Two vulnerabilities that allow compromise of the widely used SAP CRM system were disclosed by security researchers at ERPScan.
Businesses consider CRM one of their most critical assets. A data breach of a CRM system can be disastrous: it can destroy customer trust, severely tarnish the brand and raise compliance issues.
ERPScan made the disclosure at the Troopers security conference. The research indicates that over 500 vulnerable systems are currently exposed on the internet without a fix. The vulnerabilities stem from a flaw in the SAP NetWeaver platform, which is used to automate business processes.
An attack first uses a directory traversal vulnerability to read administrator credentials. Once logged into the CRM portal with those credentials, the attacker can use the traversal flaw again to inject malicious code, which can then be called anonymously from a remote server. This could allow attackers to take full control of an SAP CRM system and read all available information about a company's clients, the analysts said.
“It takes nothing to exploit those vulnerabilities,” says Vahagn Vardanyan, security researcher at ERPScan. “Perpetrators can remotely read any file in SAP CRM without authentication. We scanned the Internet and found nearly 500 SAP servers that are prone to it.”
Since the story was published, SAP has issued a statement: “SAP Product Security Response Team collaborates frequently with research companies like ERPScan to ensure a responsible disclosure of vulnerabilities. All vulnerabilities in question have been fixed using security notes 2547431 and 2565622. Both security notes were released as part of February patch day. We strongly advise our customers to secure their SAP landscape by applying the available security patches immediately.”
Security professionals recommend that SAP users apply all available patches as soon as possible and monitor their systems for malicious behavior and anomalies.
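As an added illustration of the monitoring advice above (this is not code from ERPScan or SAP), the Python below flags web-server access-log requests whose path or query values carry directory traversal sequences, including percent-encoded and double-encoded forms. The log lines, endpoint and parameter names are constructed placeholders, not real SAP paths.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (not real SAP logs). The endpoint and
# parameter names are placeholders to exercise the detector, not SAP paths.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2018:10:01:02 +0000] "GET /portal/page?file=report.pdf HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2018:10:01:09 +0000] "GET /portal/page?file=../../../../etc/passwd HTTP/1.1" 200 1823
10.0.0.7 - - [12/Mar/2018:10:01:15 +0000] "GET /portal/page?file=..%2F..%2F..%2Fsecstore%2Fkeys HTTP/1.1" 200 4096
10.0.0.9 - - [12/Mar/2018:10:02:01 +0000] "GET /portal/page?file=%252e%252e%252f%252e%252e%252fconfig HTTP/1.1" 404 0
10.0.0.5 - - [12/Mar/2018:10:02:30 +0000] "GET /portal/docs/a..b/readme.txt HTTP/1.1" 200 77
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> .)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target: str) -> bool:
    """True if the path or any query value contains a '..' segment.
    Segments are checked individually, so a name like 'a..b' is not flagged."""
    decoded = decode_fully(target).replace("\\", "/")
    path, _, query = decoded.partition("?")
    candidates = [path] + [kv.partition("=")[2] for kv in query.split("&") if query]
    return any(".." in c.split("/") for c in candidates)


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per request whose target carries a traversal sequence."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and has_traversal(m["target"]):
            # A 200 status on a traversal request suggests the file was actually read.
            hits.append({"ip": m["ip"], "target": m["target"], "status": int(m["status"])})
    return hits
```

Hits with a 200 status are the ones to triage first, since they indicate the server served the requested file rather than rejecting the request.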
You can find out more about the attack and how it works on the ERPScan website and in the video below.