Palo Alto, CA - December 23, 2013 ERPScan reports multiple vulnerabilities in SAP EMR Unwired, a mobile SAP solution for medical facilities. This is the first time that vulnerabilities in mobile SAP applications have been discovered by external researchers. The vulnerabilities were found in two mobile applications by Dmitry Evdokimov, the Director of ERPScan Research Group. Among them were unauthorized access, hardcoded password for key store, and information disclosure.
ERPScan notified SAP Product Security Response Team about the discovered issues in April 2013. They are closed by SAP Security Note 1864518, which is highly recommended to be installed as soon as possible. Based on our partnership agreement with SAP, we decided to not disclose this information before the vulnerabilities were resolved.
"As always, SAP AG is responsibly concerned for the security of their products, including pre-release ones. In accordance with global best practices of business application security, SAP AG works closely with independent security researchers and, following the progressive SDLC methodology, strives to resolve possible vulnerabilities in its products as soon as possible," – comments Dmitry Chastukhin, the SAP Pentesting Director of ERPScan.
Checks for the described issues are already available in ERPScan Security Monitoring Suite.