SAP vulnerabilities can take servers offline

Eight bugs found in SAP products can have serious consequences for vulnerable systems.

Eight vulnerabilities have been found in SAP products which can lead not only to information leaks, but also the possibility of taking entire servers offline.


On Wednesday, security researchers from Positive Technologies said the bugs were found in a variety of SAP solutions, including Web Dynpro Flash Island -- a development component used to create SAP web applications -- the SAP Composite Application Framework Authorization Tool, and the SAP Enterprise Portal, putting companies worldwide that use these widely deployed products at risk.

One of the most severe bugs, caused by the absence of XML validation, was discovered in Web Dynpro Flash Island. It enabled attackers to perform an XML External Entity (XXE) attack without authenticating and to obtain local files from the SAP server, such as private encryption keys and other business-critical data.

The vulnerability could also be utilized to perform a denial-of-service (DoS) attack to take the server offline.

Another vulnerability was discovered in the SAP Enterprise Portal. Again, an absence of XML validation allowed attackers to obtain local files from the SAP server.

This could lead to the theft of information including private encryption keys, operating system password hashes, and sensitive corporate data.

"Attackers outside of the local network could not gain network access to the OS and database, but could try to use these credentials to hack accounts on other open services or perform a DDoS attack," the researchers note.

An XSS vulnerability was also uncovered in the SAP Enterprise Portal styleservice, and a second XSS bug was also found in the SAP NetWeaver Monitoring application.

In addition, the security team discovered an information disclosure security flaw in the SAP NetWeaver Business Process Management (BPM) solution, which businesses use to jointly compose executable processes using standardized notation.

The same lack of XML validation was present in the SAP Composite Application Framework Authorization Tool, and two further instances were found in the SAP NetWeaver Web Services Configuration UI. These issues can allow threat actors not only to read files hosted on the servers and steal administration credentials, but also to escalate privileges.
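The root cause the article returns to in each of these cases is an XML endpoint that accepts a DTD, so an external entity can pull a local file into the response and a nested-entity declaration can exhaust the parser. The following is an added illustration, not code from the article, from Positive Technologies or from SAP: a Python parser built on the standard-library expat bindings that refuses the DTD constructs XXE and entity-expansion DoS depend on, with constructed sample requests (the element names and the placeholder file path are assumptions) that show a benign document being accepted and the two hostile shapes being rejected before any entity is resolved.

```python
import xml.parsers.expat as expat

class UnsafeXMLError(ValueError):
    pass  # document uses DTD features that enable XXE or entity-expansion DoS
def parse_without_dtd(xml_bytes: bytes) -> dict:
    """Parse with expat but refuse DOCTYPE, entity declarations and external
    entity references; returns {tag: text} for leaf elements carrying text."""
    parser = expat.ParserCreate()
    stack, fields = [], {}
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declaration not allowed")
    def on_entity_decl(*_args):
        raise UnsafeXMLError("entity declaration not allowed")
    def on_external_entity(context, base, system_id, public_id):
        return 0  # 0 aborts the parse instead of fetching the referenced resource
    def start(name, attrs):
        stack.append((name, []))
    def chars(data):
        if stack:
            stack[-1][1].append(data)
    def end(name):
        tag, parts = stack.pop()
        text = "".join(parts).strip()
        if text:
            fields[tag] = text
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate here
    return fields

def check_request(xml_bytes: bytes) -> str:
    """Gatekeeper for an inbound XML request: 'accepted' or 'rejected: <reason>'."""
    try:
        parse_without_dtd(xml_bytes)
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"rejected: malformed XML ({exc})"
    return "accepted"
# Constructed sample requests (not from the article or from SAP); the file path is a placeholder.
SAFE_REQUEST = b'<?xml version="1.0"?><request><user>jdoe</user><report>Q3</report></request>'
XXE_REQUEST = (b'<?xml version="1.0"?><!DOCTYPE request [<!ENTITY ext SYSTEM '
               b'"file:///placeholder/local/file">]><request><user>&ext;</user></request>')
DOS_REQUEST = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "aaaa">'
               b'<!ENTITY b "&a;&a;&a;&a;">]><r>&b;&b;&b;&b;</r>')
```

Because the DOCTYPE handler fires before any entity is declared or expanded, both hostile documents are rejected at the same point, which is the behaviour a patched endpoint should exhibit regardless of what the entity would have referenced.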

The bugs were discovered earlier this year and have been addressed in recent security patches issued by SAP.

"SAP Product Security Response Team collaborates frequently with several research companies like Positive Technologies to ensure a responsible disclosure of vulnerabilities," a SAP spokesperson told ZDNet. "All vulnerabilities in question have been fixed, and security patches are available for download on the SAP Support Portal. We strongly advise our customers to secure their SAP landscape by applying the relevant SAP security notes from the SAP Support Portal immediately."

Organizations running these products should make sure they are up to date to avoid having their systems compromised.