Security experts at ERPScan discovered that by chaining exploits for two vulnerabilities in SAP NetWeaver Application Server Java, both patched last month, an attacker can compromise SAP customer relationship management (CRM) systems.
CRM systems are business-critical because they manage sensitive data such as clients' personal information, pricing and contact details.
The flaws are a directory traversal issue and a log injection vulnerability; in combination they can lead to information disclosure, privilege escalation and full compromise of SAP CRM installations.
Considered individually the flaws are not especially severe: they received CVSS v3 Base Scores of 6.3 and 7.7 respectively.
“The security researchers at ERPScan identified directory traversal and log injection vulnerabilities in the solution. The two issues in combination lead to information disclosure, privilege escalation, and complete SAP systems compromise. The two vulnerabilities can wreak havoc in any company running SAP CRM,” explained Vahagn Vardanyan, senior security researcher at ERPScan.
According to ERPScan, there are more than 500 vulnerable SAP CRM systems exposed online.
The experts described the full attack scenario, which is composed of the following steps:
ERPScan shared details of the vulnerabilities with SAP and assisted in the development of the security patches.
ERPScan researchers disclosed details of the vulnerabilities in a talk at the Troopers security conference, explaining how remote attackers can chain the flaws to read any file on an unpatched SAP CRM system without authentication.
SAP urged customers to apply the updates; further information is available on a website published by ERPScan.
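The article names the two bug classes but, like ERPScan's public summary, does not show what they look like in code. The following is an added example, written for this page and not taken from SAP, ERPScan or the Troopers talk: each class is shown in a naive form next to a hardened form, run against constructed inputs. The document root, the log format and the payloads are assumptions chosen for illustration; the block demonstrates the generic weaknesses, not the specific SAP CRM code paths or the exact chain ERPScan presented.

```python
# Added example: directory traversal and log injection, weak vs. hardened.
# Not SAP or ERPScan code; paths, log format and payloads are constructed.
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

DOC_ROOT = "/srv/app/public"  # assumed document root for the example


def weak_resolve(base: str, user_path: str) -> str:
    """Vulnerable: joins user input onto the base directory and trusts the
    result. A '../' sequence simply walks out of the base directory."""
    return posixpath.normpath(posixpath.join(base, user_path))


def safe_resolve(base: str, user_path: str) -> Optional[str]:
    """Hardened: percent-decode, resolve to an absolute path, then check that
    the resolved path is still inside the base directory. Because the check
    is on the final resolved path, '..', '%2e%2e' and absolute paths are all
    rejected the same way. Returns None when the path escapes the base."""
    base_abs = posixpath.abspath(base)
    candidate = posixpath.abspath(posixpath.join(base_abs, unquote(user_path)))
    if posixpath.commonpath([base_abs, candidate]) != base_abs:
        return None
    return candidate


def weak_log_line(user: str, event: str) -> str:
    """Vulnerable: attacker-controlled text is written verbatim, so a CR/LF
    inside the value terminates the record and forges a second one."""
    return f"[INFO] user={user} event={event}"


# Control characters (including CR and LF) that must never reach a log record.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_log_field(value: str) -> str:
    """Hardened: escape control characters as \\xNN so a field cannot end the
    record or inject terminal/escape sequences into whatever reads the log."""
    return _CTRL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def safe_log_line(user: str, event: str) -> str:
    return f"[INFO] user={sanitize_log_field(user)} event={sanitize_log_field(event)}"


def count_records(log_text: str) -> int:
    """Number of log records a line-oriented parser would see."""
    return len(log_text.splitlines())


# Constructed payloads for the demonstration.
TRAVERSAL = "../../../etc/passwd"
ENCODED_TRAVERSAL = "%2e%2e/%2e%2e/%2e%2e/etc/passwd"
LOG_PAYLOAD = "alice\n[INFO] user=admin event=login_ok"

if __name__ == "__main__":
    print("weak resolve :", weak_resolve(DOC_ROOT, TRAVERSAL))
    print("safe resolve :", safe_resolve(DOC_ROOT, TRAVERSAL))
    print("safe encoded :", safe_resolve(DOC_ROOT, ENCODED_TRAVERSAL))
    print("weak log records:", count_records(weak_log_line(LOG_PAYLOAD, "login_failed")))
    print("safe log records:", count_records(safe_log_line(LOG_PAYLOAD, "login_failed")))
```

The two checks are deliberately independent: the path check operates on the fully resolved path rather than on a blacklist of `..` patterns, and the log sanitizer neutralizes every control character rather than only `\n`, since a forged record is exactly what lets log injection be combined with another bug such as file disclosure.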
(Security Affairs – SAP CRM, hacking)