Onapsis Discovers and Helps Mitigate New Critical Cyber Security Vulnerabilities Affecting All SAP HANA-Based Applications, Including SAP S/4HANA and SAP Cloud Solutions
By Business Wire News
Onapsis™, the global experts in SAP and Oracle business-critical application security, today released 21 new security advisories detailing an unprecedented number of vulnerabilities affecting all SAP HANA-based applications, including SAP S/4HANA and SAP Cloud solutions running on HANA. Highlighted in the security advisories from Onapsis Research Labs™ are eight “critical risk” vulnerabilities, six of them comprising by-design vulnerabilities in SAP HANA which require system configuration changes in order to be mitigated. Without these changes, unauthenticated attackers could take full control of vulnerable SAP HANA systems, including stealing, deleting or changing business information, as well as taking the platform offline to disrupt key business processes. This is the first time that advisories with the highest level of criticality, combined with the largest number of vulnerabilities, have been issued for SAP HANA.
These vulnerabilities pose a potential risk to over 10,000 SAP customers running different versions of SAP HANA, including many Forbes Global 2000 companies across all industries such as oil and gas, pharmaceuticals, government and other key sectors. Experts have estimated that an SAP breach and outage could cost certain organizations up to $22 million per minute, including disruption of manufacturing and distribution of core products as well as loss of IP and data. Exploitation of SAP HANA vulnerabilities could significantly impact the global economy as it presents avenues of attacks for nation-states, economic espionage, financial fraud or sabotage of key business systems.
“The next big wave of attacks is aimed at business-critical applications running on SAP and Oracle as they are the ultimate economic targets for cyber crime. They are also currently the biggest blind spot for many Chief Information Security Officers (CISOs). SAP-related breaches are increasingly in the spotlight as witnessed in the first widely and publicly reported breach involving USIS, a supplier of OPM and DHS,” said Mariano Nunez, CEO, Onapsis. “Onapsis is a dedicated SAP partner and is committed to working closely with SAP and its customers to help safeguard their crown jewels and reduce business risks affecting their organizations. Thanks to our cutting-edge research, SAP released security patches and guidelines so that customers can now be protected. We are potentially helping avoid a large-scale breach that could have major consequences for SAP customers and are allowing them to continue to realize the value of their SAP HANA investment.”
Onapsis customers who leverage the Onapsis Security Platform’s Advanced Threat Protection service have had protection against these threats since the vulnerabilities were discovered, helping them protect against zero-day SAP exploits and leverage the solution to deploy compensating controls for these hard-to-fix vulnerabilities.
The new HANA security advisories issued by Onapsis Research Labs include eight critical vulnerabilities, six high-risk vulnerabilities and seven medium-risk vulnerabilities. Many of the critical vulnerabilities are related to the core HANA TrexNet interfaces that orchestrate inter-server communication in high availability scenarios to support large-scale businesses. Because HANA is also becoming the underlying technology for all SAP applications, including SAP S/4HANA, and the SAP HANA Cloud Platform, and because it supports a vast third-party mobile application ecosystem, the attack surface expands exponentially with varying business impact.
SAP security experts within the Onapsis Research Labs have worked with hundreds of Global 2000 organizations to quantify the impact of these and other high-impact vulnerabilities through a capability called Business Risk Illustration (BRI). This service efficiently analyzes threats on the availability, integrity and confidentiality of SAP business data and processes.
“It is imperative that the industry starts getting serious about SAP cybersecurity. This set of critical vulnerabilities is one of the most profound that we’ve reported in terms of damage that an unauthenticated attacker could cause an organization. If exploited, any business information stored or managed by an SAP HANA-based system could be extracted, tampered and deleted, including customer data, product pricing, financial statements, employee information, supply chain, business intelligence, intellectual property, budgeting, planning and forecasting. Furthermore, the system could be completely shut down by an attacker,” said Juan Perez-Etchegoyen, CTO, Onapsis.
Top Recommendations for CISOs
Some of these vulnerabilities cannot be fixed by applying patches and the affected HANA TrexNet service cannot be shut down. A proper reconfiguration of the system is the only fix and must be implemented correctly. In addition to reviewing the SAP security notes issued, Onapsis Research Labs recommends SAP clients remedy these issues by completing the following steps:
- Step 1. Correctly configure the TrexNet communications. If running in a high-availability environment, these communications are critical for SAP HANA to work. Make sure that the network where this communication takes place is isolated from end users and not accessible through any other network. Also make sure that proper transport-level encryption and authentication is implemented. If only one SAP HANA instance is deployed, make sure all the TrexNet interfaces are listening on the localhost network interface only.
- Step 2. Monitor user activity. Some of the critical vulnerabilities could be exploited by legitimate users and attackers trying to connect to the vulnerable components (SQL and HTTP). Monitor HTTP traffic by looking for suspicious activity. Also analyze both the HTTP and SQL logs by looking for suspicious inputs.
- Step 3: Ensure detection and response measures are in place. Expand SAP into your information security strategy to include continuous monitoring of SAP and SAP HANA systems and to deliver real-time preventative, detective and corrective information to existing SIEM or GRC tools.
The remaining critical vulnerabilities, which are not related to the TrexNet protocol, should be patched according to the SAP Security Notes. SAP has issued the following security notes related to the described vulnerabilities: 2165583, 2148854, 2175928, 2197397 and 2197428. Onapsis encourages SAP customers to review and apply them as soon as possible.
About Onapsis Research Labs™
SAP and Oracle Security Threat Intelligence is produced by Onapsis Research Labs, a team of leading security experts who combine in-depth knowledge and experience to deliver technical analysis with business context, and provide sound security judgment to the market. The team works closely with SAP and Oracle product security teams to responsibly deliver the information to customers and has released over 250 advisories to date, with over 35 affecting SAP HANA; has consulted on impact with over 180 Onapsis enterprise customers; and regularly presents at leading security and SAP conferences around the world. Onapsis was the first to deliver “SAP Security In Depth” publications that provide detailed analysis on security risks impacting SAP and SAP HANA. The latest SAP Security In-Depth, Volume XII:SAP HANA System Security Review Part 1, is now available for download: https://www.onapsis.com/research/publications/volume-xii-sap-hana-system-security-review-part-1.
Details of each advisory can be found on the Onapsis Security Blog, which includes reference to the SAP Security Notes, CVSS Scores, business-context relevance of identified vulnerabilities, a description of the affected components and steps to resolution.
- Onapsis Security Blog: https://www.onapsis.com/blog
- The advisories are publicly available at: http://www.onapsis.com/research/advisories
- Onapsis Research Labs will be delivering a webcast on Nov. 12th at 9am ET and 2pm ET to outline the risks, detail the vulnerabilities and provide insight into the recommended actions to safeguard SAP systems: https://www.onapsis.com/news-and-events/webcasts/A-Deep-Dive-Into-SAP-HANA
Onapsis provides the most comprehensive solutions for securing SAP and Oracle business-critical applications. As the leading experts in SAP and Oracle cybersecurity, Onapsis enables security and audit teams to have visibility, confidence and control of advanced threats, cyber risks and compliance gaps affecting their enterprise applications.
Headquartered in Boston, Onapsis serves over 180 Global 2000 customers, including 10 top retailers, 20 top energy firms and 20 top manufacturers. Onapsis’ solutions are also the de-facto standard for leading consulting and audit firms such as Accenture, IBM, Deloitte, E&Y, KPMG and PwC.
Onapsis solutions include the Onapsis Security Platform (OSP), which is the most widely used SAP-certified cybersecurity solution in the market. Unlike generic security products, Onapsis’ context-aware solutions deliver preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs.
These solutions are powered by the Onapsis Research Labs, which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts of the Onapsis Research Labs were the first to lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of security vulnerabilities to date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms.
Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.