SAP has issued a security patch for the SAP TREX search engine that addresses multiple vulnerabilities discovered by the experts in a 2015 patch released in December 2015.
“SAP, the largest enterprise software maker, closed a critical vulnerability affecting SAP’s search engine TREX. The issue stayed exposed almost 2 years.” reads a blog post published by the company ERPScan that discovered the flaw. “The vulnerable component is included in the old SAP NetWeaver platform as well as in the new SAP HANA one, which makes it one of the most widespread and severe SAP server-side issues so far with CVSS score 9.4 out of 10. The vulnerability was identified by specialists at ERPScan,” “If exploited, the vulnerability would allow a remote attacker to get full control over the server without authorization.”
SAP was affected by a critical code injection vulnerability (SAP Security Note 2419592) that he company addressed with the 2015 patch, unfortunately the problem was not completely solved.
Mathieu Geli from ERPScan discovered that the TREXNet communication protocol implemented in the SAP TREX search engine did not implement an authentication mechanism.
“Originally, the vulnerability was discovered in SAP HANA in 2015 and the corresponding SAP Security Note (2234226) was released in December 2015. The issue was dubbed a potential technical information disclosure and fixed by removing some critical functions.” continues the post. “Later on, Mathieu Geli from ERPScan conducted a further research and revealed that the vulnerability was still exploitable. He found out that TREXNet, an internal communication protocol used by TREX, did not provide an authentication procedure. “
The expert made a reverse engineering of a protocol for HANA and then for the SAP TREX search engine. Both share a common protocol, for this reason the exploit could be easily adapted. He highlighted that SAP fixed just some features related to the core protocol.
“I reversed a protocol for HANA and then for the TREX search engine. As they share a common protocol, the exploit has been easily adapted. SAP fixed some features, but not everything affecting the core protocol. It was still possible to get full control on the server even with a patched TREX.” explained the expert.
The vulnerability, tracked as CVE-2017-7691, could be exploited by an attacker to read or create operating system files by sending a crafted request to TREXNet ports.
The flaw was fized along with other bugs in SAP’s April security release.
(Security Affairs – SAP TREX search engine, hacking)