SAP has patched two serious vulnerabilities affecting users of their SAP BASIS and SAP BusinessObjects enterprise software.
The vulnerabilities were uncovered by researchers at security firm Onapsis. According to Onapsis, the most serious of the vulnerabilities impacts BusinessObjects users and can be used to potentially access and modify information stored on the SAP BusinessObjects server.
“SAP Business Objects allows a remote user, potentially using a Guest account if enabled, to perform CORBA calls to resources that should be restricted by correctly checking the privileges of the user performing the request,” Onapsis said in an advisory. “Using CORBA calls it is possible to escalate privileges from any valid user to System privileges in BusinessObjects. The System Account can perform any action in BusinessObjects. An unauthenticated attacker (if Guest user is enabled, so no credentials are required) can obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN via CORBA. This token can be used, also via CORBA, to perform actions as SYSTEM, thus escalating privileges.”
The vulnerability is remotely exploitable, and impacts BusinessObjects Edge 4.1.
The second vulnerability is rated “high” by Onapsis and impacts authorization checks for SAP BASIS. If exploited successfully, the vulnerability enables an authenticated attacker to access background processing that automates routine tasks. If this process is tampered with, the attacker would be able to compromise the SAP system’s ability to properly run business-critical reports and programs, Onapsis notes.
“The Batch input Recorder is part of the SAP background processing which automates routine tasks and helps the user optimize his organization’s SAP computing resources,” according to the Onapsis advisory. “Using background processing, the user can tell the SAP System to run programs for him. Background processing lets the user move long-running or resource-intensive program runs to times when the system load is low. It also lets the user delegate to the system the task of running reports or programs. Transaction SHDB (batch input recorder) does not perform any authority check to display recordings performed by any user.”
The issue impacts SAP NetWeaver 7.00, 7.01, 7.02, 7.10, 7.11, 7.20, 7.30, 7.31 and 7.40.
“Advanced threats targeting SAP systems that run business-critical applications are increasing at an alarming rate,” said Ezequiel Gutesman, director of research at Onapsis Research Labs, in a statement. “These security advisories are the latest example of how key systems are vulnerable to attack and have to be a main focus of an organization’s security strategy. Additionally, it is now an executive imperative to understand the risks associated with SAP security posture and potential business impact.”