Critical business applications such as SAP and Oracle ERP products process and store the Fortune 2000’s most critical data, yet spur relatively little concern when it comes to security vulnerabilities.
That trend seems to be reversing itself, given the spate of disclosures and high-profile vulnerabilities that have been patched in the past year.
Today, researchers at Onapsis disclosed 21 security issues in SAP HANA, SAP’s in-memory platform for database management, application processing and integration services. All of the issues have been patched by SAP or, in the case of a critical configuration issue, addressed with new guidance for administrators.
“These products are behind the biggest companies in the world in handling scientific data and millions of dollars of business crown jewels in every organization,” said Ezequiel Gutesman, director of research at Onapsis. “There has been an increase in vulnerability reports in these applications in the last year, but it’s not receiving the attention it deserves.
“Every Fortune 2000 organization is running SAP or Oracle or other business applications and they’re missing a lot of security checks. And there’s not enough people concerned about vulnerabilities present in this software,” Gutesman said. “It’s been a common practice to leave security of these systems to a segregation of duties. Now vulnerabilities in these apps are notorious and could be the targets of criminal or state-sponsored attackers.”
Eight of the 21 advisories addressed by SAP were rated critical, and six of those relate to the TrexNet administrative interfaces present in every HANA installation, which allow the execution of business-critical functions, especially in high-availability environments, Gutesman said. The interfaces’ default configuration leaves them exposed to remote attack and requires a new configuration, which SAP provided in a security advisory. An attacker who successfully exploited these flaws would have a direct path to an organization’s business data, which could be manipulated, deleted or stolen.
“If you install SAP HANA, by default all of these interfaces are open,” Gutesman said. “You must configure parameters to close them to the outside world. If you orchestrate communication between multiple servers, they have to be on an isolated network.”
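A concrete version of the configuration check Gutesman describes, added here as an example and not code from the article, Onapsis or SAP: HANA decides which network its internal (TrexNet) services bind to through the `listeninterface` parameter in the `[communication]` section of `global.ini`, a setting documented in the SAP HANA security guide but not named in the article. The value `.global` binds the internal services to every interface, `.internal` restricts them to a dedicated internal network described in `[internal_hostname_resolution]`, and `.local` keeps them on loopback for single-host systems. The script below parses a `global.ini` and flags the exposing setting; the INI fragments, addresses and host names are constructed for the example.

```python
"""Audit the internal (TrexNet) listen interface of a SAP HANA global.ini.

Added example, not Onapsis or SAP code. The parameter names are the real
HANA settings [communication] listeninterface and the section
[internal_hostname_resolution]; the INI text below is constructed.
"""
import configparser

# Constructed sample: the exposing default-style configuration.
WEAK_GLOBAL_INI = """
[communication]
listeninterface = .global
"""

# Constructed sample: internal services bound to an isolated network,
# with the hostname mapping that .internal requires.
HARDENED_GLOBAL_INI = """
[communication]
listeninterface = .internal

[internal_hostname_resolution]
192.168.100.11 = hana-node1
192.168.100.12 = hana-node2
"""


def audit_listeninterface(ini_text: str, multi_host: bool = True) -> list[str]:
    """Return a list of findings (empty when the setting looks sane).

    multi_host: True for a scale-out system, where inter-node traffic must
    stay on an isolated network; False for a single-host system.
    """
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(ini_text)
    value = cp.get("communication", "listeninterface", fallback=None)
    findings: list[str] = []

    if value is None:
        # Not setting it explicitly leaves the effective default in charge;
        # pin it so internal services cannot end up on every interface.
        findings.append("listeninterface is not set explicitly; set it to "
                        ".internal (scale-out) or .local (single host)")
        return findings

    setting = value.strip().lower()
    if setting == ".global":
        findings.append("listeninterface=.global exposes the internal TrexNet "
                        "services on every network interface")
    elif setting == ".internal":
        # .internal is only complete with the node mapping it relies on.
        if (not cp.has_section("internal_hostname_resolution")
                or not cp.items("internal_hostname_resolution")):
            findings.append("listeninterface=.internal but "
                            "[internal_hostname_resolution] has no host mappings")
    elif setting == ".local":
        if multi_host:
            findings.append("listeninterface=.local only works for single-host "
                            "systems; scale-out nodes could not communicate")
    else:
        findings.append(f"unrecognised listeninterface value {value!r}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_GLOBAL_INI), ("hardened", HARDENED_GLOBAL_INI)):
        print(label, audit_listeninterface(text) or "OK")
```

The check only covers the configuration half of the advice. Binding to `.internal` still assumes the network it names is actually segregated, so the addresses listed under `[internal_hostname_resolution]` should be verified against the switch or cloud network configuration rather than trusted from the file alone.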
SAP also patched a number of memory corruption and SQL-based vulnerabilities, all of which could lead to either remote code execution or denial-of-service attacks. For some of the vulnerabilities, Gutesman said, one maliciously crafted packet might be enough to bring down a system, or gain access to critical data.
“The complexity is not high,” Gutesman said, adding that neither SAP nor Onapsis is aware of public exploits.
In the meantime, Gutesman expects the study of these critical applications to continue.
“They are difficult in terms of the complexity and knowledge needed to research vulnerabilities,” Gutesman said, acknowledging that understanding not only the architecture of these applications but also how they interact with one another is crucial to adequate vulnerability research.
“Any security researcher who wants to get their hands into these apps would require some business-level knowledge of how these apps work,” Gutesman said. “Sometimes it’s not always related to software vulnerabilities, but a simple misconfiguration allowing an attacker to carry out actions they should not be able to do. There are so many coexisting architectures that could be leveraged by attackers. It’s a whole world by itself.”