SAP patched a series of critical vulnerabilities in its cloud-based business platform HANA today that if exploited, could allow for a full system compromise without authentication.
When chained together the flaws could lead to the theft of confidential information, financial fraud, and the disruption of key business processes, even without having a legitimate SAP HANA username or password, researchers warn. The attacker could also modify information in the database, including banking payment details, and modify HTML code for any site running on HANA XS.
SAP HANA, an in-memory database, has been increasingly targeted by hackers over the last year; the management system is primarily used to store, retrieve, and process core business data.
These particular vulnerabilities affect a specific component, User Self Service, or USS, which lets users carry out tasks, such as account creation or password recovery. While the service comes disabled by default, some users activate it in order to allow external users access to internal capabilities–something that exposes the component to the Internet.
According to researchers with Onapsis who identified the vulnerabilities, some of the bugs have existed since the component was released roughly two and a half years ago. The bugs were discovered in HANA 2, released last November, but since the user self service component was launched in October 2014 and figures into other SAP software, researchers stress that other products, such as HANA, S/4, Business Suite on HANA, and some Cloud apps, may also be affected.
“This level of access would allow an attacker to perform any action over the business information and processes supported by HANA, including creating, stealing, altering, and/or deleting sensitive information. If this vulnerability is exploited, organizations may face severe business consequences,” Sebastian Bortnik, the firm’s head of research, said Tuesday.
There’s no evidence that attackers have exploited the vulnerability yet but according to Bortnik, the fact that the flaws have existed in the wild for nearly 29 months, “highly increases the likelihood” they’ve been discovered and weaponized.
“Even if the service is not enabled, we still recommend that these organizations apply the patches in case a change is made to the system in the future,” Bortnik said.
— Sebastian Bortnik (@onabortnik) March 14, 2017
Onapsis worked with companies, some with the component enabled, leaving them vulnerable, to deploy mitigations prior to the patch’s release.
SAP pushed a fix for the vulnerability, less than 60 days after Onapsis alerted the company, along with 24 other bugs, as part of its patch cycle on Tuesday. The user self service vulnerabilities, Note #2424173, fetched a 9.8 CVSS rating and a “very high” priority by SAP. Other bugs fixed today include a session fixation vulnerability, Note #2429069, along with a handful of denial of service conditions, cross site scripting bugs, and SQL injections.
Researchers with the firm warn that the following SAP HANA systems are vulnerable, if User Self Service is enabled: SAP HANA SPS09 (1.00.91.14118659308), SAP HANA SPS10 (1.00.101.00.1435831848), SAP HANA SPS11 (1.00.110.144775), SAP HANA SPS 12 (newDB rel 1.00.121.00.1466466057) and above, and SAP HANA 2 SPS0 (newDB rel 2.00.000.00.1479874437).
The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) warned users about the dangers of running outdated or misconfigured SAP business systems last May. The alert, the first of its kind for SAP, pertained to the Invoker Servlet. The built-in function, part of the standard J2EE specification, was patched in 2010 but researchers with Onapsis warned at the time that it was had tied to attacks on three dozen global enterprises dating back to 2013.