Hacking SAP CRM by chaining 2 flaws in SAP NetWeaver AS Java (Security Affairs)

Security experts at ERPScan explained that by chaining two recently patched flaws it is possible to hack SAP CRM systems and access sensitive data.

Security experts at ERPScan discovered that by chaining the exploits for two security vulnerabilities in SAP Application Server Java, both patched last month, an attacker can hack customer relationship management (CRM) systems.

CRMs are critical business systems used to manage sensitive data such as clients’ personal information, prices, and contact points.

The flaws are a directory traversal issue and a log injection vulnerability; their combination could lead to information disclosure, privilege escalation, and full compromise of SAP CRM installations.

Considered individually, the flaws are not particularly severe: they received CVSS v3 base scores of 6.3 and 7.7 respectively.

“The security researchers at ERPScan identified directory traversal and log injection vulnerabilities in the solution. The two issues in combination lead to information disclosure, privilege escalation, and complete SAP systems compromise. The two vulnerabilities can wreak havoc in any company running SAP CRM.” explained Vahagn Vardanyan, senior security researcher at ERPScan.


According to ERPScan, there are more than 500 SAP CRM systems exposed online.

The experts described the full attack scenario, which is composed of the following steps:

  1. An attacker uses the first directory traversal vulnerability to read administrator credentials in an encrypted form.
  2. He or she decrypts the credentials, since the algorithm is known and the key is stored in the same directory. More about decrypting SecStore can be found here.
  3. The attacker logs in to the SAP CRM portal.
  4. The attacker exploits another directory traversal vulnerability and changes the SAP log file path to the application root path.
  5. Finally, using a special request, he or she can inject malicious code (a web shell) into the log file and call it anonymously from a remote web server.
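Both weaknesses in the chain above have well-understood defensive checks: confining every user-supplied file path to an allowed base directory (which blocks steps 1 and 4), neutralising line breaks before request data is written to a log (which blocks step 5), and scanning existing access logs for traversal sequences, including percent-encoded ones. The following Python code is an added example written for this article; it is not code from ERPScan or SAP. The base directory, the log line format, the client addresses and the request paths are all constructed for illustration, and the `config?logPath=` endpoint is hypothetical.

```python
"""Defensive checks for path traversal and log injection.

Added example, not ERPScan's or SAP's code. The base directory,
log lines and endpoint names below are constructed for illustration.
"""
import os
import re
import urllib.parse
from typing import List, Optional, Tuple

# Constructed base directory that user-supplied paths must stay inside.
BASE_DIR = "/opt/app/public"


def fully_unquote(value: str) -> str:
    """Percent-decode until the string stops changing, so that
    double-encoded sequences such as %252e%252e are not missed."""
    decoded = urllib.parse.unquote(value)
    while decoded != urllib.parse.unquote(decoded):
        decoded = urllib.parse.unquote(decoded)
    return decoded


def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical path for user_path if it stays inside base_dir,
    otherwise None. Canonicalising with realpath collapses '..' segments
    (and symlinks) before the containment check, which is what makes the
    check robust against traversal sequences."""
    base = os.path.realpath(base_dir)
    decoded = fully_unquote(user_path)
    # Strip leading separators so an absolute path cannot replace the base.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/\\")))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def sanitize_log_field(value: str) -> str:
    """Escape CR, LF and other control characters before a request-supplied
    value is written to a log, so the value cannot start a new log line or
    smuggle arbitrary bytes into the log file."""
    return re.sub(r"[\x00-\x1f\x7f]", lambda m: "\\x%02x" % ord(m.group()), value)


# Common-log-format style line: client, identity, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")

# Constructed sample access-log lines (the logPath endpoint is hypothetical).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2018:10:00:00 +0000] "GET /app/docs/readme.txt HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2018:10:00:01 +0000] "GET /app/../../conf/secrets.properties HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2018:10:00:02 +0000] "GET /app/%2e%2e/%2e%2e/conf/secrets.properties HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2018:10:00:03 +0000] "GET /app/config?logPath=..%2F..%2Fwebroot%2Faccess.log HTTP/1.1" 302',
    '10.0.0.7 - - [01/Jan/2018:10:00:04 +0000] "GET /app/index.html HTTP/1.1" 200',
]


def find_traversal_attempts(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, client_ip, decoded_request) for every line whose
    request target (path or query) contains a traversal sequence after
    percent-decoding. Lines that do not match the log format are skipped."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue
        decoded = fully_unquote(match.group("path"))
        if TRAVERSAL_RE.search(decoded):
            hits.append((number, match.group("ip"), decoded))
    return hits


if __name__ == "__main__":
    print("allowed :", resolve_within(BASE_DIR, "docs/readme.txt"))
    print("blocked :", resolve_within(BASE_DIR, "%2e%2e/%2e%2e/etc/passwd"))
    print("escaped :", sanitize_log_field("agent\r\nINJECTED LINE"))
    for number, ip, request in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt on line %d from %s: %s" % (number, ip, request))
```

The containment check deliberately decodes before canonicalising: an application that compares the raw string against `..` but decodes later (or twice) is exactly the kind of filter that encoded traversal sequences slip past. The scanner applies the same decoding to logged request targets, so a single rule catches raw, encoded and double-encoded attempts in both the path and the query string.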

ERPScan shared details of the vulnerabilities with SAP, helping it develop the security patches.

ERPScan researchers disclosed details of the vulnerabilities during a talk at the Troopers security conference. The researchers explained how remote attackers can chain the flaws to read any file on an unpatched SAP CRM system without authentication.

SAP urged customers to apply the updates; further information is available on a website published by ERPScan.

Pierluigi Paganini

(Security Affairs – SAP CRM)
