Hacking SAP CRM: 2 vulnerabilities in SAP NetWeaver AS Java

SAP NetWeaver AS Java is a widely used platform that supports numerous SAP applications, and one of these applications is SAP CRM. A security issue in default component may lead to mass hacking of thousands of companies and millions of dollars losses.

SAP CRM concerns

CRM systems are one of the most valuable applications for every organization. According to the ERP Cybersecurity Survey 2017, 55% of respondents included CRM as the most critical asset.

These systems compile data from a range of different communication channels and allow businesses to store customer data that can be utilized to build meaningful customer relationships, find new customers, and grow revenues. That’s why, unfortunately, they are prone to security risks and extremely tantalizing for hackers who are looking to net personal information.

SAP released approximately 396 SAP Security Notes for different SAP CRM vulnerabilities. The security drawbacks in SAP CRM invite security concerns. While they are not given due attention, attackers can catch the chance to sneak into systems and exfiltrate corporate data.

SAP CRM risks

Some of multiple risks related to SAP CRM systems are listed below.

Client data theft (Espionage)

An unauthorized access to SAP CRM threatens such data as client lists, prices, contact points, etc. If compromised, this data can be used by competitors to win over customers with lower-priced bids and ruin the whole business eventually.

Reputational risks (Sabotage)

Unauthorized changes in SAP CRM can have a negative impact on customer relations. The possible outcomes are contract execution delay, substituted business correspondence or even revised contract terms.

SAP CRM vulnerabilities

Back in February 2016, ERPScan’s researchers found a bug in SAP NetWeaver AS Java, an application platform, which is a part of SAP CRM. They reported it to the vendor almost immediately, but the vendor had some issues and failed to exploit the vulnerability. In summer 2017, this vulnerability was considered a duplicate. Not so long after that, there supposedly was an incident. According to some unofficial sources, a man from China managed to exploit it, though.

In fact, ERPScan researchers identified two severe vulnerabilities in SAP NetWeaver AS Java.

The first security loophole is a Directory traversal vulnerability in Redwood component. It allows reading any file from the system, for example, the files that are named ‘SecStore’ contain critical information like administrator password and database credentials in an encrypted form. With the help of this vulnerability, a hacker may read those encrypted credentials remotely, decrypt them, and read any file in a system without authentication.

The second Directory traversal vulnerability in SAP CRM (CVE-2018-2380, SAP Security Note 2547431 CVSS 6.6.) enables creating a file in the system and record there anything you want. An attacker can create a malicious file containing a web-shell and execute it on the server side.

Attack scenario

The full attack scenario is:

1. An attacker uses the first directory traversal vulnerability to read administrator credentials in an encrypted form.
2. He or she decrypts the credentials since the algorithm is known and the key is stored in the same directory. More about decrypting SecStore can be found here.
3. The attacker logs in SAP CRM portal.
4. The attacker exploits another directory traversal vulnerability and changes SAP log file path to the web application root path.
5. Finally, using special request, he or she can inject a malicious code (a web-shell) into the log file and call it anonymously from a remote web server.

The impact of the two vulnerabilities is that attackers can take full control of an SAP CRM system and read all wanted information about company’s clients.

FAQ