SecurityWeek

Flaw in PwC Security Tool Exposes SAP Systems to Attacks

Researchers discovered what they believe to be a critical vulnerability in a PwC product designed for securing SAP systems, but the vendor has downplayed the risk of attacks.

Experts at ESNC, a Germany-based company that specializes in SAP security, found the remote code execution vulnerability in PwC’s Automated Controls Evaluator (ACE) tool. The ACE product, which is designed to analyze SAP security settings and identify potential weaknesses, requires two ABAP (Advanced Business Application Programming) files to be run on the production system.

According to an advisory published by ESNC, the ACE software vulnerability can be exploited to remotely inject and execute malicious ABAP code on the targeted SAP system.

“Based on the business processes implemented on the SAP systems on which ACE is installed, this security vulnerability may allow an attacker to e.g. manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions,” researchers said in an advisory. “This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money.”

An attack can be launched from the local network and possibly even from the Internet. ESNC researcher Ertunga Arsal told SecurityWeek that the attacker needs to be authenticated on the SAP system in order to exploit the flaw.

“Exploitation is pretty straightforward,” Arsal said. “Malicious ABAP shellcode may be pasted to the vulnerable text input field of the PwC ABAP application to exploit it in its simplest form. It can also be executed via the Internet if the SAP system has public interfaces and ITS services such as WebGui are enabled.”

ESNC reproduced the vulnerability, tracked as CVE-2016-9832, on ACE 8.10.304. The issue has been addressed by PwC in the latest version of the tool.

“The code referenced in this bulletin is not included in the current version of the software which is available to limited clients. The bulletin describes a hypothetical and unlikely scenario – we are not aware of any situation in which it has materialized,” a PwC spokeswoman said in an emailed statement.

ESNC noted in its advisory that it received two cease and desist letters from PwC’s legal team. However, the vendor said the letters were not related to the security analysis itself.

“ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff,” PwC told SecurityWeek.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.