6 Critical SAP HANA Vulns Can't Be Fixed With Patches
Researchers at Onapsis today released an unprecedented 21 security advisories for all SAP HANA-based applications, including eight critical vulnerabilities, six of which cannot be fixed by simple patches.
Collectively, the critical vulnerabilities can be exploited remotely and enable attackers to execute code, move files, delete data, completely compromise the system, access and manage business-relevant data and processes, and render all SAP systems unavailable.
SAP HANA is the in-memory processing technology that powers some of the biggest big-data analytics projects, as well as SAP's other business products, including customer relationship management (CRM), enterprise resource planning (ERP), and product lifecycle management (PLM) systems.
Onapsis CTO Juan Pablo Perez-Etchegoyen says most enterprises are "not just running one SAP product. Typically, they're running the whole suite. ... What happens if one of these systems goes down, when you have so many processes going to this system?"
The impact of an SAP outage or compromise will vary by company and by what SAP applications they use, says Etchegoyen, but one Onapsis customer told him last year that a SAP outage could cost its company $22 million per minute.
Six of the critical vulnerabilities of gravest concern are due to a configuration problem, and therefore cannot be fixed just by patching, he says. They affect the TREXnet protocol, used by the HANA Database's TREX servers -- NameServer, Preprocessor, IndexServer, StatisticsServer, WebDispatcher, XSEngine, or CompileServer -- to communicate with one another. If the TREXnet communication is not secured with authentication, attackers can exploit a variety of vulnerabilities by sending specially crafted packets to these TREX server ports. Those vulnerabilities are:
- Trexnet remote file write -- override relevant info and render system unavailable due to corrupted data
- Trexnet remote directory deletion -- delete info and render system unavailable
- Trexnet remote file deletion -- delete data, affect integrity, and potentially render system unavailable
- Trexnet file move -- relocate info stored in system so it's easy to access; it could also potentially render the system unavailable due to a non-integral file system
- Trexnet remote command execution -- completely compromise the system and would be able to access and manage any business-relevant information or processes, execute commands with admin privileges
- Trexnet remote Python execution -- completely compromise the system and would be able to access and manage any business-relevant information or processes; executing arbitrary Python modules in SAP HANA with admin privileges
To close those holes, users need to upgrade to the latest version of the software and reconfigure their settings to enable strong authentication and encryption measures on TREXnet.
There are another two critical vulnerabilities in the HANA Database due to incorrect calculation of buffer size:
- HTTP remote code execution. By sending specially crafted HTTP packets to SAP HANA XSServer, a remote, unauthenticated attacker could completely compromise the system, access and manage business-relevant information and processes. This could be achieved remotely and potentially through the Internet, affecting on-premise and cloud-based HANA solutions.
- SQL remote code execution. By sending specially crafted packets to SQL interfaces, attackers could compromise the platform, executing arbitrary code or performing a denial of service attack, completely compromise system, access and manage business-relevant information and processes.
In addition to the critical ones, Onapsis' release also contains six high-severity and seven medium-severity vulnerabilities.
Exacerbating the problem is the fact that while many of businesses' core processes run on SAP systems, information security teams have very little visibility into these systems and how they're secured, according to Etchegoyen.
"We still have these two teams separated," says Etchegoyen. "That's something we're trying to evangelize. They need to have more communication between those two teams."
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full BioComment |
Print |
More Insights
Comments
Newest First | Oldest First | Threaded View
appreciate
H,
Thanks for the tip, appreciate it. Your article definitely helped me to understand the core concepts.
I'm most excited about the details your article touch based! I assume it doesn't come out of the box, it sounds like you are saying we'd need to write in the handlers ourselves.
Is there any other articles you would recommend to understand this better?
In the HANA migration guide, it is stated to run some consistency checks in FICO (see verbiage below).
I have run these, but I really don't know what I'm looking for - are we running just to make sure they run, running to validate numbers on the reports? Thoughts & guidance are appreciated. Thank you!
3.8 FI/CO: Performing Additional Consistency Checks
To ensure that the source system is consistent, user of Financial Accounting (FI) and Controlling (CO) need to perform some preparatory activities, among others additional consistency checks.
3.2 Product-Specific Preparations of the System Copy Guide, which is mentioned in Further Documentation [page 6].Caution Make sure that no customer data is changed in the meantime. Proceed as follows:
Procedure
1. FI: Run job SAPF190 to perform an additional consistency check. Choose AccountingFinancial AccountingGeneral ledgerPeriodic ProcessingClosingCheck/count. Then choose for○ classic FI: Reconciliation○ new general ledger: Reconciliation (New)
2. FI: You can further check consistency by running the jobs listed below:
○ RFUMSV00 (tax on sales/purchases)
○ RAGITT01 (asset history sheet)
○ RAZUGA01 (asset acquisitions)
○ RAABGA01 (fixed asset retirements)
3. CO: Run the report group 1SIP
Appreciate your effort for making such useful blogs and helping the community.
Thanks a heaps,
Irene Hynes
Thanks for the tip, appreciate it. Your article definitely helped me to understand the core concepts.
I'm most excited about the details your article touch based! I assume it doesn't come out of the box, it sounds like you are saying we'd need to write in the handlers ourselves.
Is there any other articles you would recommend to understand this better?
In the HANA migration guide, it is stated to run some consistency checks in FICO (see verbiage below).
I have run these, but I really don't know what I'm looking for - are we running just to make sure they run, running to validate numbers on the reports? Thoughts & guidance are appreciated. Thank you!
3.8 FI/CO: Performing Additional Consistency Checks
To ensure that the source system is consistent, user of Financial Accounting (FI) and Controlling (CO) need to perform some preparatory activities, among others additional consistency checks.
3.2 Product-Specific Preparations of the System Copy Guide, which is mentioned in Further Documentation [page 6].Caution Make sure that no customer data is changed in the meantime. Proceed as follows:
Procedure
1. FI: Run job SAPF190 to perform an additional consistency check. Choose AccountingFinancial AccountingGeneral ledgerPeriodic ProcessingClosingCheck/count. Then choose for○ classic FI: Reconciliation○ new general ledger: Reconciliation (New)
2. FI: You can further check consistency by running the jobs listed below:
○ RFUMSV00 (tax on sales/purchases)
○ RAGITT01 (asset history sheet)
○ RAZUGA01 (asset acquisitions)
○ RAABGA01 (fixed asset retirements)
3. CO: Run the report group 1SIP
Appreciate your effort for making such useful blogs and helping the community.
Thanks a heaps,
Irene Hynes
White Papers
Video
1 Comments
Current Issue
5 Emerging Cyber Threats to Watch for in 2019Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Developing Secure Applications
IT security and application development are disparate processes that are increasingly coming together. Here's a look at how that's happening.
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2019-11469
PUBLISHED: 2019-04-23
PUBLISHED: 2019-04-23
PUBLISHED: 2019-04-23
PUBLISHED: 2019-04-22
PUBLISHED: 2019-04-22
From DHS/US-CERT's National Vulnerability Database CVE-2019-11469
PUBLISHED: 2019-04-23
Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.
CVE-2013-7470PUBLISHED: 2019-04-23
cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled, allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different vulnerability than CVE-2013-0310.
CVE-2019-11463PUBLISHED: 2019-04-23
A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive through 3.3.3 allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo.
CVE-2019-0218PUBLISHED: 2019-04-22
A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
CVE-2019-11383PUBLISHED: 2019-04-22
An issue was discovered in the Medha WiFi FTP Server application 1.8.3 for Android. An attacker can read the username/password of a valid user via /data/data/com.medhaapps.wififtpserver/shared_prefs/com.medhaapps.wififtpserver_preferences.xml
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2019 UBM, All rights reserved
Tweet This