NewsMarch 14, 2017 @ 10:45 AM

Got SAP HANA? Your Calendar Just Filled Up With Zero-Day Critical Vulnerabilities

As I sit in my home office sipping tea and watching the Nor’easter dump snow in mid-March, I get an alert on my phone from a news feed around critical vulnerability patches being released by SAP. This news, published by Reuters, immediately reminded me of a blog I wrote last year.

Before I discuss the details of the latest two SAP HANA vulnerabilities and the potential business impact, let me take a moment to reiterate that this is the most vulnerable period for any SAP customer with this critical flaw in their IT landscape. This period, which I call “Hackers Busy Cracking,” started this morning and will not end until affected clients across the globe apply the patch from SAP.

graph for Charlie Singh news item about SAP HANA vulnerabilties.

Breaking Down the SAP HANA Vulnerabilities

Onapsis Security Research Lab discovered these vulnerabilities but hasn’t published technical details yet. We do know that the vulnerability is in the user self-service functionality provided by SAP HANA and has been present since SPS09 of SAP HANA, which was released in 2014.

As the name suggests, the user self-service functionality enables users to perform maintenance and support activities for their accounts and for new users to register the accounts. For this functionality to be useful, it must be accessible from wherever the user population is, be it on internal or external networks.

The second critical vulnerability revolves around session fixation, which can allow an attacker to elevate privileges by impersonating another user in the system. The SAP HANA 2.0 SPS 00 version is affected by this vulnerability.

A Double-Edged Sword

User self-service is a good example of technology that is a double-edged sword. It cuts costs associated with supporting a large user population and reduces the time taken to correct user issues, thus ensuring individuals spend more time as productive users. However, any unattended mechanism that allows modification of accounts without human intervention will always be an attractive target.

According to the Onapsis report, a combination of vulnerabilities can allow an attacker with remote access to the user self-service functionality to edit any account on the system, including activating previously deactivated accounts. The natural target for this attack would be the SYSTEM account present in all HANA deployments.

Hijacking the Three Fundamental Tenants of Security

The potential business impact of an attacker with access to the SYSTEM account is extraordinary. The three fundamental tenants of a securely operational system are no longer effective and are all under the control of the attacker. These three tenants are:

  • Confidentiality: As the SYSTEM account, an attacker can query and view or extract any data in the system, bypassing restrictions designed to prevent users from seeing sensitive or confidential information.
  • Integrity: An attacker can modify any data in the system. An attacker could, for example, search for banking and payment information. With a few keystrokes, he or she could modify that information to send payments to any account.
  • Availability: The HANA Extended Application Services (HANA XS) runs web-based applications directly on top of the SAP HANA platform. The HTML code associated with these applications is stored in the HANA DB. The attacker has access to all this code and can modify any application, rendering it unusable or changing the functionality.

Stay One Step Ahead

As SAP stated this morning, these vulnerabilities are now fixed for customers running SAP HANA revisions 122.7 for SAP HANA 1.0 and revision 1 for SAP HANA 2.0 SPS 00. I strongly urge all SAP HANA customers to check their HANA version levels and make immediate plans to prioritize these updates.

SAP customers who have already deployed active threat protection (ATP) controls or third-party products are one step ahead of zero-day threats. For the rest, look to invest in an active threat monitoring and detection solution — meaning a SAP-specific threat vector detection solution.

Visit us at IBM InterConnect 2017 to learn more and discuss other measures to safeguard SAP systems at your company.

Share this Article:
Charlie Singh

SAP Security and GRC Leader, IBM

Charlie has over 16 years of experience in audit, risk and compliance arena and has held various technical and leadership positions in the Information Technology and Security field. He has expertise in SAP Security and GRC, ISO and SOX Risk Assessments, Developing Security Strategies and Roadmaps and Leading Remediation Activities. He is sought out to speak on Security and GRC topics at various conferences sponsored by the Internal Audit Institute (IIA) and SAPinsider. Prior to joining IBM, Charlie was the Director of Enterprise Business Systems at American Water where he led the SAP Security and GRC implementation.