A pair of recently patched security vulnerabilities in SAP NetWeaver Application Server Java* could have been combined to hack customer relationship management (CRM) systems.
When exploited together, the directory traversal and log injection flaws lead to information disclosure, privilege escalation and full SAP CRM system compromise. Both bugs were resolved by updates last month.
The security issues were rated 6.3 and 7.7 on the CVSS v3 base score, but their combined impact was much more severe, according to enterprise app security specialists ERPScan, the consultancy that uncovered the vulnerabilities.
The results of a scan by the firm released yesterday suggest that more than 500 SAP CRM systems were unpatched against the flaws and accessible via the internet.
The researchers shared details of the bugs with SAP prior to the development of patches, including how they can be exploited:
- An attacker uses the directory traversal vulnerability to read encrypted admin credentials from a system config file
- They decrypt this password and log into the SAP CRM portal
- Then the attacker uses another directory traversal vulnerability to change the SAP log file path to the web application root path
- Finally, using a special request, they can inject the log file with malicious code and call it anonymously from a remote web server
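From the defender's side, the two conditions this chain relies on can be checked directly. The Python sketch below is an added example, not code from ERPScan or SAP: it flags request targets that decode to a ".." path component (including double-encoded forms) and tests whether a configured log path resolves inside the web root. All paths, the "file" parameter and the function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(request_target):
    """True if any path or parameter segment decodes to a '..' component."""
    decoded = fully_decode(request_target).replace("\\", "/")
    for sep in "?&=;":
        decoded = decoded.replace(sep, "/")
    return ".." in decoded.split("/")

def log_path_in_web_root(log_path, base_dir, web_root):
    """True if the configured log path resolves inside the web root.

    Lexical check only: symlinks are not followed.
    """
    joined = posixpath.join(base_dir, log_path.replace("\\", "/"))
    resolved = posixpath.normpath(joined)
    root = posixpath.normpath(web_root)
    return resolved == root or resolved.startswith(root + "/")

# Constructed sample data; the paths and the "file" parameter are hypothetical.
SAMPLE_REQUESTS = [
    "/portal/download?file=report.pdf",
    "/portal/download?file=../../config/secure.properties",
    "/portal/download?file=%2e%2e%2f%2e%2e%2fconfig",
    "/portal/download?file=%252e%252e%252fconfig",
    "/portal/docs/v1..2/notes.txt",
]

def flag_requests(requests):
    """Return the request targets that contain a traversal component."""
    return [r for r in requests if has_traversal(r)]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_REQUESTS):
        print("traversal:", hit)
    print(log_path_in_web_root("../../../srv/app/webroot/app.log",
                               "/var/log/app", "/srv/app/webroot"))
```

A log destination that resolves under a web-served directory is worth alerting on by itself, since it turns any attacker-influenced log content into something a web server may serve.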
ERPScan's researchers found a bug in SAP NetWeaver AS Java as far back as February 2016 but SAP was initially unable to replicate the problem. It was then wrongly classified as a duplicate of a previously reported issue, delaying the German software maker's normally efficient remediation process.
In response to queries from El Reg, SAP confirmed that it had patched both issues last month and urged customers to apply its updates, if they hadn't done so already. It thanked the ERPScan team for flagging up the faults.
SAP Product Security Response Team collaborates frequently with research companies like ERPScan to ensure a responsible disclosure of vulnerabilities. All vulnerabilities in question have been fixed using security notes 2547431 and 2565622. Both security notes were released as part of February patch day. We strongly advise our customers to secure their SAP landscape by applying the available security patches immediately.
CRM systems typically store business-critical data (such as clients' personal information, prices, contact points), making any breach both costly and a threat to a victim's reputation.
Details of the vulnerabilities were unveiled during a presentation by ERPScan yesterday at the Troopers security conference, an annual event with a special track focused on SAP Security. During the talk, SAP BUGS: The Phantom Security, researchers explained how hackers might be able to remotely read any file on unpatched SAP CRM without authentication.
Vahagn Vardanyan, senior security researcher of ERPScan, warned: "The security researchers at ERPScan identified directory traversal and log injection vulnerabilities in the solution. The two issues in combination lead to information disclosure, privilege escalation, and complete SAP systems compromise. The two vulnerabilities can wreak havoc in any company running SAP CRM."
ERPScan has put together a micro-site featuring details of the vulnerabilities and an overview of the attack process. ®
* SAP NetWeaver AS Java is an application platform that forms part of SAP CRM.