ERP News

These 8 SAP bugs could knock your servers offline


Businesses using SAP products need to be aware of these 8 security flaws; the results for those who aren't could be devastating.

A report from enterprise security firm Positive Technologies reveals that its research team found eight different vulnerabilities in SAP software in early 2017.

The most serious of the flaws, the absence of XML validation in the Web Dynpro Flash Island development environment, received a Common Vulnerability Scoring System (CVSS) score of 7.5 (out of 10). That flaw allows a hacker to perform an XML external entity (XXE) attack, giving them access to files on the compromised server.

Encryption keys and other critical information could be stolen in an XXE attack of that kind, and it also opens the door to a denial of service (DoS) attack.

Those concerned will be relieved to learn that all of the flaws Positive Technologies found were patched by SAP earlier this year. That doesn’t matter, however, if the server isn’t updated.

The baleful eight

As mentioned above, the most serious flaw discovered in SAP software was the absence of XML validation in the Web Dynpro Flash Island development environment, which is used for building SAP web apps.

That’s hardly the only problem, though: There are seven more that merit mentioning.

  • Absence of XML validation in SAP Composite Application Framework Authorization Tool: Could allow an attacker to access all files on a server, steal administrator credentials, and escalate user privileges.
  • Two separate instances of the absence of XML validation in SAP NetWeaver Web Services Configuration UI: Both could allow an attacker to access all files on a server, steal administrator credentials, and escalate user privileges. They could also give an inside attacker access to operating system password hashes, secure storage files, and SAP encryption keys.
  • Absence of XML validation in SAP Enterprise Portal: Could give an inside attacker access to operating system password hashes, secure storage files, and SAP encryption keys.
  • Information disclosure flaw in Business Process Management: Could give an attacker access to SAP user lists.
  • XSS vulnerability in SAP Enterprise Portal styleservice: Could allow for injection of malicious scripts.
  • XSS vulnerability in SAP NetWeaver Monitoring application: Could allow for injection of malicious scripts.

How to keep your SAP servers from being knocked offline

The lack of XML validation in Web Dynpro Flash Island, the SAP Enterprise Portal, and the SAP NetWeaver Web Services Configuration UI could all take servers offline: through DoS attacks in the case of the first, and DDoS attacks in the case of the latter two.
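Every flaw in this list comes down to a parser that accepts and resolves DTD constructs in untrusted XML, which is what makes both the file-disclosing XXE attack and the entity-expansion DoS possible. The usual mitigation is to refuse any document that carries a DOCTYPE, entity declaration or external entity reference before it is parsed. The following is an added example of such an intake gate, written for this article in Python's standard library (expat and ElementTree); it is not SAP's code, and the sample documents and the `file:///placeholder/secret` path are constructed for the demonstration.

```python
# Added example: refuse DTD constructs before an untrusted XML document is parsed.
# Standard-library only (expat + ElementTree); not SAP's code.
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXML(ValueError):
    """Document carries a DOCTYPE, entity declaration or external entity reference."""


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, raising UnsafeXML on any DTD construct.

    Pass 1: a bare expat parser whose handlers raise on the first DOCTYPE, entity
    declaration or external reference, so nothing is expanded or fetched.
    Pass 2: parse the vetted bytes into an element tree.
    """
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE rejected (root element {name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration rejected ({name!r})")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference rejected ({sysid!r})")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl          # defence in depth behind the DOCTYPE check
    p.ExternalEntityRefHandler = on_external_ref  # likewise
    p.Parse(data, True)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return 'ok' or the rejection reason; suitable for intake logging."""
    try:
        parse_untrusted(data)
        return "ok"
    except UnsafeXML as exc:
        return str(exc)


# Constructed samples, not taken from any real SAP request.
SAFE = b"<config><service>portal</service></config>"
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///placeholder/secret">]><r>&x;</r>')
EXPANSION = b'<!DOCTYPE r [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><r>&b;</r>'
```

Because the gate raises on the DOCTYPE itself, neither the external entity in `XXE` nor the nested entities in `EXPANSION` are ever resolved, while plain documents such as `SAFE` parse normally.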

Read the full story here.
