Palo Alto, CA - March 24, 2015 - ERPScan is making an official apology to all BlackHat attendees who were looking forward to hearing our talk called "Attacking SAP Mobile". We were planning to present the newly discovered ways of attacking the SAP Mobile infrastructure. Some details about the vulnerabilities in SAP Mobile Platform, SAP Afaria, and SAP Mobile Applications were to be revealed at the conference. Our main intention was to show that some of those vulnerabilities can be exploited to gain total control over any mobile phone in the company by attacking the SAP Afaria MDM server.
Unfortunately, for some of the reported vulnerabilities the timeframe was too short to release the respective security patches. SAP has therefore asked ERPScan not to exploit any unfixed vulnerabilities, in the interest of its customers and partners and in accordance with SAP's Disclosure Guidelines for SAP Security Advisories.
Unresolved vulnerabilities can cause harm to our clients, so we have no choice but to make the decision not to present them at the BlackHat Singapore conference.
However, we would like to draw everyone's attention to the critical SAP vulnerabilities found by our researchers in SAP Mobile Platform and SAP Mobile applications that have already been published and thus can affect organizations where the relevant security patches have still not been applied.
Updates released in March 2015:
- SAP Mobile Platform – XXE
- SAP Sybase SQL Anywhere – Denial of Service
- SAP Afaria 7 XcListener – Authorization Bypass
- SAP Afaria 7 XcListener – Buffer Overflow
Updates released in February 2015:
Also, see the following article to find out more about the risks that can affect your organization.