SAP’s March patch update included a fix for a critical remote code execution vulnerability in SAP GUI, the desktop client through which users in a corporate network connect to a central SAP server.
Researchers at ERPScan, a Dutch company specializing in business application security, disclosed some details and a proof-of-concept exploit for the vulnerability, CVE-2017-6950, today during the Troopers security conference in Germany. The vulnerability allows an attacker to remotely deliver code that executes on the vulnerable client; should an attacker, for example, use it to run ransomware, critical business systems could be held hostage.
ERPScan calls this the most dangerous SAP vulnerability since a 2011 verb tampering vulnerability was disclosed at the Black Hat conference. SAP GUI for Windows 7.20 and 7.30, and SAP GUI for Windows 7.40 Core SP011 are affected, the company said.
“We have no information or evidence of this vulnerability being exploited at a customer but advise all customers to patch their infrastructure immediately,” an SAP representative told Threatpost. “Customers are required to apply the SAP GUI patch released on their landscape using their standard client software distribution and update tools (which they would have in place for end-user software licensed from other vendors as well).”
ERPScan’s researchers said that an attacker would first need to compromise an SAP server such as NetWeaver, SAP’s application server platform, which runs both Java and ABAP (Advanced Business Application Programming) code. ERPScan cautions that there are 3,800 known vulnerabilities in SAP products, and given business requirements, the downtime necessary to update systems often delays bringing these critical servers up to current patch levels.
“There are two factors that worsen the situation. Firstly, in this case, the patching process is especially laborious and time-consuming, as the vulnerability affects the client side, so an SAP administrator has to apply the patch on every endpoint with SAP GUI in a company, and a typical enterprise has thousands of them. Secondly, each client can have its own unique payment address, which hampers the paying process,” said Vahagn Vardanyan, senior security researcher at ERPScan.
In a report published today, ERPScan explains that an attacker could attack the endpoints running the vulnerable SAP GUI through maliciously crafted ABAP code on the compromised server that would cause the client to execute malware, including ransomware, automatically.
“Each time a user [logs in] to the infected SAP server using SAP GUI, the malicious transaction will be executed calling a program on an endpoint that downloads the ransomware on SAP GUI,” ERPScan said. “Next time a user tries to run an SAP GUI application, the ransomware will be executed and prevent him or her from logging on to the SAP server.”
In addition to ransomware, an attacker could run other payloads that give access to arbitrary files and directories in an SAP filesystem. This would include source code and configuration files, ERPScan said. Critical business data would also be at risk.
“The damage depends on hacker’s skills and imagination as the vulnerability allows executing any code,” said Dmitry Chastukhin, lead security researcher at ERPScan. “For example, a malicious person can obtain or delete sensitive information as well as simply make workstations unavailable. SAP GUI is literally installed on every PC within a company using SAP, so this vulnerability opens the door to mass exploitation.”
The SAP GUI is installed on SAP workstations, so SAP’s 345,000-plus customers and millions of individual users could be affected. Chastukhin said that patching SAP requires downtime, which could contribute to companies’ hesitancy to patch. He also cautions that some organizations may not be aware that some vulnerable SAP services are enabled by default or that a particular module may be installed.
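Because the fix has to reach every endpoint rather than one server, the first practical step is knowing which workstations still run an affected SAP GUI release. The script below is an added example, not code from Threatpost, SAP or ERPScan: it reads the file version of saplogon.exe on a list of Windows endpoints and flags the ones the article lists as affected. It assumes the default 32-bit install path for SAP GUI for Windows, that the file version major number encodes the release (7200, 7300, 7400), and that the administrator supplies the fixed 7.40 patch level from the SAP security note as -MinimumVersion (the default value is a placeholder, not the real threshold).

```powershell
# Added example (not from the article or the vendors named in it).
# Inventories SAP GUI for Windows versions across endpoints and flags releases
# the article lists as affected: 7.20, 7.30, and 7.40 below the fixed level.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # ASSUMPTION: placeholder only. Replace with the fixed patch level from SAP's note.
    [version]$MinimumVersion = [version]'7400.1.12.0',
    # ASSUMPTION: default install path of SAP GUI for Windows (32-bit).
    [string]$SapLogonPath = 'C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe'
)

# Runs on the target machine: returns the saplogon.exe file version or $null.
$probe = {
    param($path)
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    $fv = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
    # FileVersion is a string such as "7400.1.11.1234"; strip anything that is
    # not a digit or a dot so it parses as [version].
    [version]($fv -replace '[^0-9.]', '')
}

function Get-SapGuiStatus {
    param([version]$Version, [version]$Minimum)
    if ($null -eq $Version) { return 'not installed' }
    # ASSUMPTION: major number 7200/7300 means SAP GUI 7.20/7.30, which the
    # article lists as affected with no patch level given, so treat as upgrade.
    if ($Version.Major -in 7200, 7300) { return 'AFFECTED (7.20/7.30): upgrade' }
    if ($Version.Major -eq 7400 -and $Version -lt $Minimum) { return 'AFFECTED (7.40): patch' }
    return 'ok'
}

$results = foreach ($computer in $ComputerName) {
    try {
        if ($computer -ieq $env:COMPUTERNAME) {
            $v = & $probe $SapLogonPath
        } else {
            # Remote query over WinRM; requires PowerShell remoting to be enabled.
            $v = Invoke-Command -ComputerName $computer -ScriptBlock $probe `
                                -ArgumentList $SapLogonPath -ErrorAction Stop
        }
        [pscustomobject]@{
            Computer      = $computer
            SapGuiVersion = $v
            Status        = Get-SapGuiStatus -Version $v -Minimum $MinimumVersion
        }
    } catch {
        [pscustomobject]@{
            Computer      = $computer
            SapGuiVersion = $null
            Status        = "error: $($_.Exception.Message)"
        }
    }
}

# Affected machines first so the patch queue is obvious.
$results | Sort-Object Status -Descending | Format-Table -AutoSize
```

Feed it the endpoint list from your software distribution tool (the same one SAP says should deliver the patch), and treat every line that is not "ok" or "not installed" as work remaining; an "error" row usually means WinRM is off or the machine is offline, not that it is clean.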
SAP’s March patch update also included a fix for vulnerabilities in its HANA in-memory database that scored higher in criticality than the GUI bug. These vulnerabilities affected the HANA User Self Service, or USS, which lets users carry out tasks, such as account creation or password recovery. While the service comes disabled by default, some users activate it in order to allow external users access to internal capabilities–something that exposes the component to the Internet.
This story was updated March 22 with comments from ERPScan’s Dmitry Chastukhin.