March 14, 2017 By Charlie Singh 3 min read

As I sit in my home office sipping tea and watching the Nor’easter dump snow in mid-March, I get an alert on my phone from a news feed around critical vulnerability patches being released by SAP. This news, published by Reuters, immediately reminded me of a blog I wrote last year.

Before I discuss the details of the latest two SAP HANA vulnerabilities and the potential business impact, let me take a moment to reiterate that this is the most vulnerable period for any SAP customer with this critical flaw in their IT landscape. This period, which I call “Hackers Busy Cracking,” started this morning and will not end until affected clients across the globe apply the patch from SAP.

Breaking Down the SAP HANA Vulnerabilities

Onapsis Security Research Lab discovered these vulnerabilities but hasn’t published technical details yet. We do know that the vulnerability is in the user self-service functionality provided by SAP HANA and has been present since SPS09 of SAP HANA, which was released in 2014.

As the name suggests, the user self-service functionality enables users to perform maintenance and support activities for their accounts and for new users to register the accounts. For this functionality to be useful, it must be accessible from wherever the user population is, be it on internal or external networks.

The second critical vulnerability revolves around session fixation, which can allow an attacker to elevate privileges by impersonating another user in the system. The SAP HANA 2.0 SPS 00 version is affected by this vulnerability.

A Double-Edged Sword

User self-service is a good example of technology that is a double-edged sword. It cuts costs associated with supporting a large user population and reduces the time taken to correct user issues, thus ensuring individuals spend more time as productive users. However, any unattended mechanism that allows modification of accounts without human intervention will always be an attractive target.

According to the Onapsis report, a combination of vulnerabilities can allow an attacker with remote access to the user self-service functionality to edit any account on the system, including activating previously deactivated accounts. The natural target for this attack would be the SYSTEM account present in all HANA deployments.

Hijacking the Three Fundamental Tenants of Security

The potential business impact of an attacker with access to the SYSTEM account is extraordinary. The three fundamental tenants of a securely operational system are no longer effective and are all under the control of the attacker. These three tenants are:

  • Confidentiality: As the SYSTEM account, an attacker can query and view or extract any data in the system, bypassing restrictions designed to prevent users from seeing sensitive or confidential information.
  • Integrity: An attacker can modify any data in the system. An attacker could, for example, search for banking and payment information. With a few keystrokes, he or she could modify that information to send payments to any account.
  • Availability: The HANA Extended Application Services (HANA XS) runs web-based applications directly on top of the SAP HANA platform. The HTML code associated with these applications is stored in the HANA DB. The attacker has access to all this code and can modify any application, rendering it unusable or changing the functionality.

Stay One Step Ahead

As SAP stated this morning, these vulnerabilities are now fixed for customers running SAP HANA revisions 122.7 for SAP HANA 1.0 and revision 1 for SAP HANA 2.0 SPS 00. I strongly urge all SAP HANA customers to check their HANA version levels and make immediate plans to prioritize these updates.

SAP customers who have already deployed active threat protection (ATP) controls or third-party products are one step ahead of zero-day threats. For the rest, look to invest in an active threat monitoring and detection solution — meaning a SAP-specific threat vector detection solution.

Visit us at IBM InterConnect 2017 to learn more and discuss other measures to safeguard SAP systems at your company.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today