A Java application from SAP that allows downloading of software packages and support notes needs patching following the discovery of a serious security flaw.
Core Security found that an attacker who manages to get access to a user's configuration file in SAP’s Download Manager might be able to obtain the stored proxy password.
The information leak is not remotely exploitable. SAP resolved the issue with updated software earlier this week, allowing Core to go public with a low-down on the vulnerability.
Core Security Consulting Services’ Martin Gallo, who discovered the SAP vulnerability, said: “SAP system and BASIS administrators often use the SAP Download Manager program to download software packages and fixes. We found that this program stores credentials information on the local user's directories using an encryption mechanism that can be easily bypassed.”
“While recent versions of the program had stopped storing SAP's Marketplace credentials, proxy authentication information is still kept on the program's configuration file. This represents a risk on the enterprise environment where proxy authentication is integrated with other systems, for example using Active Directory's credentials, if the configuration file is compromised,” he added.
Core’s advisory - which contains proof of concept exploit code - can be found here. A SAP spokesman told El Reg that “this [flaw] was reported to us and is already fixed”.
SAP published a Security Note – number 2282338 – accessible to SAP clients (but not the public, the unwashed masses) via its Support Portal.
An updated version of SAP Download Manager can be found here. ®