Understanding the SAP HANA User Self Service Vulnerabilities
CNBC Discusses Business Impact for SAP Users
As part of our commitment to protect our customers’ business critical applications and key business data, the Onapsis Research Labs continuously analyze threats and attack vectors affecting SAP applications. As a result of these proactive efforts, we have identified multiple vulnerabilities that could be leveraged by attackers to perform two critical attacks in SAP HANA, depending on the active services. These attacks consist of a full system compromise without any type of previous authentication.
While SAP has provided a patch for these vulnerabilities, we understand that organizations may not be able to implement this patch immediately, or to take a system offline to configure it. In the meantime, the following document serves as a workaround to mitigate or reduce risk to your SAP HANA environment.
Frequently Asked Questions about the SAP HANA User Self Service Vulnerability
Q1: How critical are these vulnerabilities?
A1: These attacks range from a full system compromise without any type of previous authentication, to a privilege escalation attack where an attacker already has a low-privilege user and can gain access to the most powerful user in the database. Critical data and information (e.g., financial information, PII, credit cards, HR and customer data, and business trade secrets) can be stolen, altered or deleted by an attacker. It is important to mention that none of these attacks need any interaction from the SAP HANA administrator users.
Q2: How do I know if I am exposed?
A2: The following list details the affected HANA 2 and HANA versions:
- SAP HANA SPS 12 (newDB rel 1.00.121.00.1466466057)
- SAP HANA 2 SPS0 (newDB rel 2.00.000.00.1479874437)
- SAP HANA SPS11 (1.00.110.144775), released in November 2015
- SAP HANA SPS10 (1.00.101.00.1435831848), released in June 2015
- SAP HANA SPS09 (1.00.91.1418659308), released in November 2014
It is important to note that these vulnerabilities affect a specific HANA component called “HANA User Self Service”. Fortunately, this component is not enabled by default when installing HANA. Therefore, the first thing to do is to check whether this component is being used or not in your environment.
Hopefully you will find that the component is not active on your organization’s HANA systems, and therefore you will not be at risk today. If you need assistance in checking this, you can contact our SAP experts for help.
In any case, we highly recommend implementing the security patches released by SAP as soon as possible, as this component may be enabled in the future.
Q3: Where can I find the patches released by SAP?
A3: Organizations can protect themselves by applying the SAP Security Notes below, which contain mitigation steps for 10 vulnerabilities (requires SAP login):
- SAP Security Note #2424173
- SAP Security Note #2429069
Q4: What data and processes can be compromised if these vulnerabilities are exploited?
A4: The attacker can log in to the SAP HANA system as the SYSTEM user. The SYSTEM user is the most powerful user in the platform, and has unrestricted access to the entire SAP HANA application. Once logged in, the attacker has full control of the system and is able to access and modify any information available, as well as to break the application and disrupt any business process running on HANA.
Q5: How did the Onapsis Research Labs discover these vulnerabilities?
A5: As part of Onapsis’ commitment to protect SAP and Oracle business-critical applications from the latest cyber threats, the Onapsis Research Labs analyzes SAP and Oracle solutions, working to identify and help eliminate security risks that may be endangering our customers’ businesses. Based on our customers’ and partners’ strategic initiatives, the SAP HANA and HANA 2 platforms fall under these continuous risk assessment efforts, which analyze multiple components. After analyzing these services, our team identified multiple vulnerabilities that could be leveraged by attackers to perform critical attacks, depending on the active services.
Q6: What is SAP HANA 2?
A6: “SAP HANA 2 is the new generation of the SAP HANA platform. It offers new functionalities for database management, data management, analytical intelligence, and application development, and was designed specifically with companies embracing the digital transformation in mind”
Q7: Have these vulnerabilities been exploited at any SAP customers?
A7: We have no evidence of these vulnerabilities being exploited in the wild to date, unlike the case related to the recent DHS US-CERT Alert. However, the vulnerabilities have been present in SAP HANA versions since at least October 2014, which increases the likelihood of them having been discovered and weaponized to target SAP customers.
Q8: How are these vulnerabilities more critical than others released for SAP HANA?
A8: These vulnerabilities are more critical based on the level of access to the system an attacker could achieve. By exploiting these vulnerabilities, an attacker could perform a full system compromise through HTTP(S) without any type of previous authentication, and could also perform a privilege escalation attack where an attacker already has a low-privileged user and can gain access to the most powerful user in the database.
Q9: How do I mitigate these vulnerabilities in my SAP landscape?
A9: Organizations should implement the corresponding security notes #2424173 and #2429069. If for some reason you cannot implement the referenced security notes, you can disable the User Self Service functionality, if business processes allow that. If you are able neither to implement the security notes nor to disable the functionality, then you would need to deploy the Onapsis Security Platform to detect and prevent these vulnerabilities being exploited in your HANA environment.
Q10: Is there a way to detect if my organization has been compromised through these attacks?
A10: The Onapsis Security Platform is able to detect and prevent active exploitation of these vulnerabilities in SAP HANA systems. If you are concerned that these vulnerabilities may have been targeted in your environment, please contact Onapsis for more details.
Q11: Why is Onapsis not disclosing technical details of these vulnerabilities?
A11: Onapsis follows coordinated disclosure practices and works closely with SAP to allow SAP customers adequate time to patch affected systems. Onapsis may provide more technical information to the market in the future.
SAP’s Response to the Vulnerability Submission
Q12: When did you notify SAP about these vulnerabilities and how quickly did they patch?
A12: The Onapsis Research Labs reported these vulnerabilities to SAP in January. SAP worked diligently to patch the vulnerabilities and remained in constant communication with Onapsis to confirm they fully understood the technical aspects in order to create the correct patch. Below, you can see a timeline and dates of correspondence between Onapsis and SAP.
- January 2017: Onapsis Submits Vulnerabilities to SAP
- March 14, 2017: SAP Releases Security Notes #2424173 and #2429069
SAP has greatly reduced the time to patch over the past year for vulnerabilities identified by Onapsis. We also want to highlight that these particular patches have been released significantly quicker than SAP’s average time to patch, demonstrating SAP’s commitment and improvements in responding to threats once they become aware of them.
About Onapsis’ HANA cybersecurity expertise
Q13: How many vulnerabilities in SAP HANA has the Onapsis Research Labs helped SAP fix to date?
A13: As the leading SAP partner in cybersecurity, Onapsis has reported to SAP, and helped secure, over 80 security vulnerabilities in SAP HANA. This accounts for over 70% of the total SAP HANA security patches released to date.
Q14: How does the Onapsis Research Labs work with SAP?
A14: When the Onapsis Research Labs identifies a potential weakness, we immediately notify SAP so they can begin fixing the vulnerability. The Onapsis Research Labs provides all necessary information to the vendor in order to confirm they have what they need to produce the patch.
Q15: Are Onapsis customers protected from these vulnerabilities?
A15: Yes, Onapsis customers have received early notification about these vulnerabilities since January, after we reported the vulnerabilities to SAP. Furthermore, our Research Labs developed an Advanced Threat Protection (ATP) solution for these vulnerabilities in our product, the Onapsis Security Platform, so that customers could be protected while the patches were being developed and could then implement them on their systems.