SAP NetWeaver CRM flaws could lead to information disclosure

News by Rene Millman

Security researchers have warned that SAP CRM software has a couple of vulnerabilities that could be combined to compromise user data - the flaw is about as "bad as it gets".

Security researchers have warned that SAP CRM software has a couple of vulnerabilitieis that could be combined to compromise user data.

The SAP NetWeaver platform is used for ERP and automation of business processes, and consists of two modules: AS ABAP and AS JAVA. SAP NetWeaver AS ABAP and AS JAVA can work both independently and on one platform.

According to a blog post, researchers at ERPScan said they found a bug in SAP NetWeaver AS Java, an application platform, which is a part of SAP CRM. This was in February 2016. They reported it to the vendor almost immediately, but the vendor had some issues and failed to exploit the vulnerability. In summer 2017, this vulnerability was considered a duplicate. Not so long after that, there supposedly was an incident.

But researchers had actually identified two severe vulnerabilities in SAP NetWeaver AS Java. 

The first security loophole is a Directory traversal vulnerability in Redwood component. It allows reading any file from the system, for example, the files that are named ‘SecStore' contain critical information like administrator password and database credentials in an encrypted form. With the help of this vulnerability, a hacker may read those encrypted credentials remotely, decrypt them, and read any file in a system without authentication.

The second Directory traversal vulnerability in SAP CRM (CVE-2018-2380, SAP Security Note 2547431 CVSS 6.6.) enables creating a file in the system and record there anything you want. An attacker can create a malicious file containing a web-shell and execute it on the server side.

Researchers outlined an attack scenario. First, an ttacker uses the first directory traversal vulnerability to read administrator credentials in an encrypted form. Then they decrypt the credentials since the algorithm is known and the key is stored in the same directory. The attacker logs in SAP CRM portal. The attacker exploits another directory traversal vulnerability and changes SAP log file path to the web application root path. Finally, using special request, he or she can inject a malicious code (a web-shell) into the log file and call it anonymously from a remote web server.

“The impact of the two vulnerabilities is that attackers can take full control of an SAP CRM system and read all wanted information about company's clients,” said researchers.

"It takes nothing to exploit these vulnerabilities. Perpetrators can remotely read any file in SAP CRM without authentication. We scanned the Internet and found nearly 500 SAP servers that are prone to it,"  said Vahagn Vardanyan, senior security researcher at ERPScan.

Researchers said that users must implement the latest SAP patches to protect systems.

Paul Ducklin, senior technologist at Sophos, told SC Media UK that the question shouldn't be, “‘What do I do in the meantime while I go through my patching process?' The question should be, ‘Why am I still unpatched against an information disclosure vulnerability more than a month after the fix came out?'”

“If you still have a change control committee with internal procedures that means it takes you weeks to figure out whether to patch critical security holes, you need a change in your change control committee,” he said.

Nicholas Griffin, senior cyber security specialist at Performanta, told SC Media UK that the flaw is about as “bad as it gets; not only can an attacker gain full access and control of a company's CRM, but they can fully decrypt administrative credentials which may be reused for other systems”. 

“If that wasn't bad enough, they can also install a backdoor onto the CRM system which could be used to launch further attacks, such as phishing or participating in DDoS botnets. Keeping up with vendor-supplied patches is crucial, but a Web Application Firewall (WAF) can also help to mitigate these classes of vulnerabilities. Layering this with a well-managed and proactive security programme for both vulnerability scanning and penetration-testing will help to ensure a good baseline of defence,” he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews