The bring your own device (BYOD) trend is changing the way IT is managed, delivered and, most importantly, secured. BYOD lets a company's employees work on the devices they prefer, so modern organizations and enterprises either supply their employees with multi-function mobile devices or allow staff to bring their own handhelds of various types. BYOD is sometimes broken down into more specific concepts such as bring your own computer (BYOC), bring your own laptop (BYOL), bring your own apps (BYOA) and bring your own PC (BYOPC).
Today we will talk about SAP Afaria security. We will show how SAP Afaria, an MDM solution from a world-famous software vendor, works and how cybercriminals can attack it in different ways, including through a stored XSS vulnerability.
In a nutshell, MDM is a set of services that help the administrator of a large company control employees' mobile devices (smartphones, tablets, phablets and so on) and thereby enforce security measures for the corporate data stored and processed on those devices. A special application, the MDM client, is installed on each device and lets administrators push settings to it.
Critical vulnerability in SAP Afaria MDM can put millions of mobile users at risk of losing access to corporate data
Palo Alto, CA – August 19, 2015. An advisory describing a critical buffer overflow vulnerability in the SAP Afaria MDM server, which can cut off access to corporate systems for millions of mobile users, was published today on ERPScan's website.
ERPScan, a Business Application Security company providing solutions to assess and secure SAP and Oracle ERP systems, today published details of the vulnerability in the SAP Afaria MDM solution. This vulnerability, along with other critical issues in SAP Afaria, was scheduled to be presented at the Black Hat APAC security conference in March, but ERPScan withdrew the presentation in line with responsible disclosure rules.
SAP has released its monthly critical patch update for May 2015. This update closes a number of vulnerabilities in SAP products, some of them in the SAP HANA security area. This month, three critical vulnerabilities found by ERPScan researchers Dmitry Chastukhin and Vahagn Vardanyan were closed.
ERPScan warns SAP clients about a serious Microsoft vulnerability affecting Afaria and other products
As part of its monthly updates, Microsoft released security update MS15-034, which closes a vulnerability in the HTTP.sys kernel-mode driver. The vulnerability lets a remote attacker execute arbitrary code on the operating system.
The update is rated critical because almost every modern Microsoft operating system (Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2) is vulnerable.
We consider it necessary to report vulnerabilities of this kind because some SAP products rely on the IIS web server, which is served by HTTP.sys, and are therefore also exposed to this issue.
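The practical question for an SAP administrator is whether a given Windows host that fronts Afaria or another IIS-based SAP component is still exposed. The script below is an added example for this post, not ERPScan's or Microsoft's code: it combines the three conditions that matter (the OS is in the affected list quoted above, IIS is installed so HTTP.sys is reachable from the network, and the fix is absent). The hotfix identifier KB3042553 is our assumption about which update shipped for MS15-034; verify it against the bulletin before relying on the result. The `-ComputerName` parameters of `Get-Service` and `Get-HotFix` are Windows PowerShell 5.1 features; on PowerShell 7 run the function locally on each host instead.

```powershell
# Added example (not from the original post): triage whether a Windows host that
# fronts an SAP product with IIS is still exposed to MS15-034.
# Assumption: KB3042553 is the hotfix Microsoft shipped for MS15-034.
# Verify against the bulletin before trusting the Patched field.
$Ms15034Hotfix = 'KB3042553'

# Windows major.minor versions the post lists as affected.
$AffectedOsVersions = @(
    '6.1',   # Windows 7 / Windows Server 2008 R2
    '6.2',   # Windows 8 / Windows Server 2012
    '6.3'    # Windows 8.1 / Windows Server 2012 R2
)

function Test-Ms15034Exposure {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    # Win32_OperatingSystem.Version looks like "6.3.9600"; keep major.minor only.
    $majorMinor = ($os.Version -split '\.')[0..1] -join '.'
    $osAffected = $AffectedOsVersions -contains $majorMinor

    # HTTP.sys is reachable from the network when IIS (W3SVC) is installed;
    # that is what turns a kernel driver bug into a remote exposure.
    $iis = Get-Service -ComputerName $ComputerName -Name W3SVC -ErrorAction SilentlyContinue
    $iisPresent = $null -ne $iis

    # Get-HotFix returns nothing (and writes an error) when the update is absent.
    $fix = Get-HotFix -Id $Ms15034Hotfix -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $patched = $null -ne $fix

    [pscustomobject]@{
        ComputerName = $ComputerName
        OsCaption    = $os.Caption
        OsAffected   = $osAffected
        IisPresent   = $iisPresent
        Patched      = $patched
        # Exposed only if the OS is affected, IIS is installed and the fix is missing.
        Exposed      = ($osAffected -and $iisPresent -and -not $patched)
    }
}

# Run against the local host, or pipe a list of SAP Afaria / SMP front ends:
#   'afaria01','smp01' | ForEach-Object { Test-Ms15034Exposure -ComputerName $_ }
Test-Ms15034Exposure | Format-List
```

A host that reports `OsAffected = True` and `IisPresent = False` still runs a vulnerable driver; it is simply not reachable through IIS, and any other product that registers URLs with HTTP.sys (for example a service built on HTTP.sys without IIS) would re-open the exposure, so treat the patch, not the absence of W3SVC, as the fix.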
Mobile devices are actively being integrated into business processes. Companies run more and more business applications on mobile devices, and employees increasingly bring their own equipment to the workplace (the BYOD policy, Bring Your Own Device) and gain access to critical corporate information.
SAP Mobile Platform (SMP, formerly Sybase Unwired Platform, or SUP) is an MEAP (Mobile Enterprise Application Platform) solution. SMP is used to monitor and control applications that are installed on mobile devices and have access to business data; its main goal is to deliver business data to mobile devices securely. The platform lets users work with data from SAP business applications through mobile apps, both online and offline, on all modern mobile devices: Android, BlackBerry, iPhone/iPad and Windows/Windows Mobile. The installed client applications connect to SMP and can be found on Google Play, the Apple App Store or the Windows Store.