Security

This article is more than 1 year old

SAP fixes gaping authentication bypass flaw after 3 YEARS

ERPScan reveals wide open door for miscreants

Wed 12 Oct 2016 // 13:38 UTC

A critical SAP vulnerability stayed unpatched for three years prior to its resolution this week, according to application security specialists.

SAP monthly security updates issued on Tuesday addressed a total of 48 vulnerabilities, among them an authentication bypass vulnerability in a service called P4.

The service provides a remote control of SAP’s JAVA platform, for example, all SAP Portal systems. The authentication bypass vulnerability in P4 created a possible mechanism for hackers to read sensitive information.

SAP first tried to fix the flaw three years ago but the patch was flawed, leaving numerous systems vulnerable, according to ERPScan.

“This issue was first reported and patched in 2012,” Alexander Polyakov, CTO and co-founder of ERPScan, told El Reg. “However, during one of our penetration tests, the ERPScan team found out that the issue still affected almost all new versions of the service. For example, the service pack 0.9 for the version 7.2 which is vulnerable, was released in 2013.”

The vulnerable P4 service is usually exposed to the internet, a factor that makes potential exploitation easier. “Scanning conducted by our researchers revealed that there are at least 256 vulnerable services accessible online,” Polyakov reported.

SAP recent patching history offers a precedent for delayed resolution of security problems. For example, the enterprise software firm only resolved a not-especially-serious information disclosure flaw in July – again, three years after it first cropped up. There’s no evidence that any customers experienced a problem as a result of the delay.

El Reg invited SAP to comment on ERPScan’s implied criticism of its delay in delivering a proper fix for the authentication bypass flaw.

The software firm said: “SAP Product Security Response Team collaborates frequently with research companies like ERPScan to ensure a responsible disclosure of vulnerabilities. Security patches are available for download on the SAP Service Marketplace.

"We strongly advise our customers to secure their SAP landscape by applying the available security patches from the SAP Service Marketplace immediately.”

More details of SAP’s October 2016 patch batch – alongside further comment on the tardy resolution of the P4 authentication bypass vulnerability – can be found in a blog post by ERPScan here. ®

Topics

Special Features

Vendor Voice

Resources

Security

SAP fixes gaping authentication bypass flaw after 3 YEARS

ERPScan reveals wide open door for miscreants

More about

More about

Narrower topics

Broader topics

More about

More about

More about

Narrower topics

Broader topics

TIP US OFF

Other stories you might like

Delinea Secret Server customers should apply latest patches

SAP transformation program a 'euphemism' for job cuts, claims European Works Council

UK county council misses deadline for £7.3M RISE with SAP system launch

Industrial systems integrating digitalisation

North American S/4HANA migrations ramping among SAP users

CISA in a flap as Chirp smart door locks can be trivially unlocked remotely

Exploit code for Palo Alto Networks zero-day now public

JetBrains keeps mum on 26 'security problems' fixed after Rapid7 spat

Rust rustles up fix for 10/10 critical command injection bug on Windows in std lib

Got an unpatched LG 'smart' television? It could be watching you back

Ivanti commits to secure-by-design overhaul after vulnerability nightmare

Hotel check-in terminal bug spews out access codes for guest rooms

About Us

Our Websites

Your Privacy