Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Application Security

SAP Fixes Remotely Exploitable Vulnerabilities Affecting Multiple Products

SAP has fixed multiple vulnerabilities in compression libraries used in several SAP products discovered by Core Security researchers. Administrators should check the Support Portal for the relevant Security Notes immediately.

SAP has fixed multiple vulnerabilities in compression libraries used in several SAP products discovered by Core Security researchers. Administrators should check the Support Portal for the relevant Security Notes immediately.

Two memory corruption vulnerabilities (CVE-2015-2282, CVE-2015-2278) were found in the compression libraries used by almost all SAP Netweaver products, according to Core Security’s advisory released Wednesday. All SAP Netweaver products that expose services on the network or connect to a SAP system are considered vulnerable to remote exploitation. That list includes SAP Netweaver Application Server ABAP and Java, Java and .NET connectors, ABAP development tools, Hana Studio, SAP GUI, SAP Netweaver RFC SDK, SAP RFC SDK, SAP Content Server and SAP CAR/SAR archive tools. Developers who used the open source versions of MaxDB 7.5 and 7.6 for their tools should contact SAP.

The impact varies depending on the product and the actual configuration, but an attacker could potentially take remote control of an SAP system without credentials, Martin Gallo, senior security consultant with Core Security, told SecurityWeek. If successful, the attacker would be able to access the rest of the network as well as all the data stored within the SAP system and other connected third-party systems.

A remote unauthenticated attacker may be able to connect to SAP Netweaver services like Dispatcher or Gateway and send specially crafted packets to trigger the flaw, according to the advisory. These services are not encrypted by default, so an attacker would be able to perform a man-in-the-middle attack by injecting malicious packets. In another scenario, the user may be tricked into opening a specially crafted archive files (.CAR or .SAR) or connecting to a rogue SAP server, which would result in the attacker gaining control of the victim’s workstation, Gallo said. Attackers may also disrupt critical business processes by launching a denial-of-service attack against the SAP system.

“This specific vulnerability is critical as memory corruption exploits can be very dangerous for SAP systems as they can take the system entirely offline leaving a company’s key business processes and data useless,” JP Perez, CTO of Onapsis, told SecurityWeek. Onapsis Research Labs found these attack vectors “100% effective,” and have been seen in the wild, Perez said.

Several SAP products and programs use proprietary implementations of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm to compress in-transit data, Core Security said in its advisory. Researchers uncovered a stack-based buffer overflow bug in a decompression routine to write output characters, and an out-of-bounds read flaw in the decompression routine performing look-ups of non-simple codes. If triggered, these issues could result in arbitrary code execution and denial of service on the affected SAP system, the advisory said. The vulnerable code has been in these products for more than 15 years, Gallo said.

Core Security’s advisory noted the code had a macro in place to check for the stack overflow issue, but it was not sufficient, and many of the vulnerable products and programs were built with this macro disabled.

Advertisement. Scroll to continue reading.

Building a reliable exploit for the SAP platform is “a difficult but not impossible task,” and skilled attackers with enough motivation would be able to develop one, Onapsis said.

Since the LZC and LZH compression algorithm routines are statically compiled in the different binaries of the affected products and programs, administrators can check if their applications include these functions by looking at the constants are used in the program, the advisory said.

SAP counts a quarter of million customers worldwide and its applications run critical business applications and processes for 87 percent of Global 2000 companies. However, security personnel rarely have any visibility within the SAP application, and SAP administrators are not aware of the security threats they face, Mariano Nunez, CEO and co-founder of Onapsis told SecurityWeek earlier in the year. SAP systems are a critical part of IT operations in the enterprise, and they contain highly valuable data, making them attractive targets, Nunez said.

Recent research from Onapsis found that more than 95 percent of SAP systems are exposed to vulnerabilities that could allow an attacker to fully compromise a company’s business data and processes. The same research found the average patch window for SAP applications was 18 months. Considering SAP issued 391 security patches in 2014, with almost half classified as “high priority,” a significant number of SAP systems remain unpatched today.

“We are seeing a major uptick in vulnerabilities and exploits against SAP in the market place,” Perez said.

A recent report from digital forensics firm Stroz Friedberg claimed attackers infiltrated USIS, the agency responsible for conducting background checks on federal employees, by exploiting a flaw in an SAP enterprise resource planning application back in 2013. The attackers were able to view personal records on federal employees and contractors with access to classified intelligence and exposed sensitive details on tens of thousands of national security personnel in March last year.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.