Tool Opens SAP Systems to Attack

Wednesday, December 14, 2016 @ 01:12 PM gHale

There is a critical vulnerability in a PricewaterhouseCoopers (PwC) product designed for securing SAP systems, researchers said.

The remote code execution vulnerability is in PwC’s Automated Controls Evaluator (ACE) tool, said researchers at ESNC, a Germany-based company that specializes in SAP security.


The ACE product, designed to analyze SAP security settings and identify potential weaknesses, requires two ABAP (Advanced Business Application Programming) files to run on the production system.

The ACE software vulnerability can be exploited to remotely inject and execute malicious ABAP code on the targeted SAP system, according to an advisory published by ESNC.

“Based on the business processes implemented on the SAP systems on which ACE is installed, this security vulnerability may allow an attacker to e.g. manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions,” researchers said in the advisory. “This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money.”

An attack can be launched from the local network and possibly even from the Internet.

ESNC reproduced the vulnerability, tracked as CVE-2016-9832, on ACE 8.10.304.

PwC fixed the issue in the latest version of the tool.
