SAP HANA is a business-critical application used by more than 10,000 customers. Onapsis, a security firm, warns that all of these customers are at risk of being hacked because of vulnerabilities in different versions of the application. In a report released this week, Onapsis detailed the vulnerabilities and issued advisories. The vulnerabilities include critical security bugs. One high-risk flaw the firm observed is a User Brute Force Attack in the application that could grant an attacker access to confidential business information.
Onapsis claims that an unknown unauthorized person exploiting this bug could gain administrator privileges on the application's systems and modify database information. The vulnerability, according to Onapsis, has a CVSS v3 score of 9.0.
There are two high-risk Arbitrary Audit Injection flaws affecting SAP HANA. One of them is through HTTP requests, and the other is through the SQL protocol. If exploited, both flaws could give an attacker authority over audit logs and let them hide evidence of any attack on the system. Onapsis also discovered remote code execution flaws in the application. These flaws could allow a hacker to access and change indexed information in the SAP HANA system.
Companies have different ways of implementing SAP HANA. The implementation method determines what an attacker gathers from a hack. The hacker could get access to critical information such as product pricing, customer data, supply chains, business intelligence, business plans and forecasts, employee information, and financial statements.
Onapsis also discovered a critical remote code execution flaw in SAP TREX. A malicious hacker could use the security flaw to access and edit indexed information in the SAP system. Onapsis said that this flaw has a CVSS v3 score of 10.0.
Onapsis also exposed additional high-risk flaws in SAP TREX, including an Arbitrary File Write that could let an attacker access and modify information indexed by the SAP system. Other high-risk flaws found in SAP TREX are Remote Directory Traversal and Remote File Read flaws, which could allow a remotely located unauthorised person to access arbitrary information about the business in the SAP system.
Sebastian Bortnik, Onapsis’ Head of Research, said that what makes the set of advisories they published unique is that the vulnerabilities discovered are often undervalued. “The methods in which these attacks can be executed are not obvious and can even go unnoticed.” He went on to explain how an attacker can exploit an error message that contains information about the general environment of the system, including users’ data.
SAP has released a set of security patches for July 2016. The patches fix 21 vulnerabilities discovered in June. The set of patches released in June fixed ten flaws, including a flaw as old as five years that was responsible for hacks in 36 organizations worldwide.