
SAP Fixes Remotely Exploitable Vulnerabilities Affecting Multiple Products

SAP has fixed multiple vulnerabilities, discovered by Core Security researchers, in compression libraries used in several SAP products. Administrators should check the Support Portal for the relevant Security Notes immediately.

Two memory corruption vulnerabilities (CVE-2015-2282, CVE-2015-2278) were found in the compression libraries used by almost all SAP Netweaver products, according to Core Security's advisory released Wednesday. All SAP Netweaver products that expose services on the network or connect to a SAP system are considered vulnerable to remote exploitation. That list includes SAP Netweaver Application Server ABAP and Java, Java and .NET connectors, ABAP development tools, Hana Studio, SAP GUI, SAP Netweaver RFC SDK, SAP RFC SDK, SAP Content Server and SAP CAR/SAR archive tools. Developers who used the open source versions of MaxDB 7.5 and 7.6 for their tools should contact SAP.

The impact varies depending on the product and the actual configuration, but an attacker could potentially take remote control of an SAP system without credentials, Martin Gallo, senior security consultant with Core Security, told SecurityWeek. If successful, the attacker would be able to access the rest of the network as well as all the data stored within the SAP system and other connected third-party systems.

A remote unauthenticated attacker may be able to connect to SAP Netweaver services like Dispatcher or Gateway and send specially crafted packets to trigger the flaw, according to the advisory. These services are not encrypted by default, so an attacker would be able to perform a man-in-the-middle attack by injecting malicious packets. In another scenario, the user may be tricked into opening a specially crafted archive file (.CAR or .SAR) or connecting to a rogue SAP server, which would result in the attacker gaining control of the victim's workstation, Gallo said. Attackers may also disrupt critical business processes by launching a denial-of-service attack against the SAP system.

"This specific vulnerability is critical as memory corruption exploits can be very dangerous for SAP systems as they can take the system entirely offline leaving a company's key business processes and data useless," JP Perez, CTO of Onapsis, told SecurityWeek. Onapsis Research Labs found these attack vectors to be "100% effective," and they have been seen in the wild, Perez said.

Several SAP products and programs use proprietary implementations of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm to compress in-transit data, Core Security said in its advisory. Researchers uncovered a stack-based buffer overflow bug in the decompression routine that writes output characters, and an out-of-bounds read flaw in the decompression routine that performs look-ups of non-simple codes. If triggered, these issues could result in arbitrary code execution and denial of service on the affected SAP system, the advisory said. The vulnerable code has been in these products for more than 15 years, Gallo said.

Core Security's advisory noted the code had a macro in place to check for the stack overflow issue, but it was not sufficient, and many of the vulnerable products and programs were built with this macro disabled.
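As an added illustration of the two bug classes the advisory describes, here is a hypothetical LZW-family decoder (LZC is an LZW variant) written for this article; it is not SAP's code or anything from Core Security's advisory. The push onto the output stack is bounds-checked by a macro that is always compiled in, rather than an optional one, and every code is validated before the dictionary is indexed; the sample code streams are constructed.

```c
#include <stdint.h>
#include <stddef.h>
/* Illustrative LZW-family adaptive-dictionary decoder (LZC is an LZW variant),
 * written for this article as a hypothetical example; it is not SAP's code.
 * 9-bit codes: 0..255 are literals, 256.. are dictionary entries. */
#define MAXCODE 512
#define STACKSZ 8   /* deliberately tiny so the bound is easy to exercise */
/* Bounds-checked push: unlike an optional debug macro, this is always compiled in. */
#define PUSH(b) do { if (sp >= STACKSZ) return -1; stack[sp++] = (b); } while (0)
static uint16_t prefix[MAXCODE];
static uint8_t  suffix[MAXCODE];
/* Decodes ncodes codes into out; returns bytes written, or -1 on malformed input. */
int lzw_decode(const uint16_t *codes, size_t ncodes, uint8_t *out, size_t outcap)
{
    uint8_t stack[STACKSZ];          /* fixed stack used to reverse each string */
    size_t outlen = 0;
    int next = 256, prev = -1;
    uint8_t first = 0;               /* first byte of the previous string */
    for (size_t i = 0; i < ncodes; i++) {
        int code = codes[i], c = code, sp = 0;
        /* Lookup check: valid codes are literals, entries already added, or
         * exactly "next" (the KwKwK case); anything else would index past
         * the dictionary or into slots that were never written. */
        if (code > next || code >= MAXCODE) return -1;
        if (code == next) {          /* KwKwK: string = prev + first(prev) */
            if (prev < 0) return -1;
            PUSH(first);
            c = prev;
        }
        while (c >= 256) { PUSH(suffix[c]); c = prefix[c]; }  /* walk prefix chain */
        PUSH((uint8_t)c);
        first = (uint8_t)c;          /* the chain ends at the string's first byte */
        if (outlen + (size_t)sp > outcap) return -1;
        while (sp > 0) out[outlen++] = stack[--sp];
        if (prev >= 0 && next < MAXCODE) {   /* new entry: prev + first(current) */
            prefix[next] = (uint16_t)prev; suffix[next] = first; next++;
        }
        prev = code;
    }
    return (int)outlen;
}
/* Constructed sample streams (not captured from any SAP product). */
static const uint16_t good_codes[] = {65, 66, 256, 258};          /* decodes to "ABABABA" */
static const uint16_t bad_lookup[] = {65, 300};                    /* 300 was never defined */
static const uint16_t deep_codes[] = {65, 256, 257, 258, 259, 260, 261, 262, 263};
static uint8_t outbuf[64];
/* Convenience wrapper: decode into the static buffer, return length or -1. */
int decode_demo(const uint16_t *codes, size_t n) { return lzw_decode(codes, n, outbuf, sizeof outbuf); }
```

With the first eight entries of deep_codes the strings grow one byte per code and the last one exactly fills the stack; the ninth code needs nine bytes and is rejected instead of overrunning the stack buffer.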

Building a reliable exploit for the SAP platform is "a difficult but not impossible task," and skilled attackers with enough motivation would be able to develop one, Onapsis said.

Since the LZC and LZH compression algorithm routines are statically compiled into the different binaries of the affected products and programs, administrators can check whether their applications include these functions by looking at the constants used in the program, the advisory said.

SAP counts a quarter of a million customers worldwide, and its applications run critical business applications and processes for 87 percent of Global 2000 companies. However, security personnel rarely have any visibility within the SAP application, and SAP administrators are not aware of the security threats they face, Mariano Nunez, CEO and co-founder of Onapsis, told SecurityWeek earlier in the year. SAP systems are a critical part of IT operations in the enterprise, and they contain highly valuable data, making them attractive targets, Nunez said.

Recent research from Onapsis found that more than 95 percent of SAP systems are exposed to vulnerabilities that could allow an attacker to fully compromise a company's business data and processes. The same research found the average patch window for SAP applications was 18 months. Considering SAP issued 391 security patches in 2014, with almost half classified as "high priority," a significant number of SAP systems remain unpatched today.

"We are seeing a major uptick in vulnerabilities and exploits against SAP in the market place," Perez said.

A recent report from digital forensics firm Stroz Friedberg claimed attackers infiltrated USIS, the agency responsible for conducting background checks on federal employees, by exploiting a flaw in an SAP enterprise resource planning application back in 2013. The attackers were able to view personal records on federal employees and contractors with access to classified intelligence, and the breach exposed sensitive details on tens of thousands of national security personnel in March last year.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.