On 13 February 2018, SAP released its scheduled set of SAP Security Notes. It includes fixes for two vulnerabilities in SAP CRM. Taken separately, the issues were rated 6.3 and 7.7 by CVSS v3 Base Score, but chained together their impact is much bigger.
SAP NetWeaver AS Java is a widely used platform that supports numerous SAP applications, and one of these applications is SAP CRM. A security issue in a default component can therefore expose thousands of companies to mass exploitation and to losses of millions of dollars.
SAP CRM concerns
CRM systems are among the most valuable applications of any organization. According to the ERP Cybersecurity Survey 2017, 55% of respondents included CRM among their most critical assets.
SAP CRM risks
Some of the many risks related to SAP CRM systems are listed below.

Client data theft (Espionage)
Unauthorized access to SAP CRM threatens data such as client lists, prices and contact points. Once compromised, this data can be used by competitors to win over customers with lower-priced bids and eventually ruin the whole business.

Reputational risks (Sabotage)
Unauthorized changes in SAP CRM can have a negative impact on customer relations. Possible outcomes include delayed contract execution, substituted business correspondence or even revised contract terms.

SAP CRM vulnerabilities
Back in February 2016, ERPScan's researchers found a bug in SAP NetWeaver AS Java, the application platform that SAP CRM runs on. They reported it to the vendor almost immediately, but the vendor ran into some issues and failed to exploit the vulnerability. In summer 2017 the vulnerability was considered a duplicate. Not long after that there was supposedly an incident: according to unofficial sources, an individual from China managed to exploit it.

In fact, ERPScan researchers identified two severe vulnerabilities in SAP NetWeaver AS Java. The first is a directory traversal vulnerability in the Redwood component. It allows reading any file on the system without authentication, including the files named 'SecStore', which hold critical information such as the administrator password and database credentials in encrypted form. With the help of this vulnerability, an attacker can read those encrypted credentials remotely and, since the key file is stored next to them, decrypt them. The second directory traversal vulnerability, in SAP CRM itself (CVE-2018-2380, SAP Security Note 2547431, CVSS 6.6), allows creating a file on the system and writing arbitrary content into it. An attacker can use it to plant a file containing a web shell and have it executed on the server side.

Attack scenario
The full attack scenario is as follows:
- The attacker uses the first directory traversal vulnerability to read the administrator credentials in encrypted form.
- The attacker decrypts the credentials, since the algorithm is known and the key is stored in the same directory. More about decrypting SecStore can be found here.
- The attacker logs in to the SAP CRM portal.
- The attacker exploits the second directory traversal vulnerability to change the SAP log file path to the web application root.
- Finally, using a specially crafted request, the attacker injects malicious code (a web shell) into the log file and then invokes it remotely without authentication.
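As an added example (not code from the original post, and not ERPScan's or SAP's code), the following Python module illustrates the bug class behind both vulnerabilities and the first step of the scenario above: a path taken from the request is joined onto a base directory without a containment check (the vulnerable pattern), shown next to a hardened join that canonicalises the path and verifies containment, plus a detector that flags traversal attempts against the SecStore files in a web-server access log. The web paths under /app/static/, the client addresses and the log lines are constructed for the example; the SecStore file names and their /usr/sap/<SID>/SYS/global/security/data/ location are the AS Java defaults.

```python
"""
Added example for the SAP CRM / AS Java directory traversal write-up.
Not ERPScan's or SAP's code. Log lines, hosts and /app/static/ paths are
constructed; SecStore.properties / SecStore.key under
/usr/sap/<SID>/SYS/global/security/data/ are the AS Java defaults.
"""
import posixpath
import re
from typing import Dict, List
from urllib.parse import unquote

# Files the first vulnerability was used to read (encrypted credentials + key).
SENSITIVE_TARGETS = ("secstore.properties", "secstore.key")

# NCSA/Apache-style access log prefix: client, ident, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def normalize_request_path(raw: str) -> str:
    """Reduce a request path to what a lenient server hands to the file API.

    The query string is dropped, percent-decoding is repeated until stable so
    that %2e%2e%2f and double-encoded %252e%252e%252f both end up as ../, and
    backslashes become slashes because Java file APIs on Windows accept both.
    """
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if the '..' segments climb above the directory the path starts in."""
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def join_unsafe(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: concatenate and trust the caller's '..' segments."""
    return base_dir.rstrip("/") + "/" + normalize_request_path(user_path).lstrip("/")


def join_safe(base_dir: str, user_path: str) -> str:
    """Hardened join: canonicalise first, then refuse anything outside base_dir."""
    base = posixpath.normpath(base_dir)
    relative = normalize_request_path(user_path).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, relative))
    # Compare with a trailing separator so /srv/webroot2 is not "inside" /srv/webroot.
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError(f"{user_path!r} resolves outside {base}")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """Convenience wrapper: does join_safe accept this path?"""
    try:
        join_safe(base_dir, user_path)
        return True
    except ValueError:
        return False


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag requests whose decoded path escapes the web root or names a SecStore file."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        path = normalize_request_path(match["path"])
        traversal = escapes_root(path)
        sensitive = posixpath.basename(path).lower() in SENSITIVE_TARGETS
        if traversal or sensitive:
            findings.append({"src": match["src"], "status": int(match["status"]),
                             "path": path, "traversal": traversal, "sensitive": sensitive})
    return findings


# Constructed sample: one benign request, then single-, double- and backslash-encoded traversals.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Feb/2018:10:01:02 +0000] "GET /irj/portal/../portal/start HTTP/1.1" 302 0',
    '203.0.113.7 - - [13/Feb/2018:10:01:09 +0000] "GET /app/static/..%2f..%2f..%2f..%2f..%2fusr/sap/CRM/SYS/global/security/data/SecStore.properties HTTP/1.1" 200 2201',
    '203.0.113.7 - - [13/Feb/2018:10:01:10 +0000] "GET /app/static/..%252f..%252f..%252fusr/sap/CRM/SYS/global/security/data/SecStore.key HTTP/1.1" 200 1140',
    '203.0.113.7 - - [13/Feb/2018:10:01:12 +0000] "GET /app/static/..%5c..%5c..%5cusr/sap/CRM/SYS/global/security/data/SecStore.properties?x=1 HTTP/1.1" 200 2201',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    target = "../../usr/sap/CRM/SYS/global/security/data/SecStore.key"
    print("unsafe join gives:", join_unsafe("/srv/webroot", target))
    print("safe join accepts it:", is_contained("/srv/webroot", target))
```

The first vulnerability needs no authentication, so it is detectable at the web tier: every SecStore read has to arrive as an HTTP request whose decoded path climbs above the web root, and a rule of this shape on the reverse proxy or the AS Java HTTP access log catches the attempt whichever encoding the attacker uses. The hardened join is the general fix for this bug class: validate after canonicalisation, never before.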
FAQ
How can I protect my SAP system?
Implement the latest SAP Security Notes (for these issues, 2547431 and 2565622). Since it is impossible to close every bug, continuously assess your systems, detect malicious behavior and anomalies, and respond to them accordingly.
How can I start my journey to overall SAP cybersecurity?
To get started with SAP security, we recommend following the EAS-SEC SAP Cybersecurity Framework.
What resources are available to learn more about these SAP CRM vulnerabilities?
- Technical details – [ERPSCAN-18-003] and [ERPSCAN-18-004]
- How to install a patch in J2EE – SAP notes implementation in Java stack
- SAP Threat Intelligence report – February 2018
- SAP Security Notes 2547431 and 2565622
- SAP Security for CISO: SAP NetWeaver J2EE Platform Security