As reported by Kaspersky Lab’s blog Threatpost, an incredibly dangerous vulnerability affecting SAP HANA has been patched. SAP HANA is described by SAP as “an in-memory data platform that is deployable as an on-premise appliance, or in the cloud” for real-time analytics. The patch was announced for HANA on March 14 and is advised to be implemented as quickly as possible.
The vulnerability in question was discovered by researchers at Onapsis. Their threat report details it as affecting the “User Self Service (USS)” component of SAP HANA. The seriousness of the vulnerability, tracked as ATP-SAP-2017-03-14, earned an astronomical CVSS score of 9.8. The reason for such a high score is that ATP-SAP-2017-03-14 allows remote access to sensitive data without a username or password.
The vulnerability also allows attackers to escalate privileges to the highest-level user. As Onapsis states, this would let an attacker perform “any action over business information and processes supported by HANA, including creating, stealing, altering and/or deleting sensitive information.” The vulnerable component is reachable over both HTTP and HTTPS, which only adds to the likelihood of attack.
With all of this in mind, Onapsis listed the vulnerable SAP HANA versions as: SAP HANA SPS09 (1.00.91.14118659308), SAP HANA SPS10 (1.00.101.00.1435831848), SAP HANA SPS11 (1.00.110.144775), SAP HANA SPS12 (newDB rel 1.00.121.00.1466466057) and above, and SAP HANA 2 SPS0 (newDB rel 2.00.000.00.1479874437). If you are running any of these, the researchers state that two options are available should your organization be unwilling to patch.
The first is disabling the USS by leveraging “the XS Admin tool to deactivate the User Self Service component.” This removes any possibility of triggering the vulnerability, from any source. The second method Onapsis recommends, if your company does not want to disable USS, is implementing “a protection at a network filtering device and only allow access from trusted networks.”
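As an added illustration of the second option (network filtering), not taken from Onapsis or SAP, the following nftables ruleset restricts the ports that serve the HANA XS engine, and therefore the USS component, to an allowlist of trusted networks. It assumes a HANA instance number of 00, so XS classic listens on TCP 8000 (HTTP) and 4300 (HTTPS); for another instance number nn the ports are 80nn and 43nn. The address ranges in the `trusted_nets` set are constructed placeholders.

```nftables
# Added example, not part of the original report or SAP's documentation.
# Assumes HANA instance 00: XS engine on TCP 8000 (HTTP) and 4300 (HTTPS).
table inet hana_xs {
    set trusted_nets {
        type ipv4_addr
        flags interval
        # Constructed placeholder ranges; replace with your trusted networks.
        elements = { 10.10.0.0/16, 192.168.50.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Keep established sessions working.
        ct state established,related accept

        # XS engine ports: accept only from trusted networks,
        # log and drop everything else so denied attempts are visible.
        tcp dport { 8000, 4300 } ip saddr @trusted_nets accept
        tcp dport { 8000, 4300 } log prefix "hana-xs-denied: " drop
    }
}
```

Load it with `nft -f hana_xs.nft` on the HANA host or apply the equivalent rule on the upstream filtering device. The chain keeps an accept policy so that it only affects the XS ports and can be layered onto an existing ruleset; the logged drops also give the SOC a signal for unexpected access attempts. This reduces exposure but is a stopgap, not a substitute for the patch.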
Take care of this vulnerability as soon as possible.