About Juan Perez-Etchegoyen

Juan Perez-Etchegoyen is CTO at Onapsis. His research and consulting experience comprises SAP security assessments for worldwide companies in Europe, the US and Latin America. In the research field, he specializes in SAP, Oracle and JD Edwards platforms, having discovered several security vulnerabilities in them. Juan Pablo is in charge of Onapsis X1 development, being actively involved in its evolution and innovative features. He has also been invited to hold several trainings and talks on Penetration Testing, Database security and especially SAP security at security conferences such as BlackHat, OWASP AppSec, Troopers, DeepSec, Source, HITB and Ekoparty.

Prevent the next Anthem breach by protecting your data warehouses

Each year companies dedicate millions of dollars for IT and security budgets to prevent cyber security breaches. However, these budgets are only effective if part of the budget is allocated to preventing new and advanced threats, closing security gaps in your business infrastructure and monitoring the systems for intrusions and malicious activities.

We have all seen the recent headlines and publications about the Anthem breach and its unprecedented number of 80 million affected customers. According to Anthem’s own FAQ page, “Anthem is doing everything it can to ensure there is no further vulnerability to its database warehouses” [1], and despite the magnitude of the situation, there are no additional details about the products that were compromised during the breach. The Onapsis Research Labs and Incident Response Teams have seen this type of breach before, and most often we see that the database warehouses are compromised. This is not hard to do on an SAP system when organizations do not have the right security measures or controls in place, and in such cases we have had to assist organizations with massive-scale clean-up projects.

SAP provides many solutions that are widely adopted for data warehousing, the most famous being SAP BW or SAP Business Warehouse. If you are an SAP customer, you are most likely running some type of SAP BI, BO or BW.

These solutions hold a centralized database of business data, as they receive information from many different business solutions, such as the ERP, CRM, SCM, HCM and SRM, to name a few. Therefore the information stored in these databases represents a high-value asset, not only for the company, but also for potential attackers such as state-sponsored actors, competitors, former employees, criminal organizations, and more. Onapsis continuously holds presentations about vulnerabilities and mitigations for attacks affecting SAP solutions, and last year we presented on vulnerabilities and attacks affecting business warehousing solutions [2].


Latest SAP Security Vulnerabilities – Including an SAP CVSS 10

In this post, I’ll cover some of the latest vulnerabilities reported to SAP by Onapsis and published last week.

Last week we released advisories regarding several vulnerabilities affecting SAP platforms. Some of these vulnerabilities are in fact very critical, and their exploitation could lead to a full compromise of the entire SAP implementation, even by completely anonymous attackers. Following our responsible disclosure policy, SAP released the relevant SAP Security Notes (patches) for all these vulnerabilities a long time ago, so if you are an SAP customer make sure you have properly implemented them!

These are the advisories for the published vulnerabilities, along with a short description of the real business impact of exploiting each vulnerability:

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the SAP infrastructure.

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the SAP infrastructure.

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the SAP infrastructure.

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization’s users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through complex social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

By exploiting this vulnerability, an attacker would be able to perform a sabotage attack on the service used to deploy and change software components in the SAP AS Java. This would prevent legitimate developers and administrators from performing and maintaining required business and technical activities.

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization’s users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through the exploitation of vulnerabilities in their systems.

We think this is a very important set of vulnerabilities, as one of them is the first vulnerability ever ranked by SAP with a CVSSv2 score of 10! Onapsis also reported the second vulnerability ranked with a CVSSv2 10, and that advisory will be released next month.

We are going to be demonstrating some of these vulnerabilities live in our upcoming posts and presentations.
