TREX loophole closed in latest patch


Mathieu Geli, ERPScan

A security glitch in TREX, a NetWeaver search engine deployed in over a dozen SAP products including SAP HANA, has been closed in a recent patch.

The vulnerability, which according to security research firm ERPScan is one of the most widespread and severe SAP server-side issues so far, was originally discovered in SAP HANA in 2015, with a fix released in SAP Security Note 2234226 shortly thereafter.

However, further testing by ERPScan’s head of SAP Threat Intelligence, Mathieu Geli, later revealed that the vulnerability could still be exploited. Because TREXNet, an internal communication protocol used by TREX, did not provide an authentication procedure, the door was still open to attacks on numerous SAP applications via the insecure protocol.

“I reversed a protocol for HANA and then for the TREX search engine. As they share a common protocol, the exploit has been easily adapted. SAP fixed some features, but not everything affecting the core protocol. It was still possible to get full control on the server even with a patched TREX,” Geli said.

The vulnerability, which allows an attacker to forge a special request to the TREXNet ports to read OS files or create files, has now been patched via SAP Security Note 2419592.

On the issue, an SAP spokesperson said, “SAP collaborates frequently with research companies such as ERPScan to ensure a responsible disclosure of vulnerabilities. The vulnerabilities in question have been fixed by SAP and the patches have been made available for download. For details please visit the SAP Product Security Response page. Our recommendation to all our customers is to implement SAP security patches as soon as they are available – typically on the second Tuesday of every month. Timely security patching of SAP systems is the best policy to protect SAP infrastructure from attacks.”
