May-20-2016 Talk at CONFidence, Krakow “SAP, DoS, DoS, race conditions => RCE” by Dmitry Chastuhin
Every month SAP releases about two dozen so-called SAP Security Notes, each addressing one or more vulnerabilities in its solutions. The vendor rates the patches by priority: the most critical ones receive a “Hot news” or “High priority” rating, while the others are considered less dangerous. Because companies have to deal with hundreds or even thousands of SAP notes, they try to prioritize them by CVSS base score or similar metrics, without paying attention to other factors, such as other vulnerabilities that could increase the risk.
Dmitry Chastukhin, Director of security consulting at ERPScan, will explain and demonstrate how to get control over an SAP system by using a chain of minor security issues (one configuration mistake, two denial of service vulnerabilities, and a race condition).
CONFidence was created in 2005 and soon became one of the main events for hackers and IT security experts in Poland. Its technical lectures and practical workshops are a source of knowledge and an opportunity to improve skills and exchange practical experience.
Every year the conference gathers more than 500 attendees, including top IT security specialists from government, numerous industries, and universities, to discuss the latest trends in cybercrime and security.