A total of eight bugs found in SAP products lead to serious consequences for vulnerable systems.
Eight vulnerabilities have been found in SAP products which can lead not only to information leaks, but also the possibility of taking entire servers offline.
On Wednesday, security researchers from Positive Technologies said the bugs were found in a variety of SAP solutions, including the Web Dynpro Island development — which is used to create SAP web applications — the SAP Composite Application Framework Authorization Tool, and the SAP Enterprise Portal, all of which could be potentially dangerous to companies worldwide which use the popular products.
One of the most severe bugs, caused due to an absence of XML validation, was discovered in Web Dynpro Flash Island, which enabled hackers to perform an XML External Entity (XXE) attack, without the need to authenticate, and obtain local files on the SAP server such as private encryption keys and other business-critical data.
The vulnerability could also be utilized to perform a denial-of-service (DoS) attack to take the server offline.
Another vulnerability was discovered in the SAP Enterprise portal. An absence of XML validation allowed attackers obtain local files on the SAP server.
This could lead to information being stolen included private encryption keys, hashes for operating system passwords, and sensitive corporate data.
“Attackers outside of the local network could not gain network access to the OS and database, but could try to use these credentials to hack accounts on other open services or perform a DDoS attack,” the researchers note.
In addition, the security team discovered an information disclosure security flaw in the SAP NetWeaver Business Process Management (BPM) solution, which businesses use to jointly compose executable processes using standardized notation.
The same kind of XML validation lack was present in the SAP Composite Application Framework Authorization Tool and a further two were embedded in the SAP NetWeaver Web Services Configuration UI.