Critical risk identified in SAP HANA: Onapsis

Application security provider Onapsis has released 15 security advisories affecting SAP HANA and SAP TREX, which include two “critical risk” vulnerabilities.

“This set of advisories is unique as most of the vulnerabilities attackers can leverage are undervalued, meaning the way in which they can be exploited is not always obvious and can go undetected. For example, one of the critical vulnerabilities that can be exploited creates an error message which includes sensitive information about its environment, users or associated data,” said Sebastian Bortnik, head of research, Onapsis.

The critical risk affecting SAP HANA could expose systems to a user brute-force attack, which allows a remote unauthenticated attacker to obtain high privileges on the HANA system, gain unrestricted access to any business information and modify arbitrary database information.

The advisory also identified a critical risk to SAP TREX systems, a remote command execution vulnerability allowing an unauthenticated attacker to access and modify any information indexed by the SAP system.

Other “high risk” vulnerabilities affecting SAP HANA included arbitrary audit injections via HTTP requests and SQL protocol, which would enable attackers to tamper with audit logs, and a potential remote code execution vulnerability.

In response to the advisories, an SAP spokesperson commented: “SAP Product Security Response Team collaborates frequently with research companies like Onapsis to ensure a responsible disclosure of vulnerabilities. All SAP HANA and Trex vulnerabilities disclosed in Onapsis’ current press release have been fixed already and published between August 2015 and January 2016. Security patches are available for download on the SAP Service Marketplace. We strongly advise our customers to secure their SAP landscape by applying the available security patches from the SAP Service Marketplace immediately.”

The advisories are available at www.onapsis.com/research/security-advisories.