Vulnerabilities / Threats

11/9/2015
02:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

6 Critical SAP HANA Vulns Can't Be Fixed With Patches

Onapsis releases 21 SAP HANA security advisories, including some Trexnet vulnerabilities that require upgrades and reconfigurations.

Researchers at Onapsis today released an unprecedented 21 security advisories for all SAP HANA-based applications, including eight critical vulnerabilities, six of which cannot be fixed by simple patches.

Collectively, the critical vulnerabilities can be exploited remotely and enable attackers to execute code, move files, delete data, completely compromise the system, access and manage business-relevant data and processes, and render all SAP systems unavailable.

SAP HANA is the in-memory processing technology that powers some of the biggest big-data analytics projects, as well as SAP's other business products, including customer relationship management (CRM), enterprise resource planning (ERP), and product lifecycle management (PLM) systems.

Onapsis CTO Juan Pablo Perez-Etchegoyen says most enterprises are "not just running one SAP product. Typically, they're running the whole suite. ... What happens if one of these systems goes down, when you have so many processes going to this system?"

The impact of an SAP outage or compromise will vary by company and by what SAP applications they use, says Etchegoyen, but one Onapsis customer told him last year that a SAP outage could cost its company $22 million per minute.

Six of the critical vulnerabilities of gravest concern are due to a configuration problem, and therefore cannot be fixed just by patching, he says. They affect the TREXnet protocol, used by the HANA Database's TREX servers -- NameServer, Preprocessor, IndexServer, StatisticsServer, WebDispatcher, XSEngine, or CompileServer -- to communicate with one another. If the TREXnet communication is not secured with authentication, attackers can exploit a variety of vulnerabilities by sending specially crafted packets to these TREX server ports. Those vulnerabilities are:

  • Trexnet remote file write -- override relevant info and render system unavailable due to corrupted data
  • Trexnet remote directory deletion -- delete info and render system unavailable
  • Trexnet remote file deletion -- delete data, affect integrity, and potentially render system unavailable
  • Trexnet file move -- relocate info stored in system so it's easy to access; it could also potentially render the system unavailable due to a non-integral file system
  • Trexnet remote command execution -- completely compromise the system and would be able to access and manage any business-relevant information or processes, execute commands with admin privileges
  • Trexnet remote Python execution -- completely compromise the system and would be able to access and manage any business-relevant information or processes; executing arbitrary Python modules in SAP HANA with admin privileges

To close those holes, users need to upgrade to the latest version of the software and reconfigure their settings to enable strong authentication and encryption measures on TREXnet.

There are another two critical vulnerabilities in the HANA Database due to incorrect calculation of buffer size:

  • HTTP remote code execution. By sending specially crafted HTTP packets to SAP HANA XSServer, a remote, unauthenticated attacker could completely compromise the system, access and manage business-relevant information and processes. This could be achieved remotely and potentially through the Internet, affecting on-premise and cloud-based HANA solutions.
  • SQL remote code execution. By sending specially crafted packets to SQL interfaces, attackers could compromise the platform, executing arbitrary code or performing a denial of service attack, completely compromise system, access and manage business-relevant information and processes.

In addition to the critical ones, Onapsis' release also contains six high-severity and seven medium-severity vulnerabilities.

Exacerbating the problem is the fact that while many of businesses' core processes run on SAP systems, information security teams have very little visibility into these systems and how they're secured, according to Etchegoyen. 

"We still have these two teams separated," says Etchegoyen. "That's something we're trying to evangelize. They need to have more communication between those two teams."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cloud Security's Shared Responsibility Is Foggy
Ben Johnson, Co-founder and CTO, Obsidian Security,  9/14/2017
To Be Ready for the Security Future, Pay Attention to the Security Past
Liz Maida, Co-founder, CEO & CTO, Uplevel Security,  9/18/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.