANA, the cloud-based business platform that has been increasingly targeted by attackers as of late. Another six affected TREXnet, an internal communication channel that feeds into HANA.
One of the most pressing vulnerabilities, a SYSTEM user brute force attack, affected HANA. According to the advisory, if exploited, a remote attacker could achieve high privileges on a system and gain unrestricted access to any business information.
Four other bugs marked “high risk” also existed in HANA. Two of them – an injection via HTTP request bug and SQL injection bug – could let an attacker tamper with the audit logs to hide evidence of an attack. The other two, both remote code execution bugs, could let an attacker access and modify stored SAP data.
The scariest TREX bug, a critical remote code execution bug, could allow an attacker access and modify any information indexed by an affected SAP system.
Additional bugs – an arbitrary file write bug, a remote directory traversal, and a remote file read bug are branded “high risk” by the firm. They could result in one of two outcomes: Attackers could either access information or modify information – but not both, unless combined. An additional bug discovered by Onapsis could disclose sensitive TNS information about the TREX NameServer. With this information, an attacker would have a much easier time crafting specialized attacks, the firm warns.
Nahuel Sanchez, a security researcher at Onapsis, broke down technical details around two bugs in a blog post on Thursday.
Sanchez explained how an attacker could achieve information disclosure through an error message. When a user attempts to login to the SAP HANA database through the SQL interface and fails, they’re greeted with a message: “invalid username or password.” When a user tries to login under a taken, locked username, they’re given a different message entirely however.
Onapsis discovered that by receiving different messages, an attacker could create a Python script to discover legitimate users. As Sanchez points out, exploiting this vulnerability can open the door to another vulnerability: The aforementioned brute force attack.
Before SAP fixed the vulnerabilities there was no limit to how many times a SYSTEM user could stage a login attempt.
“This means that an attacker could perform an unlimited number of login attempts knowing that the SYSTEM user will not be blocked,” Sanchez wrote.
Now SAP locks the SYSTEM user after a certain number of invalid login attempts.
“This set of advisories is unique as most of the vulnerabilities attackers can leverage are undervalued. Meaning, the way in which they can be exploited is not always obvious and can go undetected,”Sebastian Bortnik, Head of Research, Onapsis said Thursday. “For example, one of the critical vulnerabilities that can be exploited creates an error message which includes sensitive information about its environment, users, or associated data.”
Onapsis periodically finds bugs in SAP HANA but this is the first chunk of vulnerabilities the firm has identified in the platform this year. Last November the company discovered 21 issues in SAP HANA, including eight critical bugs.
The United States Computer Emergency Readiness Team (US-CERT) encouraged SAP users in May to verify whether or not they were running an outdated or misconfigured system. The alert came in the wake of news around an old vulnerability, originally patched by SAP way back in 2010 that was found affecting at least 36 organizations worldwide since 2013. The vulnerability stemmed from an issue in Invoker Servlet, part of the J2EE Engine’s Web Container. According to an Onapsis report at the time, large organizations from the U.S., U.K., Germany, and China were being targeted and breached through the bug.
Sanchez claims that today’s SAP advisories are just the beginning of a long series of disclosures; the company plans to disclose 40 vulnerabilities in both SAP and Oracle in the next month.
Matias Mevied, a researcher with the firm is credited for discovering at least one of the bugs patched this week by Oracle. The company issued its largest ever Critical Patch Update on Tuesday afternoon, addressing 276 vulnerabilities, more than half of which are remotely exploitable.
