Serious vulnerabilities were exposed in SAP systems worldwide, leaving them open to business data theft, business process disruption, fraud and many other forms of attack.
ERP Security (ERP-SEC) discovered the vulnerabilities and says they relate directly to SAP's inbound email processing functionality.
Joris van de Vis, ERP-SEC researcher, demonstrated the vulnerabilities at the annual ‘Troopers Security Conference’, which has a special track dedicated to SAP security.
The team worked closely with SAP's Product Security Response Team to resolve and patch the vulnerabilities. As a result, SAP released Security Note 2308217 to mitigate them.
According to SAP's website, Security Note 2308217 is specifically for:
“SAP Web-Survey has an XML external entity vulnerability (CVSS Base Score: 7.5). An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by the XML parser. An attacker can use an XML external entity vulnerability to get unauthorised access to the OS filesystem. Install this SAP Security Note to prevent risks.”
Van de Vis says the percentage of affected customers is unclear, but around 50% use inbound mail capabilities in their SAP systems.
“The impact of these vulnerabilities can be severe for SAP customers that use the inbound mail processing functionality as it can be exploited over the internet and without authentication. In some cases we even managed to completely take over SAP systems by sending just one email to them with a specially crafted attachment,” comments van de Vis.
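The XXE class of bug that the SAP note describes is mitigated by never resolving external entities in XML that arrives from an untrusted channel such as inbound mail. The following is an added example, not SAP's or ERP-SEC's code: a Python pre-parse check, built on the standard library's expat bindings, that lists every external entity an attachment's DTD declares without fetching any of them, and refuses the document if it finds one. The sample attachments and the `file:///PLACEHOLDER/...` system id are constructed for the demonstration.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an inbound XML document declares external entities."""


def scan_for_external_entities(xml_bytes):
    """Return [(entity_name, system_id), ...] for every external entity the
    document's DTD declares, without resolving any of them."""
    found = []
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch an external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # expat passes value=None for external entities (SYSTEM/PUBLIC ids);
        # internal entities carry their literal replacement text instead.
        if value is None:
            found.append((name, system_id))

    parser.EntityDeclHandler = on_entity_decl
    # If content references an external entity, return 1 ("handled") so expat
    # skips it instead of opening the file or URL behind system_id.
    parser.ExternalEntityRefHandler = lambda ctx, base, sys_id, pub_id: 1
    parser.Parse(xml_bytes, True)
    return found


def is_safe_attachment(xml_bytes):
    return not scan_for_external_entities(xml_bytes)


def parse_untrusted_xml(xml_bytes):
    """Parse an attachment only after the DTD scan found no external entities."""
    external = scan_for_external_entities(xml_bytes)
    if external:
        raise UnsafeXMLError("external entity declarations refused: %r" % external)
    return ET.fromstring(xml_bytes)


# Constructed sample attachments (not real SAP or ERP-SEC data).
BENIGN_ATTACHMENT = b"""<?xml version="1.0"?>
<survey><answer>yes</answer></survey>"""

# Declares an external entity; the system id is a placeholder path.
MALICIOUS_ATTACHMENT = b"""<?xml version="1.0"?>
<!DOCTYPE survey [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/host-file"> ]>
<survey><answer>&ext;</answer></survey>"""

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_ATTACHMENT).find("answer").text)
    print(scan_for_external_entities(MALICIOUS_ATTACHMENT))
```

The same scan also flags external parameter entities (`<!ENTITY % name SYSTEM ...>`), since expat reports them through the same declaration handler with no inline value.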