
Security experts find critical vulnerabilities in SAP’s mail systems

27 Mar 17

Serious vulnerabilities were exposed in SAP systems worldwide, leaving them open to business data theft, business process disruption, fraud and many other forms of attack.

ERP Security (ERP-SEC) discovered the vulnerabilities and says they relate directly to SAP’s inbound email processing functionality.

Joris van de Vis, ERP-SEC researcher, demonstrated the vulnerabilities at the annual ‘Troopers Security Conference’, which has a special track dedicated to SAP security.

The team worked closely with SAP’s Product Security Response Team to resolve and patch the vulnerabilities. As a result, SAP released Security Note 2308217 to mitigate them.

“SAP collaborates frequently with research companies such as ERP-SEC to ensure a responsible disclosure of vulnerabilities. The vulnerabilities in question have been fixed by SAP and the patches have been made available for download since June 2016. Our recommendation to all our customers is to implement SAP secure patches as soon as they are available - typically on the second Tuesday of every month. Timely security patching of SAP systems is the best policy to protect SAP infrastructure from attacks,” a statement from SAP says.

According to SAP’s website, Security Note 2308217, released in June 2016, addresses the following:

“SAP Web-Survey has an XML external entity vulnerability (CVSS Base Score: 7.5). An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by the XML parser. An attacker can use an XML external entity vulnerability to get unauthorised access to the OS filesystem. Install this SAP Security Note to prevent risks.”

Van de Vis says the percentage of affected customers is unclear, but around 50% of SAP customers use inbound mail capabilities in their SAP systems.

“The impact of these vulnerabilities can be severe for SAP customers that use the inbound mail processing functionality as it can be exploited over the internet and without authentication. In some cases we even managed to completely take over SAP systems by sending just one email to them with a specially crafted attachment,” comments van de Vis.
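The weakness SAP’s note describes, and the one-email attack van de Vis mentions, both come down to an XML parser that honours entity declarations in an attachment from an untrusted sender. The following is an added example, not code from the article, SAP or ERP-SEC, showing the standard mitigation: refuse any inbound XML that declares a DOCTYPE or entity before it reaches the real parser. The survey-style XML samples are constructed for illustration.

```python
# Added example (not from the article, SAP or ERP-SEC): gate an inbound XML
# attachment before parsing it. Untrusted XML has no business declaring a
# DOCTYPE or entities, so the gate rejects such documents outright, which is
# the usual defence against XML external entity (XXE) processing.
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeXML(Exception):
    """The document declares a DTD or entity and must not be parsed."""


def check_no_dtd(xml_bytes: bytes) -> None:
    """Raise UnsafeXML on any DOCTYPE or entity declaration.

    Expat calls these handlers the moment it sees the declaration, before any
    entity reference could be expanded, so the parse aborts at the earliest
    possible point.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE for {name!r} not allowed in untrusted XML")

    def on_entity_decl(*decl):
        raise UnsafeXML(f"entity declaration {decl[0]!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)


def parse_attachment(xml_bytes: bytes) -> dict:
    """Parse a survey-style XML attachment only after the DTD gate passes."""
    check_no_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return {child.tag: (child.text or "") for child in root}


def is_safe_attachment(xml_bytes: bytes) -> bool:
    """True if the attachment parses cleanly, False if the gate rejects it."""
    try:
        parse_attachment(xml_bytes)
        return True
    except (UnsafeXML, expat.ExpatError, ET.ParseError):
        return False


# Constructed sample inputs (hypothetical; the file path is a placeholder).
BENIGN = b"<survey><question>q1</question><answer>yes</answer></survey>"
CRAFTED = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE survey [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
           b"<survey><answer>&ext;</answer></survey>")

if __name__ == "__main__":
    print(parse_attachment(BENIGN))     # {'question': 'q1', 'answer': 'yes'}
    print(is_safe_attachment(CRAFTED))  # False
```

The gate rejects a document with only a DOCTYPE and no entities as well; for mail-borne XML that is the intended behaviour, since nothing legitimate from an outside sender needs a DTD.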
