SAP CRM servers vulnerable to online attack
Researchers at cyber security platform ERPScan have disclosed details of two vulnerabilities that allow compromise of the widely used SAP CRM system.
CRM is considered one of the most critical assets by businesses. A data breach into CRM can be disastrous: it can destroy trust in the business and severely tarnish the brand, as well as raising compliance issues.
ERPScan made the disclosure at the Troopers security conference. The research indicates that over 500 vulnerable systems are currently available on the internet without a fix. The vulnerabilities lie in the SAP NetWeaver platform, which is used to automate business processes.
Executing an attack involves using a directory traversal vulnerability to read administrator credentials. Having logged into the CRM portal, the attacker can use the traversal vulnerability again to inject malicious code, which can then be called anonymously from a remote server. This could allow attackers to take full control of an SAP CRM system and read all available information about a company's clients.
"It takes nothing to exploit those vulnerabilities," says Vahagn Vardanyan, senior security researcher at ERPScan. "Perpetrators can remotely read any file in SAP CRM without authentication. We scanned the Internet and found nearly 500 SAP servers that are prone to it."
It's recommended that SAP users apply all available patches as soon as possible and monitor their systems for malicious behavior and anomalies.
You can find out more about the attack and how it works on the ERPScan website and in the video below.
Update March 16:
Since we first published this story, SAP has issued a statement: "SAP Product Security Response Team collaborates frequently with research companies like ERPScan to ensure a responsible disclosure of vulnerabilities. All vulnerabilities in question have been fixed using security notes 2547431 and 2565622. Both security notes were released as part of February patch day. We strongly advise our customers to secure their SAP landscape by applying the available security patches immediately."