0-day XSS vulnerability on SAP website put customers’ data at risk of theft by hackers

Palo Alto, CA – May 8, 2015 ERPScan’s Security Research and Threat Intelligence division has identified the public disclosure, on an open resource, of a highly critical 0-day vulnerability in SAP.com.

On the 4th of May 2015, security researcher v0raz reported a 0-day XSS (Cross-Site Scripting) vulnerability on sap.com to the xssposed.org website (sap.com has 4 vulnerabilities reported there by security researchers). The vulnerability remained unpatched for at least 3 days, putting sap.com users, visitors and administrators at risk of being compromised by malicious hackers.

The XSS vulnerability on the SAP website put customers’ data at risk of being stolen by hackers. Theft of information such as cookies, personal data, authentication credentials, and browser history is probably the least dangerous consequence of an XSS attack. In the worst case, an XSS attack can give an attacker full control of a website and a foothold for intruding into corporate networks and all mission-critical assets.

Customers’ security is of primary concern to us. Our Security Research and Intelligence team continuously analyzes all public resources for any data leakage related to mission-critical systems such as SAP or Oracle ERP systems and business applications. We alerted the SAP Security Response Team immediately and they are working on it. We would also like to alert all customers and strongly recommend that they, and all users of SAP websites, not open any seemingly malicious links from untrusted sources while logged into the SAP website until this vulnerability is patched.

– adds Taran Kambo, VP of Customer Success at ERPScan.

XSS attacks are becoming more and more sophisticated these days and are being used in combination with spear phishing, social engineering, and drive-by attacks.

One of the most important angles of SAP Security, apart from vulnerabilities in SAP platforms, is the security of custom programs. Companies develop custom programs on top of their systems, as SAP is more like a framework on which organizations build their own systems using different languages and platforms such as ABAP, JAVA and XSJS or the UI5 framework. These customizations mean that every SAP system in an organization is unique. Apart from major platform vulnerabilities and configuration issues (such as password policies, default users, encryption, unnecessary services, Verb Tampering vulnerabilities, RFC connections and SAP Gateway attacks) that exist in almost every SAP installation, companies may have issues in custom programs which are of the same importance as SAP platform security. Usually about 50% of an SAP implementation’s code base is actually custom programs which extend or modify SAP functionality.

Eventually one needs to be sure that all 3 layers of SAP Security (Platform Security, Custom Code Security and Segregation of Duties) are covered to provide a holistic picture.

– adds Alexander Polyakov, CTO ERPScan

These custom programs usually have vulnerabilities such as XSS, Missing Authorization Checks, and Directory Traversal (the top 3 most prevalent vulnerabilities according to our “Analysis of 3000 vulnerabilities in SAP” report, published by ERPScan 6 months ago). This top 3 list remains up to date despite slight changes. These 3 issues account for 66% of all the most frequent vulnerabilities in the source code of SAP systems.

XSS actually is the most common one, and as part of our job in helping companies to be secure, we regularly publish guidelines on how to secure SAP from different angles. ERPScan’s aim is to alert SAP and our clients to every SAP Security event and help companies to deal with them.

We were able to react swiftly to this incident, combining the existing knowledge base provided in our solutions with the efforts of our Research team. On the 6th of May, we published a guideline on how to protect SAP NetWeaver ABAP, JAVA and SAP HANA from XSS attacks by implementing the listed solutions.

– adds Alexander Polyakov, CTO, ERPScan.

The recent guideline is the ultimate 27-page report on how to secure SAP systems from all types of XSS attacks.

Along with general information about XSS vulnerabilities, this report provides comprehensive information on how to:

  • Prevent source code issues during development;
  • Minimize attack likelihood by configuring the application securely during implementation;
  • Maximize visibility by properly configuring logs to identify cyberattacks or attack attempts.

For the detailed guide, please follow this link, and follow our blog, where we will keep posting our latest research. Don’t forget to implement the latest SAP Security Notes every month. Identifying a problem is easy, but providing a working solution is often easier said than done; resolving such tough challenges is what ERPScan is all about.

About ERPScan

ERPScan is the most respected and credible Business Application Security provider. Founded in 2010, the company operates globally and enables large Oil and Gas, Financial and Retail organizations to secure their mission-critical processes. Named as an ‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP Solution providers” and distinguished by 30+ other awards, ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to assist in improving the security of their latest solutions.

We ‘follow the sun’ and operate from two hubs, located in Palo Alto and Amsterdam, to provide threat intelligence services and agile support, and we run local offices and a partner network spanning 20+ countries around the globe.