A software developed by PricewaterhouseCoopers for SAP systems, the Automated Controls Evaluator (ACE), is affected by a critical security flaw.
The vulnerability was discovered by the security firm ESNC who analyzed the tool. The Automated Controls Evaluator (ACE) is a diagnostic SAP tool that extracts security and configuration data from SAP systems in order to analyze them in order to discover backdoors (such as configuration, customization and security settings) and misconfiguration that could be exploited by attackers to commit fraud.”
“The purpose of this tool is to analyze SAP security settings and identify privileged access and potential segregation of duties issues accurately and efficiently”; and – “The ABAP files introduce no changes to the production systems and settings”. states the PricewaterhouseCoopers website.
The researchers from ESNC have discovered that the PwC ACE software is affected by a remotely exploitable security flaw that could be exploited to inject and execute malicious ABAP code on the remote SAP system. The potential impact on the companies that uses the tool is critical, the vulnerability may allow an attacker bypass change management control, bypass segregation of duty restrictions, and of course, manipulate accounting documents and financial results exposing the business to fraudulent activities.
“This security vulnerability may allow an attacker to manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions,” states the advisory published by ESNC.
“This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money.” “The attacks may be executed from the local network via SAPGui, or from the public Internet via http/https ICF services such as WebGui and Report, if the systems are accessible.”
The vulnerability affects version 8.10.304, and potentially also earlier versions might also be affected.
A PricewaterhouseCoopers spokeswoman tried to downplay the issue by explaining that the company is not aware of any problem with his software.
“The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients,” a PwC spokeswoman told The Reg. “The bulletin describes a hypothetical and unlikely scenario – we are not aware of any situation in which it has materialized.”
The Reg highlighted the difficulties faced by ESNC in reporting the issue to PricewaterhouseCoopers. The flaw was reported in August, but PwC initially didn’t provide a response, then its lawyers sent an email to the security researchers to “desist” their investigation.
Below the Vulnerability Timeline shared by ESNC
This is a wrong approach to cyber security.
(Security Affairs – PricewaterhouseCoopers SAP tool, hacking)