sb-au logo
Story image

Security experts find critical vulnerabilities in SAP’s mail systems

27 Mar 2017

Serious vulnerabilities were exposed in SAP systems worldwide, leaving them open to business data theft, business process disruption, fraud and many other forms of attacks.

ERP Security (ERP-SEC) discovered the vulnerabilities and says they related directly to SAP’s inbound email processing functionality.

Joris van de Vis, ERP-SEC researcher, demonstrated the vulnerabilities at the annual ‘Troopers Security Conference’, which has a special track dedicated to SAP security.

The team worked closely with SAP Product Security Response team to resolve and patch the vulnerabilities. As a result, SAP released Security Note 2308217 to mitigate them.

“SAP collaborates frequently with research companies such as ERP-SEC to ensure a responsible disclosure of vulnerabilities. The vulnerabilities in question have been fixed by SAP and the patches have been made available for download since June 2016. Our recommendation to all our customers is to implement SAP secure patches as soon as they are available - typically on the second Tuesday of every month. Timely security patching of SAP systems is the best policy to protect SAP infrastructure from attacks," a statement from SAP says.

According to SAP’s website, the Security Note 2308217, released in June 2016, is specifically for:

“SAP Web-Survey has an XML external entity vulnerability (CVSS Base Score: 7.5 ). An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by XML parser. An attacker can use an XML external entity vulnerability to get unauthorised access to OS filesystem. Install this SAP Security Note to prevent risks.”

Van de Vis says the percentage of affected customers is unclear, but around 50% use inbound mail capabilities in their SAP systems.

“The impact of these vulnerabilities can be severe for SAP customers that use the inbound mail processing functionality as it can be exploited over the internet and without authentication. In some cases we even managed to completely take over SAP systems by sending just one email to them with a specially crafted attachment,” comments van de Vis.

Story image
Global attack volume down, but fraud and cyber threats still going strong
“The move to digital, for both businesses and consumers, has been significant. Yet with this change comes opportunity for exploitation. Fraudsters look for easy targets: whether government support packages, new lines of credit or media companies with fewer barriers to entry."More
Story image
Remote staff overestimating knowledge of cybersecurity basics
‘Unconscious incompetence’ is one of the most difficult issues to identify and solve with security awareness training.More
Story image
Just one click – that’s all it takes to let in cyber-crime
So how do organisations ensure that users are not compromised by simply doing their work?  The answer is surprisingly simple, writes Bufferzone Security business strategist for A/NZ Greg Wyman.More
Story image
Fast track your digital transformation with dynamic security services from Fortinet
Jon McGettigan, Fortinet A/NZ Regional Director, explains how enterprises can speed up their network service delivery programmes by embracing Fortinet’s dynamic security services.More
Story image
Why it’s essential to re-write IT security for the cloud era
Key components of network security architecture for the cloud era should be built from the ground up, as opposed to being bolted on to legacy solutions built for organisations functioning only on-premises or from only managed devices.More
Story image
Security training and tech: Empowering staff in a hybrid work environment
As employees travel back and forth between home and the workplace, are they walking through the door with cyber threats sitting on their devices?More