Researchers discovered what they believe to be a critical vulnerability in a PwC product designed for securing SAP systems, but the vendor has downplayed the risk of attacks.
Experts at ESNC, a Germany-based company that specializes in SAP security, found the remote code execution vulnerability in PwC’s Automated Controls Evaluator (ACE) tool. The ACE product, which is designed to analyze SAP security settings and identify potential weaknesses, requires two ABAP (Advanced Business Application Programming) files to be run on the production system.
According to an advisory published by ESNC, the ACE software vulnerability can be exploited to remotely inject and execute malicious ABAP code on the targeted SAP system.
“Based on the business processes implemented on the SAP systems on which ACE is installed, this security vulnerability may allow an attacker to e.g. manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions,” researchers said in an advisory. “This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money.”
An attack can be launched from the local network and possibly even from the Internet. ESNC researcher Ertunga Arsal told SecurityWeek that the attacker needs to be authenticated on the SAP system in order to exploit the flaw.
“Exploitation is pretty straightforward,” Arsal said. “Malicious ABAP shellcode may be pasted to the vulnerable text input field of the PwC ABAP application to exploit it in its simplest form. It can also be executed via the Internet if the SAP system has public interfaces and ITS services such as WebGui are enabled.”
ESNC reproduced the vulnerability, tracked as CVE-2016-9832, on ACE 8.10.304. The issue has been addressed by PwC in the latest version of the tool.
“The code referenced in this bulletin is not included in the current version of the software which is available to limited clients. The bulletin describes a hypothetical and unlikely scenario – we are not aware of any situation in which it has materialized,” a PwC spokeswoman said in an emailed statement.
ESNC noted in its advisory that it received two cease-and-desist letters from PwC's legal team. However, the vendor said the letters were not related to the security analysis itself.
“ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff,” PwC told SecurityWeek.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.