Researchers at Onapsis today released an unprecedented 21 security advisories for all SAP HANA-based applications, including eight critical vulnerabilities, six of which cannot be fixed by simple patches.
Collectively, the critical vulnerabilities can be exploited remotely and enable attackers to execute code, move files, delete data, completely compromise the system, access and manage business-relevant data and processes, and render all SAP systems unavailable.
SAP HANA is the in-memory processing technology that powers some of the biggest big-data analytics projects, as well as SAP's other business products, including customer relationship management (CRM), enterprise resource planning (ERP), and product lifecycle management (PLM) systems.
Onapsis CTO Juan Pablo Perez-Etchegoyen says most enterprises are "not just running one SAP product. Typically, they're running the whole suite. ... What happens if one of these systems goes down, when you have so many processes going to this system?"
The impact of an SAP outage or compromise will vary by company and by what SAP applications they use, says Etchegoyen, but one Onapsis customer told him last year that a SAP outage could cost its company $22 million per minute.
Six of the critical vulnerabilities of gravest concern are due to a configuration problem, and therefore cannot be fixed just by patching, he says. They affect the TREXnet protocol, used by the HANA Database's TREX servers -- NameServer, Preprocessor, IndexServer, StatisticsServer, WebDispatcher, XSEngine, or CompileServer -- to communicate with one another. If the TREXnet communication is not secured with authentication, attackers can exploit a variety of vulnerabilities by sending specially crafted packets to these TREX server ports. Those vulnerabilities are:
To close those holes, users need to upgrade to the latest version of the software and reconfigure their settings to enable strong authentication and encryption measures on TREXnet.
There are another two critical vulnerabilities in the HANA Database due to incorrect calculation of buffer size:
In addition to the critical ones, Onapsis' release also contains six high-severity and seven medium-severity vulnerabilities.
Exacerbating the problem is the fact that while many of businesses' core processes run on SAP systems, information security teams have very little visibility into these systems and how they're secured, according to Etchegoyen.
"We still have these two teams separated," says Etchegoyen. "That's something we're trying to evangelize. They need to have more communication between those two teams."
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio