A report from enterprise security firm Positive Technologies reveals that its research team found eight different vulnerabilities in SAP software in early 2017.
The most serious of the flaws, the absence of XML validation in the Web Dynpro Flash Island development environment, received a Common Vulnerability Scoring System
(CVSS)score of 7.5 (out of 10). That flaw allows a hacker to perform an XML external entity (XXE) attack, giving them access to files on the compromised server.
Encryption keys and other critical information could be stolen in an XXE attack of that kind, and it also opens the door to a denial of service (DoS) attack.
Those concerned will be relieved to learn that all of the flaws Positive Technologies found were patched by SAP earlier this year. That doesn't matter, however, if the server isn't updated.
The baleful eight
As mentioned above, the most serious flaw discovered in SAP software was the absence of XML validation in the Web Dynpro Flash Island development environment, which is used for building SAP web apps.
SEE: IT pro's guide to effective patch management (free PDF) (TechRepublic)
That's hardly the only problem, though: There are seven more that merit mentioning.
- Absence of XML validation in SAP Composite Application Framework Authorization Tool: Could allow an attacker to access all files on a server, steal administrator credentials, and escalate user privileges.
- Two separate instances of the absence of XML validation in SAP NetWeaver Web Services Configuration UI: Both could allow an attacker to access all files on a server, steal administrator credentials, and escalate user privileges. Could also allow inside attacker access to operating system password hashes, secure storage files, and SAP encryption keys.
- Absence of XML validation in SAP Enterprise Portal: Could allow inside attacker access to operating system password hashes, secure storage files, and SAP encryption keys.
- Information disclosure flaw in Business Process Management: Could give an attacker access to SAP user lists.
- XSS vulnerability in SAP Enterprise Portal styleservice: Could allow for injection of malicious scripts.
- XSS vulnerability in SAP NetWeaver Monitoring application: Could allow for injection of malicious scripts.
How to keep your SAP servers from being knocked offline
The lack of XML validation in Web Dynpro Flash Island, the SAP Enterprise Portal, and the SAP NetWeaver Web Services Configuration UI could all take servers offline through DoS attacks, in the case of the former, and DDoS attacks in the case of the latter two.
SEE: CISSP: Certified Information Systems Security Professional Training (TechRepublic Academy)
"SAP products are used at hundreds of thousands of companies," Positive Technologies says. "This software is so commonplace and so central to operations that even exploits of run-of-the-mill vulnerabilities can be devastating."
All eight of the flaws found by Positive Technologies have been patched. Most of them, in fact, were patched months ago. If your systems aren't updated you'll be taking responsibility for a potentially serious attack that could have easily been avoided.
The top three takeaways for TechRepublic readers:
- A security research firm found eight flaws in SAP software that could cause a variety of serious security breaches.
- The most serious of the flaws is a lack of XML validation in several SAP platforms. Those attacks could cause DDoS attacks, remote access of files on SAP servers, credential escalation, and database intrusion.
- All eight flaws have been patched by SAP, which recommends updating all systems immediately.
- Massive DDoS attacks up 138% from last year, says Akamai report (TechRepublic)
- Cloud vulnerabilities are being ignored by the enterprise (ZDNet)
- How to keep your data lakes from becoming cesspools (TechRepublic)
- SAP vulnerabilities can take servers offline (ZDNet)
- IT leader's guide to big data security (Tech Pro Research)