March 14, 2017 By Charlie Singh 3 min read

As I sit in my home office sipping tea and watching the Nor’easter dump snow in mid-March, I get an alert on my phone from a news feed around critical vulnerability patches being released by SAP. This news, published by Reuters, immediately reminded me of a blog I wrote last year.

Before I discuss the details of the latest two SAP HANA vulnerabilities and the potential business impact, let me take a moment to reiterate that this is the most vulnerable period for any SAP customer with this critical flaw in their IT landscape. This period, which I call “Hackers Busy Cracking,” started this morning and will not end until affected clients across the globe apply the patch from SAP.

Breaking Down the SAP HANA Vulnerabilities

Onapsis Security Research Lab discovered these vulnerabilities but hasn’t published technical details yet. We do know that the vulnerability is in the user self-service functionality provided by SAP HANA and has been present since SPS09 of SAP HANA, which was released in 2014.

As the name suggests, the user self-service functionality enables users to perform maintenance and support activities for their accounts and for new users to register the accounts. For this functionality to be useful, it must be accessible from wherever the user population is, be it on internal or external networks.

The second critical vulnerability revolves around session fixation, which can allow an attacker to elevate privileges by impersonating another user in the system. The SAP HANA 2.0 SPS 00 version is affected by this vulnerability.

A Double-Edged Sword

User self-service is a good example of technology that is a double-edged sword. It cuts costs associated with supporting a large user population and reduces the time taken to correct user issues, thus ensuring individuals spend more time as productive users. However, any unattended mechanism that allows modification of accounts without human intervention will always be an attractive target.

According to the Onapsis report, a combination of vulnerabilities can allow an attacker with remote access to the user self-service functionality to edit any account on the system, including activating previously deactivated accounts. The natural target for this attack would be the SYSTEM account present in all HANA deployments.

Hijacking the Three Fundamental Tenants of Security

The potential business impact of an attacker with access to the SYSTEM account is extraordinary. The three fundamental tenants of a securely operational system are no longer effective and are all under the control of the attacker. These three tenants are:

  • Confidentiality: As the SYSTEM account, an attacker can query and view or extract any data in the system, bypassing restrictions designed to prevent users from seeing sensitive or confidential information.
  • Integrity: An attacker can modify any data in the system. An attacker could, for example, search for banking and payment information. With a few keystrokes, he or she could modify that information to send payments to any account.
  • Availability: The HANA Extended Application Services (HANA XS) runs web-based applications directly on top of the SAP HANA platform. The HTML code associated with these applications is stored in the HANA DB. The attacker has access to all this code and can modify any application, rendering it unusable or changing the functionality.

Stay One Step Ahead

As SAP stated this morning, these vulnerabilities are now fixed for customers running SAP HANA revisions 122.7 for SAP HANA 1.0 and revision 1 for SAP HANA 2.0 SPS 00. I strongly urge all SAP HANA customers to check their HANA version levels and make immediate plans to prioritize these updates.

SAP customers who have already deployed active threat protection (ATP) controls or third-party products are one step ahead of zero-day threats. For the rest, look to invest in an active threat monitoring and detection solution — meaning a SAP-specific threat vector detection solution.

Visit us at IBM InterConnect 2017 to learn more and discuss other measures to safeguard SAP systems at your company.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today