March 14, 2017 By Charlie Singh 3 min read

As I sit in my home office sipping tea and watching the Nor’easter dump snow in mid-March, I get an alert on my phone from a news feed around critical vulnerability patches being released by SAP. This news, published by Reuters, immediately reminded me of a blog I wrote last year.

Before I discuss the details of the latest two SAP HANA vulnerabilities and the potential business impact, let me take a moment to reiterate that this is the most vulnerable period for any SAP customer with this critical flaw in their IT landscape. This period, which I call “Hackers Busy Cracking,” started this morning and will not end until affected clients across the globe apply the patch from SAP.

Breaking Down the SAP HANA Vulnerabilities

Onapsis Security Research Lab discovered these vulnerabilities but hasn’t published technical details yet. We do know that the vulnerability is in the user self-service functionality provided by SAP HANA and has been present since SPS09 of SAP HANA, which was released in 2014.

As the name suggests, the user self-service functionality enables users to perform maintenance and support activities for their accounts and for new users to register the accounts. For this functionality to be useful, it must be accessible from wherever the user population is, be it on internal or external networks.

The second critical vulnerability revolves around session fixation, which can allow an attacker to elevate privileges by impersonating another user in the system. The SAP HANA 2.0 SPS 00 version is affected by this vulnerability.

A Double-Edged Sword

User self-service is a good example of technology that is a double-edged sword. It cuts costs associated with supporting a large user population and reduces the time taken to correct user issues, thus ensuring individuals spend more time as productive users. However, any unattended mechanism that allows modification of accounts without human intervention will always be an attractive target.

According to the Onapsis report, a combination of vulnerabilities can allow an attacker with remote access to the user self-service functionality to edit any account on the system, including activating previously deactivated accounts. The natural target for this attack would be the SYSTEM account present in all HANA deployments.

Hijacking the Three Fundamental Tenants of Security

The potential business impact of an attacker with access to the SYSTEM account is extraordinary. The three fundamental tenants of a securely operational system are no longer effective and are all under the control of the attacker. These three tenants are:

  • Confidentiality: As the SYSTEM account, an attacker can query and view or extract any data in the system, bypassing restrictions designed to prevent users from seeing sensitive or confidential information.
  • Integrity: An attacker can modify any data in the system. An attacker could, for example, search for banking and payment information. With a few keystrokes, he or she could modify that information to send payments to any account.
  • Availability: The HANA Extended Application Services (HANA XS) runs web-based applications directly on top of the SAP HANA platform. The HTML code associated with these applications is stored in the HANA DB. The attacker has access to all this code and can modify any application, rendering it unusable or changing the functionality.

Stay One Step Ahead

As SAP stated this morning, these vulnerabilities are now fixed for customers running SAP HANA revisions 122.7 for SAP HANA 1.0 and revision 1 for SAP HANA 2.0 SPS 00. I strongly urge all SAP HANA customers to check their HANA version levels and make immediate plans to prioritize these updates.

SAP customers who have already deployed active threat protection (ATP) controls or third-party products are one step ahead of zero-day threats. For the rest, look to invest in an active threat monitoring and detection solution — meaning a SAP-specific threat vector detection solution.

Visit us at IBM InterConnect 2017 to learn more and discuss other measures to safeguard SAP systems at your company.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today