SAP HANA platforms have been just found vulnerable, containing several high risk flaws. Upon exploitation, the vulnerabilities could allow an attacker to take full remote control over the platform, without even needing username and password. The vulnerabilities were discovered by Onapsis.
As explained by Sebastian Bortnik, Head of Research at Onapsis, “this level of access would allow an attacker to perform any action over the business information and processes supported by HANA, including creating, stealing, altering and/ or deleting sensitive information.”
The exploitation of these flaws could cause the organizations involved many severe consequences.
What HANA Components Do the Vulnerabilities Affect?
The flaws affect the SAP HANA User Self Service component which is not enabled by default. Regarding the versions of HANA, here is the exact list:
– SAP HANA SPS 12 (newDB rel 1.00.121.00.1466466057)
– SAP HANA 2 SPS0 (newDB rel 2.00.000.00.1479874437)
– SAP HANA SPS11 (1.00.110.144775). Released in November 2015
– SAP HANA SPS10 (1.00.101.00.1435831848). Released in June 2015
– SAP HANA SPS09 (1.00.91.1418659308). Released in November 2014.
More about the Self Service Tool for SAP HANA
The tool allows users to activate additional features like password change, reset of forgotten password, user self-registration. There are few vulnerabilities found in the component, and they have been tagged with CVSS v3 Base Score of 9.80, Onapsis researchers explain.
If exploited successfully, the vulnerabilities could allow an attacker to impersonate other users, even high privileged ones. As mentioned in the beginning, the platform could be compromised remotely without the need of login credentials.
The researchers discovered the flaws on the latest SAP HANA 2 platform but later realized that some older versions were also vulnerable. Their findings let to the troublesome conclusion that the flaws had been present in the platform for approximately two and a half years. This is when the User Self Service component was first introduced. Unfortunately, this long period of time suggests that the vulnerabilities have already been discovered by malicious attackers to compromise organizations running SAP systems.
Regarding how organizations should deal with these vulnerabilities, Sebastian Bortnik said:
We hope organizations will use this threat intelligence to assess their systems and confirm that they are not currently using this component, and therefore are not affected by these risks. Even if the service is not enabled, we still recommend that these organizations apply the patches in case a change is made to the system in the future.