
SAP Afaria Flaw Allowed Attackers to Wipe Mobile Devices

Researchers have disclosed the details of several serious SAP Afaria vulnerabilities that have been patched by the vendor.

Afaria is a mobile device management (MDM) solution developed by Germany-based enterprise software maker SAP. With roughly 6,300 enterprises using it to manage more than 130 million mobile devices, SAP Afaria is the most popular MDM solution on the market.

Researchers at ERPScan, a company that specializes in protecting SAP and Oracle business-critical ERP systems, identified a series of Afaria vulnerabilities that they had initially planned on disclosing at the Black Hat Asia conference in late March. However, the talk was pulled after SAP failed to release patches in time, and the details of the vulnerabilities were disclosed on Thursday at the Hacker Halted conference in Atlanta.

The most critical of the vulnerabilities identified and reported by ERPScan is an authorization bypass that allowed malicious actors to attack the mobile phones managed by organizations via SAP Afaria.

Afaria allows administrators to perform various actions remotely by sending out an SMS to the mobile devices they manage. These actions include wiping the device, locking it, and disabling its Wi-Fi.

These messages are signed to prevent abuse, but experts determined that attackers could have sent malicious administrative messages to employee mobile phones by forging the SHA256 hash used as an authentication string.

There were only two pieces of information that the attacker needed to obtain in order to send malicious commands from the Afaria server to mobile devices: the phone number and the International Mobile Station Equipment Identity (IMEI) number.
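The underlying design weakness is an authentication string that anyone holding the same inputs can recompute. The example below is added here and is not Afaria's actual message format or ERPScan's code; it contrasts an assumed unkeyed SHA-256 over phone number and IMEI with an HMAC bound to a server-side secret and to the command itself, using constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for this illustration, not data from the article.
PHONE = "+15555550123"
IMEI = "356938035643809"


def weak_signature(phone: str, imei: str) -> str:
    """Assumed illustration of the flawed pattern: an unkeyed SHA-256 over
    values that can be obtained without any secret. Whoever knows the phone
    number and IMEI can recompute it, so it authenticates nothing."""
    return hashlib.sha256(f"{phone}|{imei}".encode()).hexdigest()


def keyed_signature(key: bytes, phone: str, imei: str, command: str) -> str:
    """Hardened form: HMAC-SHA256 under a per-server secret. The command is
    part of the message so a tag issued for 'lock' is not valid for 'wipe'."""
    msg = f"{phone}|{imei}|{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def weak_verify(phone: str, imei: str, sig: str) -> bool:
    # compare_digest avoids timing leaks; it does not fix the missing key.
    return hmac.compare_digest(weak_signature(phone, imei), sig)


def keyed_verify(key: bytes, phone: str, imei: str, command: str, sig: str) -> bool:
    return hmac.compare_digest(keyed_signature(key, phone, imei, command), sig)


def demo() -> dict:
    """Checks which verifier accepts a tag produced by a party that knows
    phone and IMEI but does not hold the server secret."""
    server_key = secrets.token_bytes(32)  # held only by the MDM server
    # Without the key, only the unkeyed hash can be reproduced.
    no_key_sig = hashlib.sha256(f"{PHONE}|{IMEI}".encode()).hexdigest()
    legit_sig = keyed_signature(server_key, PHONE, IMEI, "wipe")
    return {
        "weak_accepts_without_key": weak_verify(PHONE, IMEI, no_key_sig),
        "keyed_rejects_without_key": not keyed_verify(server_key, PHONE, IMEI, "wipe", no_key_sig),
        "keyed_accepts_legit": keyed_verify(server_key, PHONE, IMEI, "wipe", legit_sig),
        "keyed_rejects_command_swap": not keyed_verify(server_key, PHONE, IMEI, "lock", legit_sig),
    }
```

A real deployment would additionally use a per-device key and a nonce or counter so that a captured valid message cannot be replayed.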

Alexander Polyakov, CTO of ERPScan, told SecurityWeek that an external attacker can obtain phone numbers from the targeted company’s website or through social engineering. The IMEI, which is a bit more difficult to obtain, can be collected by sniffing the organization’s GSM traffic from a location near the target’s offices, the expert said.

On the other hand, it would have been far easier for a malicious insider to launch such attacks. Phone numbers are in many cases available on the company’s internal portals, and multiple IMEIs can be determined based on a single IMEI.

“Usually, companies buy a batch of mobile devices, so their IMEIs are almost the same; only a few characters are different. This fact facilitates brute-forcing. So, knowing his or her IMEI, one can find out the IMEIs of other employees’ devices, generate the signature and send administrative messages to each mobile phone in the organization,” ERPScan explained.

Once they obtained phone numbers and IMEIs, attackers, whether they were insiders or from outside the company, could have sent malicious SMS messages to lock devices or wipe them.

This security hole was reported to SAP on March 12 and it was patched two months later.

Another serious vulnerability found by ERPScan researchers in SAP Afaria is a persistent (stored) cross-site scripting (XSS) flaw affecting the product’s administrative console. Since this service is often exposed to the Internet, an attacker could have remotely injected malicious JavaScript code into the console, and it would have executed as soon as an administrator logged in.

In theory, attackers could have leveraged this flaw to take control of all mobile devices and send them a piece of malware, ERPScan said.

“If an attacker gets control over an employee’s mobile device, not only the MDM solution is compromised. Business applications (such as ERP, CRM, HR, BI, and others) are highly connected, which allows attackers to escalate privileges in the network easily; thus he gets access to corporate systems which store and process all mission-critical data,” the security firm explained.

The stored XSS was reported to SAP in February and it was patched in August.

In addition to these two vulnerabilities, ERPScan also identified a couple of buffer overflows, a missing authorization issue, and several hardcoded encryption keys in SAP Afaria.

ERPScan reported that the number of vulnerabilities affecting SAP mobile solutions has increased over the past years. The company identified one flaw in 2013, 21 flaws in 2014, and 16 so far in 2015.


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.