Vulnerabilities in SAP HANA represent a risk to more than 10,000 SAP customers running different versions of the popular business-critical application, security firm Onapsis warns.
The security firm released a series of security advisories this week detailing multiple vulnerabilities affecting the SAP HANA and SAP Trex applications, including Critical and High risk security flaws. The most important of these bugs is a User Brute Force Attack in SAP HANA, which could allow an attacker to access business information.
According to Onapsis, a remote unauthenticated attacker exploiting this vulnerability could receive high privileges on the HANA system and could also modify arbitrary database information. Tracked as CVE-2016-6144, the vulnerability has a CVSS v3 score of 9.0, Onapsis says.
The high-risk vulnerabilities affecting SAP HANA include two Arbitrary Audit Injections, one via HTTP Requests and another via SQL Protocol, both of which would allow an attacker to tamper with the audit logs, hiding the evidence of an attack on a HANA system. Onapsis also revealed remote code execution flaws in SAP HANA, which could allow an unauthenticated attacker to access and modify any information indexed by the SAP system.
Depending on the SAP HANA implementation a company uses, these vulnerabilities could provide attackers with access to mission-critical information, including customer data, product pricing, financial statements, employee information, supply chains, business intelligence, budgeting, planning and forecasting, Onapsis says.
Another critical flaw disclosed by Onapsis today is a Remote Code Execution vulnerability in SAP TREX. An unauthenticated attacker can exploit this security issue to access and modify any information indexed by the SAP system, the security firm says. Tracked as CVE-2016-6147, the bug has a CVSS v3 score of 10.0.
Additionally, Onapsis disclosed high-risk flaws in SAP TREX, including an Arbitrary File Write that could allow an unauthenticated attacker to modify any information indexed by the SAP system, as well as Remote Directory Traversal and Remote File Read flaws that could allow a remote unauthenticated attacker to access arbitrary business information from the SAP system.
“This set of advisories is unique as most of the vulnerabilities attackers can leverage are undervalued. Meaning, the way in which they can be exploited is not always obvious and can go undetected. For example, one of the critical vulnerabilities that can be exploited creates an error message which includes sensitive information about its environment, users, or associated data,” said Sebastian Bortnik, Head of Research, Onapsis.
Last week, SAP released its security patches for July 2016, addressing 24 clickjacking flaws in multiple products. In June, the company resolved 21 vulnerabilities across its portfolio, after it patched 10 security issues in May, including a five-year-old issue that was used in attacks against 36 global organizations.