For the first time, Onapsis has released security advisories outlining “critical risk” vulnerabilities – its most serious security risk level – for SAP HANA.
Across 21 advisories, the security firm has identified vulnerabilities affecting all SAP HANA-based applications, including SAP S/4HANA and SAP Cloud solutions running on HANA. Eight of the vulnerabilities are rated “critical risk”, and six of those require system configuration changes to close.
Many of the critical vulnerabilities relate to the core HANA TrexNet interfaces, which orchestrate inter-server communication in high-availability scenarios supporting large-scale businesses.
According to Onapsis, without the required configuration changes, systems are vulnerable to unauthenticated attackers taking control of them to steal, delete or change business information, or to take the platform offline and disrupt key business processes.
“The next big wave of attacks is aimed at business-critical applications running on SAP and Oracle as they are the ultimate economic targets for cyber crime. They are also currently the biggest blind spot for many Chief Information Security Officers (CISOs). SAP-related breaches are increasingly in the spotlight as witnessed in the first widely and publicly reported breach involving USIS, a supplier of OPM and DHS,” said Mariano Nunez, CEO, Onapsis.
There are more than 10,000 SAP customers running HANA in its various forms. SAP has now released security patches and guidelines for customers to ensure their systems are protected.
“It is imperative that the industry starts getting serious about SAP cybersecurity. This set of critical vulnerabilities is one of the most profound that we’ve reported in terms of damage that an unauthenticated attacker could cause an organisation,” said Juan Perez-Etchegoyen, CTO, Onapsis.
“If exploited, any business information stored or managed by an SAP HANA-based system could be extracted, tampered with and deleted, including customer data, product pricing, financial statements, employee information, supply chain, business intelligence, intellectual property, budgeting, planning and forecasting. Furthermore, the system could be completely shut down by an attacker.”
Recommendations for CISOs
According to Onapsis, some of these vulnerabilities cannot be fixed by applying patches and the affected HANA TrexNet service cannot be shut down. A proper reconfiguration of the system is the only fix and must be implemented correctly.
In addition to reviewing the SAP security notes, Onapsis Research Labs recommends SAP clients remedy these issues by completing the following steps:
- Step 1. Correctly configure the TrexNet communications. If running in a high-availability environment, these communications are critical for SAP HANA to work. Make sure that the network where this communication takes place is isolated from end users and not accessible through any other network. Also make sure that proper transport-level encryption and authentication are implemented. If only one SAP HANA instance is deployed, make sure all the TrexNet interfaces are listening on the local host network interface only.
- Step 2. Monitor user activity. Some of the critical vulnerabilities could be exploited by legitimate users and attackers trying to connect to the vulnerable components (SQL and HTTP). Monitor HTTP traffic by looking for suspicious activity. Also analyze both the HTTP and SQL logs by looking for suspicious inputs.
- Step 3. Ensure detection and response measures are in place. Expand your information security strategy to cover SAP, including continuous monitoring of SAP and SAP HANA systems, and deliver real-time preventative, detective and corrective information to existing SIEM or GRC tools.
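As an added illustration of the Step 1 check on a single-node system (example code written for this article, not Onapsis or SAP tooling), the script below parses a constructed global.ini fragment and a constructed `ss -ltn` listing and flags any listener in the instance's port range that is not bound to loopback. It assumes the `[communication]` parameters `listeninterface` (`.local`/`.internal`/`.global`) and `ssl`, and that instance NN uses ports 3NN00-3NN99.

```python
# Added example: audit a single-node HANA host for the Step 1 recommendation.
# Assumptions: global.ini [communication] has "listeninterface" and "ssl";
# instance NN listens on TCP ports 3NN00-3NN99. Input data is constructed.
import configparser

GLOBAL_INI = """\
[communication]
listeninterface = .global
ssl = off
"""

# Constructed `ss -ltn` output for instance 00 (ports 30000-30099).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:30001     0.0.0.0:*
LISTEN 0      128    0.0.0.0:30003       0.0.0.0:*
LISTEN 0      128    *:30015             *:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "::1"}


def instance_port_range(instance_no):
    base = 30000 + 100 * instance_no
    return range(base, base + 100)


def audit_listeners(ss_text, instance_no):
    """Return (address, port) pairs in the instance range not bound to loopback."""
    findings = []
    ports = instance_port_range(instance_no)
    for line in ss_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::1]:port too
        if int(port) in ports and addr.strip("[]") not in LOOPBACK:
            findings.append((addr, int(port)))
    return findings


def audit_config(ini_text):
    """Return human-readable findings for a single-node [communication] section."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    findings = []
    li = cp.get("communication", "listeninterface", fallback=None)
    if li != ".local":
        findings.append(f"listeninterface={li!r}; expected '.local' on a single node")
    if cp.get("communication", "ssl", fallback="off").lower() == "off":
        findings.append("internal communication is not encrypted (ssl=off)")
    return findings
```

On a real host, feed it the actual global.ini and the output of `ss -ltn`; an empty result from both functions is the expected state for a single-node system.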
The remaining critical vulnerabilities, which are not related to the TrexNet protocol, should be patched according to the SAP Security Notes. SAP has issued the following security notes related to the described vulnerabilities: 2165583, 2148854, 2175928, 2197397 and 2197428, and SAP customers should review and apply them as soon as possible.