A chain of vulnerabilities to hack SAP CRM

Heidelberg, Germany – March 14, 2018 – Today at the Troopers security conference, an annual event with a special track focused on SAP Security, ERPScan’s researchers disclosed the details of two vulnerabilities that allow an attacker to compromise an SAP CRM system. Since this application stores business-critical data such as clients’ personal information, affected companies may suffer severe reputational and financial losses.

CRM (Customer Relationship Management) systems are among the most widespread, useful and valuable business applications in any organization. According to the ERP Cybersecurity Survey 2017, 55% of respondents considered CRM the most critical asset. A data breach in a CRM system can be disastrous, as it can destroy trust in the business and tarnish the brand.

Unauthorized access to SAP CRM threatens data such as client lists, prices and contact points. If compromised, this data can be used by competitors to win over customers with lower-priced bids and, eventually, ruin the whole business.

In the talk titled ‘SAP BUGS: The Phantom Security’ delivered at Troopers, the researchers shared the details of these security issues and demonstrated their exploitation and an attack scenario.

It takes nothing to exploit those vulnerabilities. Perpetrators can remotely read any file in SAP CRM without authentication. We scanned the Internet and found nearly 500 SAP servers that are prone to it.

Vahagn Vardanyan, senior security researcher of ERPScan

The security researchers at ERPScan identified directory traversal and log injection vulnerabilities in the solution. In combination, the two issues lead to information disclosure, privilege escalation and complete compromise of the SAP system. The two vulnerabilities can wreak havoc in any company running SAP CRM.

To help SAP customers protect their critical assets against these vulnerabilities, ERPScan prepared a dedicated resource with the details of the vulnerabilities and an overview of the attack process.