Palo Alto, CA – April 12, 2017 – SAP, the largest enterprise software maker, has closed a critical vulnerability affecting SAP’s search engine TREX. The issue remained exposed for almost 2 years. The vulnerable component is included in the older SAP NetWeaver platform as well as in the newer SAP HANA platform, which makes it one of the most widespread and severe SAP server-side issues so far, with a CVSS score of 9.4 out of 10. The vulnerability was identified by specialists at ERPScan, a leading provider of cybersecurity solutions for ERP systems. If exploited, the vulnerability would allow a remote attacker to gain full control of the server without authorization.
The vulnerability (SAP Security Note 2419592) affects TREX, an SAP NetWeaver standalone search engine that is deployed in over a dozen SAP products, including SAP HANA. The identified security issue allows an attacker to anonymously perform sensitive operations that can be chained together to execute a command on the server remotely.
The vulnerability was originally discovered in SAP HANA in 2015, and the corresponding SAP Security Note (2234226) was released in December 2015. The issue was classified as a potential technical information disclosure and fixed by removing some critical functions. Later, Mathieu Geli from ERPScan conducted further research and found that the vulnerability was still exploitable: TREXNet, the internal communication protocol used by TREX, did not provide any authentication procedure. Because the advisory with all technical details was publicly available on the web, this opened the door to attacks on numerous SAP applications via the insecure protocol.
“I reversed a protocol for HANA and then for the TREX search engine. As they share a common protocol, the exploit was easily adapted. SAP fixed some features, but not everything affecting the core protocol. It was still possible to get full control of the server even with a patched TREX.”
– commented Mathieu Geli, Head of SAP Threat Intelligence at ERPScan.
The vulnerability (CVE-2017-7691) allows an attacker to forge a special request to the TREXNet ports in order to read or create files on the operating system. The patch was released on the scheduled SAP Security Day in April 2017; the vendor rated the issue at CVSS 9.4. In line with the rules of responsible disclosure, which require a 90-day gap, the researcher cannot disclose any technical details at this time.
ERPScan is the most respected and credible Business Application Cybersecurity provider. Founded in 2010, the company operates globally and enables large Oil and Gas, Financial, Retail, and other organizations to secure their mission-critical processes. Named an ‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP Solution providers” and distinguished by 40+ other awards, ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to assist in improving the security of their solutions.
ERPScan’s primary mission is to close the gap between technical and business security, and to provide solutions for CISOs to evaluate and secure SAP and Oracle ERP systems and business-critical applications from both cyberattacks and internal fraud. Our clients are large enterprises, Fortune 2000 companies and managed service providers whose requirements are to monitor and manage the security of vast SAP and Oracle landscapes on a global scale.
We operate from two hubs, located in Palo Alto and Amsterdam, to provide threat intelligence services and agile support, and we run local offices and a partner network spanning 20+ countries.