Severe SAP HANA vulnerabilities allow hackers to take full control

Security flaws within the SAP HANA platform include remote exploits leading to full takeovers of systems.


Onapsis has revealed a total of 21 vulnerabilities in the SAP HANA platform including flaws which allow attackers to remotely control victim machines.

Revealed on Monday, the lengthy list of discovered SAP HANA vulnerabilities posted by cybersecurity firm Onapsis includes eight critical flaws and other less serious risks to SAP HANA clients.

The SAP HANA platform is a database management and analytics system for use on-premises or in the cloud by the enterprise. Over 10,000 businesses use the system and so should take note of the critical flaws which are the most dangerous to data and infrastructure and could result in data theft, remote code execution and spying by threat actors.

The critical flaws discovered in the platform impact all SAP HANA-based applications, including SAP S/4HANA and SAP Cloud solutions running on HANA. In total, eight of the flaws are deemed critical, six of them hard-coded by-design vulnerabilities which will need system configuration settings changes to eradicate. Onapsis says:

"Without these changes, unauthenticated attackers could take full control of vulnerable SAP HANA systems, including stealing, deleting or changing business information, as well as taking the platform offline to disrupt key business processes.

This is the first time that advisories with the highest level of criticality, combined with the largest number of vulnerabilities, have been issued for SAP HANA."

In addition, the company has found six high-risk security flaws and seven medium-risk vulnerabilities. The majority of the severe flaws relate to the core HANA TrexNet interfaces which controls inter-server communications within the enterprise.

Unfortunately, TrexNet underpins all SAP applications as well as a mobile app ecosystem, and so a security breach relating to this system could end in disaster for SAP and clients alike. To make matters worse, a number of the vulnerabilities are HTTP based, allowing attackers to remotely break into the platform without any user ID or password.

According to Onapsis, an SAP breach or outage could cost key organizations up to $22 million per minute, including the disruption of manufacturing, the loss of IP and data.

"Exploitation of SAP HANA vulnerabilities could significantly impact the global economy as it presents avenues of attacks for nation-states, economic espionage, financial fraud or sabotage of key business systems," Onapsis states.

Onapsis works closely with German firm SAP to patch up flaws before they become public domain or used against clients. After being notified in February, SAP has released software fixes for the latest public disclosure.

Read on: Top picks