Researchers slap SAP CRM with vuln combo for massive damage

Directory traversal + log injection = I can see your privates

A pair of recently patched security vulnerabilities in SAP NetWeaver Application Server Java* could have been combined to hack customer relationship management (CRM) systems.

When exploited together, the directory traversal and log injection flaws lead to information disclosure, privilege escalation and full SAP CRM system compromise. Both bugs were resolved by updates last month.

The security issues were rated as 6.3 and 7.7 by CVSS Base Score v.3 but their combined impact was much more severe, according to enterprise app security specialists ERPScan, the consultancy that uncovered the vulnerabilities.

The results of a scan by the firm released yesterday suggest that more than 500 SAP CRM systems were unpatched against the flaws and accessible via the internet.

The researchers shared details of the bugs and how they can be exploited with SAP prior to the development of patches.

  • An attacker uses the directory traversal vuln to read encrypted admin credentials from system config file
  • They decrypt this password and log into SAP CRM portal
  • Then the attacker uses another directory traversal vulnerability to change SAP log file path to the web application root path
  • Finally, using special request, they can inject the log file with malicious code and call it anonymously from a remote web server

ERPScan's researchers found a bug in SAP NetWeaver AS Java as far back as February 2016 but SAP was initially unable to replicate the problem. It was then wrongly classified as a duplicate of a previously reported issue, delaying the German software maker's normally efficient remediation process.

In response to queries from El Reg, SAP confirmed that it had patched both issues last month and urged customers to apply its updates, if they hadn't done so already. It thanked the ERPScan team for flagging up the faults.

SAP Product Security Response Team collaborates frequently with research companies like ERPScan to ensure a responsible disclosure of vulnerabilities. All vulnerabilities in question have been fixed using security notes 2547431 and 2565622.  Both security notes were released as part of February patch day. We strongly advise our customers to secure their SAP landscape by applying the available security patches immediately.

CRM systems typically store business-critical data (such as clients' personal information, prices, contact points), making any breach both costly and a threat to a victim's reputation.

Details of the vulnerabilities were unveiled during a presentation by ERPScan yesterday at the Troopers security conference, an annual event with a special track focused on SAP Security. During the talk, SAP BUGS: The Phantom Security, researchers explained how hackers might be able to remotely read any file on unpatched SAP CRM without authentication.

Youtube Video

Vahagn Vardanyan, senior security researcher of ERPScan, warned: "The security researchers at ERPScan identified directory traversal and log injection vulnerabilities in the solution. The two issues in combination lead to information disclosure, privilege escalation, and complete SAP systems compromise. The two vulnerabilities can wreak havoc in any company running SAP CRM."

ERPScan has put together a micro-site featuring details of vulnerabilities and an overview of attack process. ®


* SAP NetWeaver AS Java is an application platform that forms part of SAP CRM.

Broader topics

Other stories you might like

  • Rows, columns, and the search for a database that can do everything
    Snowflake last week promised analytics and transactions in the same system. For some it was déjà vu all over again

    Analysis Under Nevada's baking summer sunshine, Snowflake last week promised it would bring together two ways of working with data that mix about as well as oil and water.

    The data warehouse vendor – well known for its stratospheric $120 billion post-IPO valuation – said it would support both analytics and transactional workloads in the same system.

    Launched at the Snowflake Summit 2022 in Vegas, Unistore would be the "foundation for another wave of innovation in the Snowflake Data Cloud," said Christian Kleinerman, senior vice president of product. "Similar to how we redefined data lakes and data warehouses for our customers, Unistore is ushering in a renaissance of building and deploying a new generation of applications in the Data Cloud," he said.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading

Biting the hand that feeds IT © 1998–2022