ERPScan security researchers have disclosed details of two vulnerabilities that, when chained together, enabled hackers to compromise SAP CRM systems, gaining access to business-critical data and customers’ personal information, opening organisations to substantial monetary and reputational losses.
The vulnerabilities in SAP Netweaver AS Java, an application platform that is part of SAP CRM, were both patched by SAP last month but the deadly combination of the two vulnerabilities was not fully understood until almost two years after ERPScan initially alerted SAP of the original issue.
Each vulnerability alone was not considered particularly severe, receiving CVSS v3 base scores of 6.3 and 7.7; however, when combined, they could lead to information disclosure, privilege escalation and complete compromise of SAP systems, according to ERPScan.
“It takes nothing to exploit these vulnerabilities,” said Vahagn Vardanyan, senior security researcher, ERPScan. “Perpetrators can remotely read any file in SAP CRM without authentication. We scanned the Internet and found nearly 500 SAP servers that are prone to it,” he said.
The ERPScan researchers, who discussed the vulnerabilities in a talk ‘SAP BUGS: The Phantom Security’ at the latest annual Troopers security conference in Heidelberg, identified the two vulnerabilities in SAP Netweaver AS Java as directory traversal and log injection vulnerabilities.
The researchers shared details of the security issues, explained how they can be exploited, and outlined the attack scenario:
- Attacker uses the first directory traversal vulnerability to read administrator credentials in an encrypted form.
- Attacker decrypts the credentials, since the algorithm is known and the key is stored in the same directory.
- Attacker logs into the SAP CRM portal.
- Attacker exploits the second directory traversal vulnerability and changes the SAP log file path to the web application root path.
- Attacker uses a special request to inject malicious code (a web shell) into the log file and calls it anonymously from a remote web server.
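As an added defensive illustration (not ERPScan's or SAP's code), the following Python shows the two server-side checks that break the last two steps of the chain above: refusing a configured log-file path that resolves outside the log directory or into the web root, and neutralizing control characters in request data before it is written to a log, so injected input cannot forge a log line. The directory paths and sample inputs are constructed assumptions, not values from the advisory.

```python
import os
import re

# Constructed example locations; a real deployment reads these from its own config.
LOG_DIR = "/usr/sap/CRM/log"
WEB_ROOT = "/usr/sap/CRM/webroot"

# Any ASCII control character, including CR, LF and NUL, is encoded before logging.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def _is_inside(path: str, directory: str) -> bool:
    """True if `path` is `directory` itself or lies beneath it (both already normalized)."""
    return os.path.commonpath([path, directory]) == directory


def validate_log_path(requested: str, log_dir: str = LOG_DIR, web_root: str = WEB_ROOT) -> str:
    """Resolve a requested log-file path and return it only if it stays within the log directory.

    Relative paths are taken relative to `log_dir`; absolute paths are used as given.
    `..` segments are collapsed before the containment checks, so a traversal such as
    `../webroot/x.jsp` is rejected rather than silently written next to the web application.
    """
    resolved = os.path.abspath(os.path.join(log_dir, requested))
    if _is_inside(resolved, web_root):
        raise ValueError(f"log path {resolved!r} resolves into the web root")
    if resolved == log_dir or not _is_inside(resolved, log_dir):
        raise ValueError(f"log path {resolved!r} is outside the log directory")
    return resolved


def neutralize_log_field(value: str) -> str:
    """Encode control characters as \\xNN so client-supplied data cannot start a new log line."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def build_log_line(client: str, request_path: str, status: int) -> str:
    """Assemble one log line from request fields, neutralizing every client-controlled value."""
    return f"{neutralize_log_field(client)} {neutralize_log_field(request_path)} {status}"


if __name__ == "__main__":
    print(validate_log_path("crm/app.log"))
    for bad in ("../webroot/shell.jsp", "/usr/sap/CRM/webroot/shell.jsp", ".."):
        try:
            validate_log_path(bad)
        except ValueError as err:
            print("rejected:", err)
    print(build_log_line("10.0.0.5", "/sap/bc/x?q=a\r\nforged line", 200))
```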
Commenting on the issue, an SAP spokesperson said, “SAP Product Security Response Team collaborates frequently with research companies like ERPScan to ensure a responsible disclosure of vulnerabilities. All vulnerabilities in question have been fixed using security notes 2547431 and 2565622. Both security notes were released as part of February patch day. We strongly advise our customers to secure their SAP landscape by applying the available security patches immediately.”
To help SAP customers protect their critical assets against this security issue, ERPScan has prepared a special resource with details of the vulnerabilities and an overview of the attack process, including a video demonstration: https://erpscan.com/research/hacking-sap-crm/.