The most critical among the flaws were found to involve core HANA TrexNet interfaces. Those interfaces facilitate communication between servers in high-availability situations and are key to supporting large businesses.
The findings are particularly concerning since HANA has continued to grow in importance in the enterprise and, because it supports a very wide swath of third-party mobile apps, is becoming the foundation for all SAP applications.
“HANA is not something that's going under the radar,” Onapsis CTO Juan Perez-Etchegoyen told SCMagazine.com Thursday, adding that it is the “most important product of SAP.” Perez-Etchegoyen said Onapsis's recent findings are troubling not only in how critical many of them are but also “in the high number effected and different attack vectors.”
While SAP has issued patches for most, six of the eight critical vulnerabilities are not patchable and require users to reconfigure systems to mitigate them. If organisations let these vulnerabilities go unchecked, unauthenticated attackers could gain control of their SAP HANA systems and wreak havoc by stealing or manipulating information and disrupting business operations by taking systems offline.
“If organisations don't properly secure configurations, then applications running on HANA could be compromised,” said Perez-Etchegoyen. "The risk is so high, it cannot be ignored.”
The Onapsis CTO stressed that Onapsis is not releasing a zero-day. “Just because there's no patch, it doesn't mean it's a zero day, he said, explaining that SAP has been responsive. “We have had fluid communications with them.”
Perez-Etchegoyen urged chief information security officers (CISOs) to follow Onapsis's recommendations to secure their systems. Primarily, organisations that are running in a high-availability environment should reconfigure TrexNet communications, which are critical to SAP HANA's operation. Onapsis recommended that TrexNet communications be isolated from end users and ensure it can't be accessible through another network. In cases where a single SAP HANA instance is deployed, then the TrexNet interfaces should be listening only on the localhost network interface.
Onapsis also encouraged CISOs to monitor user activity, especially looking for suspicious activity in HTTP traffic and SQL and HTTP logs. Security professional should include SAP in their information security strategies to continuously monitor both SAP and SAP HANA and send preventative and corrective data to SIEM and GRC tools in real time.