Sensitive Info Disclosure Hole in NetWeaver

Monday, June 2, 2014 @ 12:06 PM gHale


There is a vulnerability in SAP NetWeaver that could allow attackers to gain access to Central User Administration tables, researchers said.

Details on the vulnerability (CVE-2014-3787) in the service-oriented and integration platform were withheld by Russian security firm PT Security, which conducts regular tests on SAP software.


The Central User Administration feature streamlines management of multiple user accounts spread across different clients. SAP was among the most popular business applications, used by three quarters of Forbes 500 companies.

Dmitry Gutsko said the sensitive information disclosure vulnerability affected NetWeaver versions 7.20 and earlier.

“By successfully exploiting the vulnerability, an attacker can read any tables from SAP Central User Administration via accessing the affiliated system, which may lead to disclosure of user data stored in all CUA systems,” Gutsko said in a disclosure.

Users, the researchers said, should apply the latest NetWeaver security patches to fix the flaw.

Last year ERP Scan founder Alexander Polyakov found hundreds of organizations ran vulnerable and old versions of SAP and exposed deployments to the Internet.

Polyakov found customers ran versions of NetWeaver J2EE that contained critical holes that allowed attackers to execute commands without authentication.

And in January this year the security company reported a critical XML External Entity (XXE) vulnerability within SAP NetWeaver’s GRMGApp which was open to unauthorized access.
