Flaw in PwC Security Tool Exposes SAP Systems to Attacks

Researchers discovered what they believe to be a critical vulnerability in a PwC product designed for securing SAP systems, but the vendor has downplayed the risk of attacks.

Experts at ESNC, a Germany-based company that specializes in SAP security, found the remote code execution vulnerability in PwC’s Automated Controls Evaluator (ACE) tool. ACE, which is designed to analyze SAP security settings and identify potential weaknesses, requires two ABAP (Advanced Business Application Programming) files to be installed and run on the production SAP system, which is why a flaw in the tool itself puts that production system at risk.

According to an advisory published by ESNC, the ACE software vulnerability can be exploited to remotely inject and execute malicious ABAP code on the targeted SAP system.

“Based on the business processes implemented on the SAP systems on which ACE is installed, this security vulnerability may allow an attacker to e.g. manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions,” researchers said in an advisory. “This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money.”

An attack can be launched from the local network and possibly even from the Internet. ESNC researcher Ertunga Arsal told SecurityWeek that the attacker needs to be authenticated on the SAP system in order to exploit the flaw.

“Exploitation is pretty straightforward,” Arsal said. “Malicious ABAP shellcode may be pasted to the vulnerable text input field of the PwC ABAP application to exploit it in its simplest form. It can also be executed via the Internet if the SAP system has public interfaces and ITS services such as WebGui are enabled.”
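Neither the advisory excerpts above nor the article show the vulnerable code. As an added illustration of the general ABAP code-injection class ESNC describes (free text from a screen field compiled and executed as ABAP), the following program was written for this page; it is not PwC ACE code and makes no claim about how ACE is built. The program name, parameter name, subroutine names and the S_DEVELOP authorization check are hypothetical choices for the example.

```abap
*&---------------------------------------------------------------------*
*& Hypothetical illustration of ABAP code injection and its fix.
*& Not PwC ACE code; all names below are invented for this example.
*&---------------------------------------------------------------------*
REPORT z_abap_inject_demo.

* The "text input field": a free-text selection-screen parameter.
PARAMETERS: p_text TYPE c LENGTH 255 LOWER CASE.

*----------------------------------------------------------------------*
* VULNERABLE: untrusted text is turned into source code and executed.
* Whatever is pasted here runs with the calling user's SAP authorizations.
*----------------------------------------------------------------------*
FORM run_vulnerable USING iv_text TYPE clike.
  DATA: lt_src  TYPE STANDARD TABLE OF string,
        lv_prog TYPE syrepid,
        lv_msg  TYPE string.

  APPEND 'PROGRAM zsubpool.' TO lt_src.
  APPEND 'FORM payload.'     TO lt_src.
  APPEND iv_text             TO lt_src.   " <-- injection point
  APPEND 'ENDFORM.'          TO lt_src.

  " Compiles the table into a temporary program at runtime.
  GENERATE SUBROUTINE POOL lt_src NAME lv_prog MESSAGE lv_msg.
  IF sy-subrc = 0.
    PERFORM payload IN PROGRAM (lv_prog).
  ELSE.
    WRITE: / 'Generation failed:', lv_msg.
  ENDIF.
ENDFORM.

*----------------------------------------------------------------------*
* HARDENED: no code is ever generated from input. The input is only a
* selector into a fixed set of actions, and authorization is explicit.
*----------------------------------------------------------------------*
FORM run_hardened USING iv_action TYPE clike.
  " Hypothetical authorization check; pick the object that fits your scenario.
  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' DUMMY
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  DUMMY
    ID 'P_GROUP'  DUMMY
    ID 'ACTVT'    FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE 'Not authorized' TYPE 'E'.
  ENDIF.

  " Allow-list dispatch: unknown input reaches no code path at all.
  CASE to_upper( iv_action ).
    WHEN 'LIST_USERS'.
      PERFORM list_users.
    WHEN 'LIST_PROFILES'.
      PERFORM list_profiles.
    WHEN OTHERS.
      MESSAGE 'Unknown action' TYPE 'E'.
  ENDCASE.
ENDFORM.

" Static, read-only actions; the user's text never appears in a statement.
FORM list_users.
  DATA lt_users TYPE STANDARD TABLE OF usr02-bname.
  SELECT bname FROM usr02 INTO TABLE lt_users UP TO 20 ROWS.
  LOOP AT lt_users INTO DATA(lv_user).
    WRITE: / lv_user.
  ENDLOOP.
ENDFORM.

FORM list_profiles.
  DATA lt_prof TYPE STANDARD TABLE OF ust04-profile.
  SELECT profile FROM ust04 INTO TABLE lt_prof UP TO 20 ROWS.
  LOOP AT lt_prof INTO DATA(lv_prof).
    WRITE: / lv_prof.
  ENDLOOP.
ENDFORM.

START-OF-SELECTION.
  PERFORM run_hardened USING p_text.
* PERFORM run_vulnerable USING p_text.  " the injectable variant, for comparison
```

The point of the comparison is that there is no safe way to compile free text: if a dynamic fragment is genuinely unavoidable (a WHERE clause, a table name), it has to be constrained with `cl_abap_dyn_prg` (for example `check_whitelist_str` or `quote`) rather than pasted into a source table, and the sink `GENERATE SUBROUTINE POOL` / `INSERT REPORT` fed from external input is exactly the pattern SAP's Code Vulnerability Analyzer and other ABAP static scanners flag. Running such a check over any third-party ABAP programs that land on a production system is the practical takeaway from this report.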

ESNC reproduced the vulnerability, tracked as CVE-2016-9832, on ACE 8.10.304. PwC says the issue has been addressed in the latest version of the tool. Because ACE runs as ABAP programs on the production system, customers who used an affected version should verify that those programs have actually been removed or replaced on production rather than relying solely on having obtained a newer release.

“The code referenced in this bulletin is not included in the current version of the software which is available to limited clients. The bulletin describes a hypothetical and unlikely scenario – we are not aware of any situation in which it has materialized,” a PwC spokeswoman said in an emailed statement.

ESNC noted in its advisory that it received two cease-and-desist letters from PwC’s legal team. However, the vendor said the letters were not related to the security analysis itself.

“ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff,” PwC told SecurityWeek.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
