As announced earlier today, we've published 21 new security advisories detailing unprecedented vulnerabilities affecting all SAP HANA-based applications, including SAP S/4HANA and SAP Cloud Solutions running on HANA. Among these are eight "critical risk" vulnerabilities, six of which are by-design vulnerabilities in SAP HANA that require system configuration changes in order to be mitigated.
In honor of National Cyber Security Awareness Month, we're kicking off a new blog series focused entirely on securing SAP HANA. In this series, we will discuss everything from what SAP HANA is, to newly discovered vulnerabilities, security best practices, and recommendations for remediation. Today, we'll start with a blog post meant to educate the security professional about the SAP HANA Platform.
As many of you know, the Onapsis Research Labs regularly releases security advisories detailing the latest known vulnerabilities in SAP applications. Recently, our team discovered 10 new vulnerabilities that affect SAP HANA. Among these are two "high risk" vulnerabilities which could be used to abuse management interfaces, access corporate data, modify any system configuration, and render systems unusable.
Today Onapsis released new security advisories detailing vulnerabilities in SAP Mobile. Included in the security advisories are three “high risk” vulnerabilities which could be used to gain access to sensitive business information within organizations that rely on SAP Mobile.
2014 has been an incredible year for SAP security. Advanced threats targeting SAP systems that run business-critical applications are rising at an alarming rate. This year alone there have been 391 security notes to date, with 46% ranking as 'high priority' vulnerabilities. Out of these, our Research Labs reported 44 new vulnerabilities and 35 advisories affecting SAP platforms and related products such as SAP HANA, BusinessObjects, and SAP Business Suite running CRM and ERP.
This week, SAP AG published a hot news item titled "SAP Security Note 2067859 (Potential Exposure to Digital Signature Spoofing)", which alerts users to a potential vulnerability in certain cryptographic libraries used in SAP NetWeaver Application Server ABAP and SAP HANA. By abusing these libraries, an attacker could potentially spoof digital signatures produced by vulnerable systems, i.e., successfully masquerade as a legitimate user.
An SAP landscape is complex and ever-evolving, whether through changes introduced to your SAP implementation to better serve the business or through newly disclosed vulnerabilities targeting SAP products. To provide a predictable, scheduled flow of security, vulnerability and mitigation information, SAP releases its latest Security Notes and security information about its products on the second Tuesday of every month.
In previous posts we presented a variety of approaches to SAP security assessment. Today we will address a more complex path an attacker might follow. To understand what is going on, we must first dive deeper into some SAP concepts and components.
The SAP Management Console (SAP MC) is the centralized system management component. It allows you to monitor and control each SAP instance, and to display log and trace files, profiles and other parameters. You can also monitor system alerts and view detailed information about memory usage and processes in the system (e.g. Java VM® garbage collection and heap memory).