Information about a supposed 0-day SAP vulnerability was published on LinkedIn on October 28, 2016. A researcher disclosed details of a vulnerability in an SAP system that he had identified and described as a 0-day. As it turns out, the vulnerability had already been patched by SAP on September 13 in SAP Note 2344524, so technically it is not a 0-day vulnerability but, so to speak, a 0-day disclosure of its details. However, as implementing a patch takes time, most SAP users may still be susceptible to attack through this issue.
Usually, SAP asks researchers to hold publication of vulnerability details for 3 months after the fix is out (as we do); this time gap allows customers to implement patches. In this case, the vulnerability description became available within 1.5 months of the patch release.
What is interesting is that this vulnerability was initially reported by an ERPScan researcher on July 12. ERPScan decided not to reveal any details until 3 months after the patch release, in accordance with the rules of responsible disclosure.
Since the description has already been published and many customers are potentially at risk, we describe here the most important facts regarding this issue and how to fix it.
The vulnerability allows an external attacker to remotely obtain the list of SAP users from the system by exploiting an information disclosure vulnerability in the following service:
This service is actually an example application for creating a time-off request. It should not be activated in production systems; however, it is installed by default and, in reality, few SAP customers disable the component.
The vulnerability allows obtaining usernames, user IDs and even email addresses, if a user has provided them. Usernames and email addresses can be used in a phishing attack that delivers malware to these users.
Currently, there are at least 941 SAP systems exposed to the Internet with this vulnerability.
It is not the first vulnerability of this kind in an SAP web service. ERPScan has recently helped to close 2 similar issues in other applications. To make matters worse, an SAP system has 1000+ such applications enabled by default. Thus, there is a need for detailed analysis of all exposed web services.
ERPScan Security Monitoring Suite can detect all web services that can be accessed anonymously, without authentication, whether or not they contain critical data. This check against all anonymously available services has been available in ERPScan since 2012. In addition, ERPScan Security Monitoring Suite has been updated to detect this particular vulnerability and includes an attack signature for this issue, so that customers may use the solution to enhance the functionality of their IDS/IPS solutions.