SAP has issued an updated patch for a code-injection vulnerability affecting the TREX search engine integrated into more than a dozen SAP products, including the old NetWeaver application integration platform and the SAP HANA database.
The flaw was originally found in 2015 and patched in SAP HANA, the company’s in-memory data analysis and database infrastructure.
ERPScan head of threat intelligence Mathieu Geli continued to look into the vulnerability and found that the original patch was incomplete. The flaw could still be exploited through the search engine’s internal communication protocol called TREXNet, which lacks authentication.
“I reversed a protocol for HANA and then for the TREX search engine. As they share a common protocol, the exploit has been easily adapted,” Geli said in a statement. “SAP fixed some features, but not everything affecting the core protocol. It was still possible to get full control on the server even with a patched TREX.”
The flaw (CVE-2017-7691) was patched Tuesday along with 14 other vulnerabilities as part of SAP’s scheduled patch release. The TREX vulnerability was given the highest severity rating of the bugs patched yesterday.
ERPScan said an attacker who exploits the vulnerability would need to forge a request to the TREXNet ports in order to read or create files. The researchers said details on the vulnerability would not be released for another 90 days.
SAP also updated a security note for a patch released last month for a remote code execution vulnerability in the SAP GUI for Windows, a client that provides remote access to a central SAP server in an enterprise. SAP is advising users to activate the SAP GUI Security Module.
The vulnerability allows an attacker to remotely upload code that would execute on the vulnerable client; should an attacker, for example, successfully execute a ransomware attack, critical business systems could be held hostage, ERPScan researchers said, adding that this was the most critical SAP flaw in six years when a verb tampering flaw was disclosed at Black Hat in the summer of 2011.
Two other high-severity issues were patched by SAP on Tuesday.
The first was a missing XML validation in the Web Dynpro Flash Island, a development environment used to build rich internet applications. SAP also patched a number of vulnerabilities in SAPLPD, a transfer program used for front-end printing on SAP systems.
SAP also patched eight flaws it rated as medium severity, and two low-severity vulnerabilities. The most severe of the medium severity issues include a cross-site scripting bug in SAP NetWeaver Central Technical Configuration, a missing authorization check in SAP NetWeaver ADBC Demo Programs, and incorrect authorization checks in SAP ERP Logistics Customer Master and Vendor Master.