Securing your Business Critical Applications

Sometimes we choose to ignore incoming calls, only to return the call later, or at times to take them later should the caller dial again. In most cases we have valid reasons for our actions, owed either to the time the call came in, the nature of the call or even the caller; for instance, work-related calls may come in during our vacations, or non-work-related calls during work periods. Whilst ignoring these calls may cost us as little as an explanation (if it turns out to warrant one at all), ignoring your SAP security could cost you far more than you can imagine.


Our reality today:

It is no news that criminals keep developing new tools for IT exploitation. Even people without IT skills now have enough information to attack your SAP systems, simply by making use of Google search and/or services like SHODAN to find exposed systems.


There is no doubt today that the standard security settings may not be adequate for the SAP environment your company runs, and customising those settings often comes across as “too complicated”. This of course results in system vulnerabilities remaining unnoticed, and hence it is only a matter of time before attackers exploit them to gain access to your company data. The good news is that while securing your SAP systems may appear complex, it is definitely not impossible!


Last week, precisely on the 11th of August 2015, SAP Security Patch Day saw the release of 22 security notes. Additionally, there are 4 updates to previously released Patch Day security notes. The most common vulnerability addressed was Cross Site Scripting (XSS), followed closely by information disclosure/leakage, and a range of other issues. Below is a chart showing the number of security notes against the vulnerability type for 2015 so far.

[Chart: Security Notes vs Vulnerability Type, August 2015]

In June, our partners at ERPScan disclosed a vulnerability in the SAP HANA database. HANA holds the bulk of its data in memory for maximum performance and uses persistent disk storage as a fallback in case of failure: data is automatically written from memory to disk at regular savepoints. It was this on-disk copy, protected only with a static encryption key, that was left vulnerable to an attacker.


The team also revealed that the SAP Mobile Platform had a static key encryption problem similar to SAP HANA's: application passwords were stored in encrypted form, but under a known static key, so the encryption offered no real protection to anyone who obtained that key.
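To make the static-key problem concrete, here is an added example (not code from ERPScan, SAP or this publication) contrasting the weak pattern with a hardened one. The cipher is a toy HMAC-SHA256 counter-mode keystream so that the block needs only the Python standard library (a production system would use AES-GCM from a vetted library), and the hard-coded key, the installation keys and the sample password are constructed values. The last function is the kind of check an auditor can run across two installations: if the same credential yields the same stored blob on both, a shared static key is the likely cause.

```python
import hashlib
import hmac
import secrets

# Hypothetical hard-coded key standing in for a key compiled into every copy
# of the software, i.e. the static-key pattern described above (constructed).
STATIC_KEY = b"constructed-static-key-shared-by-all-installs"


def new_install_key() -> bytes:
    """A per-installation key, generated once and held outside the data store
    (OS keyring, key management service or HSM), never shipped with the code."""
    return secrets.token_bytes(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stream cipher purely so this
    example runs with the standard library; not a replacement for AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def weak_protect(secret: bytes) -> bytes:
    """Static-key pattern: one key everywhere, no nonce, no integrity tag.
    Every installation produces the same blob for the same secret, and the
    key needed to undo the transformation ships with the software itself."""
    ks = _keystream(STATIC_KEY, b"", len(secret))
    return bytes(a ^ b for a, b in zip(secret, ks))


def hardened_protect(secret: bytes, install_key: bytes) -> bytes:
    """Per-installation key, fresh random nonce, encrypt-then-MAC.
    Stored blob layout: nonce (16) || ciphertext || tag (32)."""
    nonce = secrets.token_bytes(16)
    enc_key = hmac.new(install_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(install_key, b"mac", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def hardened_open(blob: bytes, install_key: bytes):
    """Returns the secret, or None if the tag does not verify (tampered blob
    or wrong installation key). The tag is checked before any decryption."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(install_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(install_key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def hash_password(password: bytes) -> bytes:
    """Passwords that only ever need *verifying* should not be encrypted at
    all: store a salted, memory-hard hash. Record layout: salt (16) || hash."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1)


def verify_password(password: bytes, record: bytes) -> bool:
    salt, digest = record[:16], record[16:]
    candidate = hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(digest, candidate)


def looks_static_keyed(blob_from_install_a: bytes, blob_from_install_b: bytes) -> bool:
    """Audit heuristic: the same credential stored on two independent
    installations should never produce identical blobs. Equality is a strong
    signal of a shared static key with no per-record randomisation."""
    return blob_from_install_a == blob_from_install_b


if __name__ == "__main__":
    pw = b"hunter2"  # constructed sample credential
    print("static key, two installs identical:", looks_static_keyed(weak_protect(pw), weak_protect(pw)))
    ka, kb = new_install_key(), new_install_key()
    print("per-install keys, two installs identical:",
          looks_static_keyed(hardened_protect(pw, ka), hardened_protect(pw, kb)))
    print("verify-only hash works:", verify_password(pw, hash_password(pw)))
```

The design point is that an encryption key which every installation shares is not a key at all but a fixed, reversible encoding; the only way to protect stored credentials is a key the software does not carry, an integrity tag so tampered records are rejected, and, where the credential is never needed in the clear, a salted hash instead of encryption.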


The other critical vulnerabilities addressed in the August updates include:

  • 2037304: SAP ST-P has a Remote Command Execution vulnerability (CVSS Base Score: 8.5), allowing an attacker to execute operating system commands on the affected host remotely.
  • 2169391: SAP NetWeaver AFP Servlet has a Reflected File Download vulnerability (CVSS Base Score: 7.5), through which attackers can gain complete control over a targeted system.
  • 2175928: SAP HANA has a Running Process Remote Termination vulnerability (CVSS Base Score: 6.8), which an attacker can use to terminate the process of a vulnerable component.
  • 2165583: SAP HANA has an incorrect system configuration vulnerability (CVSS Base Score: 6.6): SAP HANA internal services could be accessed without authentication if the HANA system is insecurely configured and no other security measures are in place.


The chart above shows a pictorial view of security notes vs. priority distribution between March and August 2015.


From the information above, it is only obvious: ignoring or answering your SAP security could HARM or ARM you.


DeltaGRiC Consulting helps African businesses running business-critical applications like SAP and Oracle to analyse weaknesses in their SAP environment using the ERPScan Monitoring Suite. Our consultants look at the systems from within and scan them for security issues. The findings of this audit are then presented in a detailed report, including hands-on recommendations. The report can be used either as a working method to improve SAP security, or as a means to verify your existing security baseline.


Kindly note that this publication contains references to the products of SAP SE. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP SE in Germany and in several other countries all over the world. SAP SE may not be held responsible for the proper use or misuse of the contents.


Wouldn’t you rather speak with us today?!

© 2015 - 2018 DeltaGRiC Consulting | Your Enterprise Application Security Assurance!