Security experts at ERPScan discovered that, by chaining the exploits for two security vulnerabilities in SAP NetWeaver Application Server Java, both patched last month, an attacker can hack customer relationship management (CRM) systems.
CRMs are critical business systems used to manage sensitive data such as clients' personal information, prices and contact points.
The flaws are a directory traversal issue and a log injection vulnerability; in combination they could lead to information disclosure, privilege escalation, and full compromise of SAP CRM installations.
Considered individually, the flaws are not particularly severe: they received CVSS v3 base scores of 6.3 and 7.7 respectively.
“The security researchers at ERPScan identified directory traversal and log injection vulnerabilities in the solution. The two issues in combination lead to information disclosure, privilege escalation, and complete SAP systems compromise. The two vulnerabilities can wreak havoc in any company running SAP CRM,” explained Vahagn Vardanyan, senior security researcher at ERPScan.
According to ERPScan, there are more than 500 vulnerable SAP CRM systems exposed online.
The experts provided details of the full attack scenario, which is composed of the following steps:
ERPScan shared details of the vulnerabilities with SAP to help it develop the security patches.
ERPScan researchers disclosed details of the vulnerabilities during a talk at the Troopers security conference. The researchers explained how remote attackers can chain the flaws to read any file on an unpatched SAP CRM installation without authentication.
SAP urged customers to apply the updates; further information is available on a website published by ERPScan.
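Added illustration, not code from ERPScan, SAP or this article: the two server-side controls a defender would expect against the bug classes named above (path containment against directory traversal, and control-character stripping against log injection), written in Python with the web root and function names as assumptions.

```python
import re
from pathlib import Path

# Constructed web root for the demo (assumption); a real deployment uses its own document root.
WEB_ROOT = Path("/srv/app/public")

# Control characters (CR, LF, NUL, ...) that let user input forge extra log lines.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def resolve_under_root(user_path: str, root: Path = WEB_ROOT) -> Path:
    """Resolve a client-supplied relative path and refuse anything that
    escapes the web root (directory traversal via '..' components).
    Raises ValueError instead of returning a path outside the root."""
    # Strip leading slashes so an absolute path cannot bypass the join.
    candidate = (root / user_path.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(root.resolve())
    except ValueError:
        raise ValueError(f"path escapes web root: {user_path!r}") from None
    return candidate


def sanitize_log_field(value: str, max_len: int = 200) -> str:
    """Neutralise log injection: drop CR/LF and other control characters so
    attacker-controlled text cannot add fake entries or payload lines to a
    log file, and cap the length so one request yields one bounded field."""
    cleaned = _CONTROL_CHARS.sub("", value)
    return cleaned[:max_len]


def log_request(client_ip: str, requested: str) -> str:
    """Build a single one-line log entry from untrusted request data."""
    return f"{sanitize_log_field(client_ip)} GET {sanitize_log_field(requested)}"


def serve_and_log(client_ip: str, requested: str) -> tuple:
    """Combine both controls: returns (log_line, resolved_path_or_None).
    A rejected path is still logged, but through the sanitised field."""
    try:
        path = resolve_under_root(requested)
    except ValueError:
        path = None
    return log_request(client_ip, requested), path
```

The second control matters for the chain described above: if request data reaches a log file unsanitised, the log file itself becomes attacker-shaped content that a traversal flaw could then expose.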
(Security Affairs – SAP CRM, hacking)