Latest threats target key administration capabilities for SAP HANA and allow remote attackers to access restricted functionality to gain access to any organization’s secure information
August 1, 2014
PRESS RELEASE
Cambridge, MA - July 30, 2014 – Onapsis, Inc., a leading provider of solutions and research to audit and mitigate advanced threats targeting business-critical applications including Enterprise Resource Planning (ERP), Supply Chain Management (SCM), Finance and Accounting, Human Capital Management and Business Intelligence (BI), has released six new security advisories for SAP users. With more than 250,000 SAP installations in 188 countries, numerous organizations across the world could be impacted by the highlighted vulnerabilities.
The security advisories come from Onapsis Research Labs, which continuously investigates, detects and reports exploitable vulnerabilities. The advisories enable vendors to prioritize patches and updates, while Onapsis customer and partner communities benefit from real-time analysis. Onapsis security advisories, together with vendor patches and security notes, are available for download to provide vendors and end-users with the information to mitigate advanced threats.
Onapsis Research Labs experts will be at Black Hat USA 2014 in Las Vegas from August 2-7 (booth #1131) to brief front-line security practitioners on the latest SAP advisories and discuss best practices for mitigating advanced threats. Onapsis customers will gain deep insight into the advisories from the Onapsis Security Research team during the company’s exclusive annual customer advisory council on August 4 at the MGM Grand.
“We advise all SAP users to review our advisories and ensure that their systems are protected from the latest threats,” said Juan Perez-Etchegoyen, CTO of Onapsis. “Ignored vulnerabilities may compromise SAP systems, but as experts in business critical application security we work to secure and protect systems while continuously monitoring for future vulnerabilities. Our customers receive instant access to fixes and have an advantage over other organizations that fail to protect their ‘Crown Jewels’.”
The following advisories have been released by experts at Onapsis Research Labs to alert vendors and user communities of the cyber-security risks affecting their business critical systems. Administrators, owners and users can sign up for alerts.
1. Multiple cross-site scripting vulnerabilities in SAP HANA XS Administration Tool
· Onapsis risk level assessment: Medium (two out of four)
· Initial Base CVSS v2: 4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N)
· Affected components: SAP HANA XS Administration Tool, a web application used to administer and maintain the HANA XS Engine
· Details: Functions within SAP HANA XS Administration Tool do not sufficiently encode or filter output parameters, resulting in a reflected cross-site scripting vulnerability. A reflected cross-site scripting attack can be used to temporarily deface or modify displayed content for targeted users of the website.
· Solution: SAP has released SAP Note 1993349 to provide patched versions of the affected components
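The root cause named in advisory 1 is a reflected parameter written into the response without output encoding. The block below is an added illustration of that defect class and its fix, not code from Onapsis or from the SAP HANA XS Administration Tool; the function names, the template strings and the sample inputs are constructed for this example and do not use the HANA XS API.

```javascript
// Added example (not Onapsis or SAP code): contextual output encoding for a
// reflected request parameter, the defect class described in advisory 1.
// All names and sample inputs are constructed for illustration.

// Every character with meaning in an HTML text or attribute context is mapped
// to an entity, so reflected input is rendered as literal text, never as markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the parameter is concatenated straight into the response
// body, so markup characters in it are interpreted by the victim's browser.
function renderUnsafe(appName) {
  return '<p>Application: ' + appName + '</p>';
}

// Hardened pattern: the same parameter is encoded for the HTML text context
// before it is placed in the response.
function renderSafe(appName) {
  return '<p>Application: ' + escapeHtml(appName) + '</p>';
}

// Regression check suitable for a test suite: if an input containing markup
// characters appears verbatim in the rendered page, the encoder was bypassed
// or not applied on that path.
function reflectsRawMarkup(html, input) {
  return /[<>"']/.test(input) && html.includes(input);
}

// Constructed sample inputs: a benign name and one carrying markup characters.
const samples = ['Sales Dashboard', 'Sales <b>Dashboard</b> & "Reports"'];
for (const s of samples) {
  console.log('unsafe:', renderUnsafe(s), '| reflects markup:', reflectsRawMarkup(renderUnsafe(s), s));
  console.log('safe  :', renderSafe(s), '| reflects markup:', reflectsRawMarkup(renderSafe(s), s));
}
```

The encoder is only correct for the HTML text and quoted-attribute contexts; a value placed inside a script block, a URL or a CSS rule needs the encoder for that context, which is why the check in `reflectsRawMarkup` is a regression guard rather than a substitute for encoding at every output point.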
2. SAP HANA UI5 SDK authentication bypass
· Onapsis risk level assessment: Medium (two out of four)
· Initial Base CVSS v2: 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)
· Affected components: SAP HANA Extended Application Services
· Details: SAP HANA Extended Application Services (XS) based applications can be set to have ‘public’ access (i.e. no authentication required). Even when this configuration is changed to ‘non-public’ in the SAP HANA UI5 SDK application, no authentication is required to access these applications, which remain publicly accessible.
· Solution: SAP has released SAP Note 1964428 to provide patched versions of the affected components
3. SAP HANA XS missing encryption in form-based authentication
· Onapsis risk level assessment: Low (one out of four)
· Initial Base CVSS v2: 2.9 (AV:A/AC:M/AU:N/C:P/I:N/A:N)
· Affected components: SAP HANA Extended Application Services
· Details: SAP HANA Extended Application Services (XS) based applications can be configured to use form-based authentication over SSL. When this configuration is set, the authentication mechanism does not properly enforce the required level of encryption. SAP HANA therefore does not enforce any encryption in form-based authentication, enabling anonymous users to obtain information such as valid credentials from captured network traffic and gain access to the system.