March 14, 2017 By Charlie Singh 3 min read

As I sit in my home office sipping tea and watching the Nor’easter dump snow in mid-March, I get an alert on my phone from a news feed around critical vulnerability patches being released by SAP. This news, published by Reuters, immediately reminded me of a blog I wrote last year.

Before I discuss the details of the latest two SAP HANA vulnerabilities and the potential business impact, let me take a moment to reiterate that this is the most vulnerable period for any SAP customer with this critical flaw in their IT landscape. This period, which I call “Hackers Busy Cracking,” started this morning and will not end until affected clients across the globe apply the patch from SAP.

Breaking Down the SAP HANA Vulnerabilities

Onapsis Security Research Lab discovered these vulnerabilities but hasn’t published technical details yet. We do know that the vulnerability is in the user self-service functionality provided by SAP HANA and has been present since SPS09 of SAP HANA, which was released in 2014.

As the name suggests, the user self-service functionality enables users to perform maintenance and support activities for their accounts and for new users to register the accounts. For this functionality to be useful, it must be accessible from wherever the user population is, be it on internal or external networks.

The second critical vulnerability revolves around session fixation, which can allow an attacker to elevate privileges by impersonating another user in the system. The SAP HANA 2.0 SPS 00 version is affected by this vulnerability.

A Double-Edged Sword

User self-service is a good example of technology that is a double-edged sword. It cuts costs associated with supporting a large user population and reduces the time taken to correct user issues, thus ensuring individuals spend more time as productive users. However, any unattended mechanism that allows modification of accounts without human intervention will always be an attractive target.

According to the Onapsis report, a combination of vulnerabilities can allow an attacker with remote access to the user self-service functionality to edit any account on the system, including activating previously deactivated accounts. The natural target for this attack would be the SYSTEM account present in all HANA deployments.

Hijacking the Three Fundamental Tenants of Security

The potential business impact of an attacker with access to the SYSTEM account is extraordinary. The three fundamental tenants of a securely operational system are no longer effective and are all under the control of the attacker. These three tenants are:

  • Confidentiality: As the SYSTEM account, an attacker can query and view or extract any data in the system, bypassing restrictions designed to prevent users from seeing sensitive or confidential information.
  • Integrity: An attacker can modify any data in the system. An attacker could, for example, search for banking and payment information. With a few keystrokes, he or she could modify that information to send payments to any account.
  • Availability: The HANA Extended Application Services (HANA XS) runs web-based applications directly on top of the SAP HANA platform. The HTML code associated with these applications is stored in the HANA DB. The attacker has access to all this code and can modify any application, rendering it unusable or changing the functionality.

Stay One Step Ahead

As SAP stated this morning, these vulnerabilities are now fixed for customers running SAP HANA revisions 122.7 for SAP HANA 1.0 and revision 1 for SAP HANA 2.0 SPS 00. I strongly urge all SAP HANA customers to check their HANA version levels and make immediate plans to prioritize these updates.

SAP customers who have already deployed active threat protection (ATP) controls or third-party products are one step ahead of zero-day threats. For the rest, look to invest in an active threat monitoring and detection solution — meaning a SAP-specific threat vector detection solution.

Visit us at IBM InterConnect 2017 to learn more and discuss other measures to safeguard SAP systems at your company.

More from

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

14 min read - This article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen and Kat Metrick. IBM X-Force researchers have been tracking developments to the WailingCrab malware family, in particular, those relating to its C2 communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT. WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an initial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab…

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

Pentesting vs. Pentesting as a Service: Which is better?

5 min read - In today's quickly evolving cybersecurity landscape, organizations constantly seek the most effective ways to secure their digital assets. Penetration testing (pentesting) has emerged as a leading solution for identifying potential system vulnerabilities while closing security gaps that can lead to an attack. At the same time, a newer entrant into the security arena is Pentesting as a Service (PTaaS). Although PTaaS shares some similarities with pentesting, distinct differences make them two separate solutions. This article will discuss how these methodologies…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today