SAP patched a dozen holes in its in-memory management system, HANA, that could have led to SQL injection attacks, cross-site scripting (XSS) errors, and memory corruption vulnerabilities.
Many of the bugs were addressed by the company months ago, but it wasn’t until Tuesday that Onapsis, the security firm that dug up the vulnerabilities, disclosed them.
Perhaps the most pressing issue the firm found was a set of memory corruption vulnerabilities in HANA's HDBSQL client that could have let an attacker abuse management interfaces on the system. By entering a specially crafted input, an attacker could have executed commands and compromised any information stored and processed by the platform.
Another equally risky vulnerability could have let a remote attacker read secret business information stored on the system and tweak certain parameters to lock other users out. Attackers could have used the trace configuration page of Workbench, a web-based development environment in HANA, specifically to execute arbitrary SQL commands.
Other vulnerabilities that Onapsis discovered could have enabled an attacker to partially compromise the system, along with any information processed or stored by it, via a command injection vulnerability, and to change configuration settings and delete user credentials via a SQL injection.
The patches fixed six instances in the software in which an attacker could have injected SQL code, along with two XSS vulnerabilities.
SAP fixed most of the bugs back in April and May of this year, but Onapsis, a Boston-based firm that specializes in SAP and Oracle cybersecurity, waited until this week to announce all of the bugs in one fell swoop.
Another troublesome issue in the popular HANA system, once called SAP’s “hottest product ever,” was found over the summer. Researchers at ERPScan, another firm that digs up bugs in enterprise resource planning software, pointed out at Black Hat Europe in June that a default encryption key was protecting passwords, data, and backups on the system.
Because the encryption key was static, an attacker would have needed only a few tricks, like a SQL injection or a directory traversal, to read encrypted data or remotely execute code.
While few customers follow its recommendations, SAP points out in its documentation for HANA that it encourages end users to verify that the default master keys have been changed, warning that misconfiguration could leave systems vulnerable.