SAP closed a vulnerability that puts millions of workstations at risk of ransomware attack

Amsterdam, Netherlands – March 22, 2017. Today at the Troopers security conference, an annual event with a special track focused on SAP security, researchers at ERPScan disclosed details of a vulnerability in the SAP GUI application that could lead to a ransomware attack. As this application is installed on every workstation within a company using SAP, millions of users may fall victim.

The identified vulnerability allows an attacker to make all endpoints with compromised SAP GUI clients automatically install malware that locks their computers when SAP users log in to the system. The next time a user tries to log in to the SAP GUI application, the malicious software will run and prevent him or her from logging on to the SAP server.

"There are two factors that worsen the situation. Firstly, in this case, the patching process is especially laborious and time-consuming, as the vulnerability affects the client side, so an SAP administrator has to apply the patch on every endpoint with SAP GUI in a company, and a typical enterprise has thousands of them. Secondly, each client can have its own unique payment address, which hampers the paying process," commented Vahagn Vardanyan, Senior Security Researcher at ERPScan.

To help SAP customers protect their critical assets against this vulnerability, ERPScan released a post with detailed information. We collected all the details of the SAP ransomware vulnerability on one page, including an FAQ, a detailed overview of the attack process, and remediation steps.

According to the latest survey from Crowd Research Partners, the damage from a cyberattack on an SAP system may cost up to $50 million.

The vulnerability was patched by the vendor a week ago (on the 14th of March). However, it may take organizations years to apply even a simple patch, and the complex patching process this vulnerability requires may take even longer.

SAP GUI is the most common application that SAP users work with to connect to the SAP server, be it the old SAP R/3, a traditional SAP ERP system or the new SAP HANA S/4. While in new systems such as SAP HANA S/4 it is possible to connect using a web browser, millions of SAP users still use SAP GUI because it is the way they are used to.

This vulnerability may be the most dangerous since 2011 (when the verb tampering attack was disclosed at BlackHat), as it affects not only every company that uses SAP but every user within such a company. It is probably the only discovered vulnerability that potentially affects every one of the almost 300000 companies that use SAP.