Details on New Critical Cyber Security Vulnerabilities on HANA-Based Applications

As released earlier today, we’ve published 21 new security advisories detailing unprecedented vulnerabilities affecting all SAP HANA based applications, including SAP S/4HANA and SAP Cloud Solutions running on HANA. Among these are eight “critical risk” vulnerabilities, six of them comprising by-design vulnerabilities in SAP HANA, which require system configuration changes in order to be mitigated. Without these changes, unauthenticated attackers could take full control of vulnerable SAP HANA systems, including stealing, deleting or changing business information, as well as taking the platform offline to disrupt key business processes. This is the first time that advisories with the highest level of criticality, combined with the largest number of vulnerabilities, have been issued for SAP HANA.

As the next-generation database and application platform for the world’s most widely used business software, organizations use SAP HANA to transform transactions, analytics, text analysis, predictive and spatial processing so businesses can operate in real-time. SAP HANA is also the foundation for SAP’s Cloud Platform and allows businesses to quickly build, extend, and integrate modern mobile enabled business apps.

These vulnerabilities pose a potential risk to thousands of SAP customers running different versions of SAP HANA, including several Forbes Global 2000 companies across all industries, such as oil and gas, pharmaceuticals, government and other key sectors.

Quantifying risk in business-critical systems should consider the following three aspects, which are valid for any type of system:

  1. How much sensitive information is stored inside them
    • This is commonly referred to as ‘sensitive records’, which could consist of personal information, credit card data and trade secrets.
  2. The cost of fixing a breach affecting some portion of these records
    • This includes IT costs for fixing the affected systems, legal expenses including compensation to affected third parties, and the number of records that were compromised.
  3. The business cost of losing that information
    • This is the most difficult aspect to measure and includes things such as trade secrets being sold to competitors, business disruption and strategic information being leaked.

Our analysis includes the following key observations:

  • By default, any installation of SAP HANA up to version SPS7 ships with the TrexNet interface open to the external network. In versions after SPS7 the interface is no longer open to the external network; however, it still does not implement any encryption or authentication mechanism.
  • After SPS10, SAP introduced SSL authentication, which requires additional configuration effort to work properly. Organizations that do not configure their SAP HANA environments so that these interfaces communicate with each other on an isolated network, separate from the external one, and that do not implement transport-level encryption and authentication between the SAP HANA systems, remain exposed to these flaws.
  • Critical unauthenticated remote command execution flaws exist in the HANA XS engine and the HANA MDS component, potentially leading to a full system compromise, remotely and without any access credentials. Information stored on internet-connected systems could be exposed to any attacker who can reach the HANA system through a browser. Both cloud-based and on-premise systems could be affected.
  • If the SAP HANA system is not properly patched, an attacker using nothing more than a web browser could, remotely and without authentication, retrieve technical HANA traces, potentially disclosing user passwords and leading to a full system compromise.
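The two configuration weaknesses described above (TrexNet listening on the external network, and internal traffic without transport-level encryption or authentication) can be checked for in a system's global.ini. The following is an added example written for this page, not Onapsis or SAP code; it assumes the `[communication]` section keys `listeninterface` (`.global` / `.internal` / `.local`) and `ssl` (`off` / `on` / `systempki`) as laid out in the HANA global.ini, which should be verified against the security guide for your SPS level, and the two INI fragments are constructed samples.

```python
"""Audit a SAP HANA global.ini fragment for the TrexNet exposure and
missing internal encryption/authentication described in the advisory.
Assumed keys: [communication] listeninterface and ssl."""
import configparser

# Constructed sample: default-style configuration with both weaknesses present.
WEAK_INI = """
[communication]
listeninterface = .global
ssl = off
"""

# Constructed sample: interfaces bound to the isolated internal network and
# internal communication protected by the system PKI.
HARDENED_INI = """
[communication]
listeninterface = .internal
ssl = systempki
"""


def audit_trexnet(ini_text: str) -> list:
    """Return a list of findings; an empty list means no weakness was detected."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    if not cfg.has_section("communication"):
        # No explicit section means installation defaults apply; flag it for review
        # rather than silently assuming the defaults are safe.
        return ["no [communication] section: defaults apply, verify listeninterface and ssl"]
    # Assumption: a missing key is treated as the weakest (default-like) value.
    iface = cfg.get("communication", "listeninterface", fallback=".global").strip().lower()
    ssl = cfg.get("communication", "ssl", fallback="off").strip().lower()
    findings = []
    if iface == ".global":
        findings.append("listeninterface=.global: TrexNet reachable from the external network")
    if ssl == "off":
        findings.append("ssl=off: internal traffic has no encryption or authentication")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_trexnet(ini) or ["OK"])
```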

Eight ‘critical risk’ advisories released for SAP HANA detail the following:

Note: Our Research Team determines our CVSS scores based on the technical specifications of the vulnerabilities that are submitted to SAP, and strongly considers the real impact to the business.

  • SAP HANA Remote Code Execution (HTTP Login based)
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could completely compromise the system, and would be able to access and manage any business-relevant information or processes.
    • Onapsis CVSS: 10
    • Vendor CVSS: 9.8
  • SAP HANA Remote Code Execution (SQL Login based)
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could completely compromise the system, and would be able to access and manage any business-relevant information or processes.
    • Onapsis CVSS: 10
    • Vendor CVSS: 9.8
  • SAP HANA TrexNet Remote Command Execution
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could completely compromise the system and would be able to access and manage any business-relevant information or process.
    • Onapsis CVSS: 10
    • Vendor CVSS: 6.6
  • SAP HANA TrexNet Remote Python Execution
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could completely compromise the system, and would be able to access and manage any business-relevant information or processes.
    • Onapsis CVSS: 10
    • Vendor CVSS: 6.6
  • SAP HANA TrexNet Remote Directory Deletion
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could delete business-relevant information from the SAP HANA System and could also render the system unavailable.
    • Onapsis CVSS: 9.4
    • Vendor CVSS: 6.6
  • SAP HANA TrexNet Remote File Deletion
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could delete any business-relevant information from the SAP HANA System, affecting the integrity of the data, as well as potentially rendering the system unavailable.
    • Onapsis CVSS: 9.4
    • Vendor CVSS: 6.6
  • SAP HANA TrexNet Remote File Move
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could relocate information stored in the SAP HANA System so that it becomes easily accessible. This could also render the system unavailable due to an inconsistent file system.
    • Onapsis CVSS: 9.4
    • Vendor CVSS: 6.6
  • SAP HANA TrexNet Remote File Write
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could overwrite business-relevant information in the SAP HANA System and could also render the system unavailable due to corrupted data.
    • Onapsis CVSS: 9.4
    • Vendor CVSS: 6.6

It is imperative that the industry starts getting serious about SAP cybersecurity. This set of critical vulnerabilities is one of the most profound that we’ve reported in terms of the damage that an unauthenticated attacker could cause an organization. If exploited, any business information stored or managed by an SAP HANA-based system could be extracted, tampered with and deleted, including customer data, product pricing, financial statements, employee information, supply chains, business intelligence, intellectual property, budgeting, planning and forecasting. Furthermore, the system could be completely shut down by an attacker.

Six ‘high risk’ advisories released for SAP HANA detail the following:

  • SAP HANA TrexNet Remote Process Kill
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could render the SAP HANA system completely unavailable due to a system shutdown. Any business process or information hosted in the system would become unavailable.
    • Onapsis CVSS: 8.5
    • Vendor CVSS: 6.6
  • SAP HANA TrexNet Remote Denial of Service
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could render the SAP HANA system completely unavailable due to a system shutdown. Any business process or information hosted in the system would become unavailable.
    • Onapsis CVSS: 8.5
    • Vendor CVSS: 6.6
  • SAP HANA TrexNet Remote File Read
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could read arbitrary business-relevant information from the SAP HANA System.
    • Onapsis CVSS: 7.8
    • Vendor CVSS: 6.6
  • SAP HANA EXECUTE_SEARCH_RULE_SET Stored Procedure Memory Corruption
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could read arbitrary business-relevant information from the SAP HANA System.
    • Onapsis CVSS: 7.8
    • Vendor CVSS: 6.8
  • SAP HANA TrexNet Remote Directory Copy
    • Business Risk: By exploiting this vulnerability a remote authenticated attacker could render the SAP HANA Platform unavailable to other users until the next process restart.
    • Onapsis CVSS: 7.5
    • Vendor CVSS: 6.6
  • SAP HANA TrexNet Remote File Copy
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could copy business-relevant information from the SAP HANA System, making it easily accessible, and could also render the system unavailable.
    • Onapsis CVSS: 7.5
    • Vendor CVSS: 6.6

Seven ‘medium risk’ advisories released for SAP HANA detail the following:

Note: many of our CVSS scores are lower than the one provided by SAP because SAP fixed these vulnerabilities in a single SAP Security Note, which carries a “general” CVSS of 6.6.

  • SAP HANA TrexNet Remote Directory Creation
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could render the system unavailable and potentially overwrite information.
    • Onapsis CVSS: 6.4
    • Vendor CVSS: 6.6
  • SAP HANA TrexNet Remote File Creation
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could potentially render the system unavailable.
    • Onapsis CVSS: 6.4
    • Vendor CVSS: 6.6
  • SAP HANA TrexNet Remote Environment Disclosure
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could obtain technical information that could be used to facilitate a targeted attack.
    • Onapsis CVSS: 5.0
    • Vendor CVSS: 6.6
  • SAP HANA TrexNet Remote Files List
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could obtain technical information of the SAP HANA System which could help facilitate further attacks against the system.
    • Onapsis CVSS: 5.0
    • Vendor CVSS: 6.6
  • SAP HANA TrexNet Remote Traces List
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could obtain technical information of the SAP HANA System which could help to facilitate further attacks against the system.
    • Onapsis CVSS: 5.0
    • Vendor CVSS: 6.6
  • SAP HANA TrexNet TNS Information Disclosure
    • Business Risk: By exploiting this vulnerability, an unauthenticated attacker could obtain technical information of the SAP HANA System which could help facilitate further attacks against the system.
    • Onapsis CVSS: 5.0
    • Vendor CVSS: 6.6
  • SAP HANA Remote Trace Disclosure
    • Business Risk: By exploiting this vulnerability in the SAP HANA Platform a remote unauthenticated attacker could read remote logs containing technical information about the system which could help facilitate further attacks against the system.
    • Onapsis CVSS: 5.0
    • Vendor CVSS: 5.0

Members of the Onapsis Research Labs discovered all vulnerabilities detailed above. Our Research team was the first to identify and work with SAP to help fix vulnerabilities on HANA, and has released over 250 advisories to date, with over 35 affecting SAP HANA. Additionally, members of our Research Labs have consulted on impact with over 180 Onapsis enterprise customers, and regularly present at leading security and SAP conferences around the world.

In PDF form, each advisory details the business-context relevance of an identified vulnerability, including impact on a business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes. Each advisory also includes Initial Base CVSS v2 and CVSS v3 scores.

Onapsis advises its customers to apply the following fixes recommended by SAP for the below security notes: 2197428, 2197397, 2165583, 2175928 and 2148854.

All advisories can be downloaded here: https://www.onapsis.com/research/security-advisories

Also, our Research Labs will be delivering a webcast on Nov. 12th at 9am ET and 2pm ET to outline the risks, detail the vulnerabilities and provide insight into the recommended actions to safeguard SAP systems: https://www.onapsis.com/news-and-events/webcasts/A-Deep-Dive-Into-SAP-HANA.
