CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Vulnerabilities in SAP HANA Impact Over 10,000 Customers: Report

Vulnerabilities in SAP HANA represent a risk to more than 10,000 SAP customers running different versions of the popular business-critical application, security firm Onapsis warns.

Vulnerabilities in SAP HANA represent a risk to more than 10,000 SAP customers running different versions of the popular business-critical application, security firm Onapsis warns.

The security firm released a series of security advisories this week detailing multiple vulnerabilities affecting the SAP HANA and SAP Trex applications, including Critical and High risk security flaws. The most important of these bugs is a User Brute Force Attack in SAP HANA, which could allow an attacker to access business information.

According to Onapsis, a remote unauthenticated attacker exploiting this vulnerability could receive high privileges on the HANA system and could also modify arbitrary database information. Tracked as CVE-2016-6144, the vulnerability has a CVSS v3 score of 9.0, Onapsis says.

Some of the high risk vulnerabilities affecting SAP HANA include two Arbitrary Audit Injections, one via HTTP Requests and another via SQL Protocol, both of which would allow an attacker to tamper the audit logs, hiding the evidence of an attack to a HANA system. Onapsis also revealed remote code execution flaws in SAP HANA, which could allow an unauthenticated attacker to access and modify any information indexed by the SAP system.

Depending on the SAP HANA implementation a company uses, these vulnerabilities could provide attackers with access to mission-critical information, including customer data, product pricing, financial statements, employee information, supply chains, business intelligence, budgeting, planning and forecasting, Onapsis says.

Another critical flaw disclosed by Onapsis today is a Remote Code Execution vulnerability in SAP TREX. An unauthenticated attacker can exploit this security issue to access and modify any information indexed by the SAP system, the security firm says. Tracked as CVE-2016-6147, the bug has a CVSS v3 score of 10.0.

Additionally, Onapsis disclosed high risk flaws in SAP TREX, including an Arbitrary File Write that could allow an unauthenticated attacker to modify any information indexed by the SAP system and Remote Directory Traversal and Remote File Read flaws that could allow a remote unauthenticated attacker to access arbitrary business information from the SAP system.

“This set of advisories is unique as most of the vulnerabilities attackers can leverage are undervalued. Meaning, the way in which they can be exploited is not always obvious and can go undetected. For example, one of the critical vulnerabilities that can be exploited creates an error message which includes sensitive information about its environment, users, or associated data,” said Sebastian Bortnik, Head of Research, Onapsis.

Advertisement. Scroll to continue reading.

Last week, SAP released its security patches for July 2016, addressing 24 clickjacking flaws in multiple products. In June, the company resolved 21 vulnerabilities across its portfolio, after it patched 10 security issues in May, including a five-year-old issue that was used in attacks against 36 global organizations.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.