Millions of SAP users exposed to ransomware due to GUI vulnerability

Security flaws in SAP client software demonstrated by researchers at ERPScan

A serious vulnerability in the SAP client GUI could expose millions of end-users of the popular enterprise resource planning (ERP) software to ransomware attacks - and worse.

That is the warning of Vahagn Vardanyan, a senior security researcher at ERP software security specialists ERPScan, who demonstrated the flaw for the first time today at the company's Troopers security conference in Heidelberg, Germany.

The company described the flaw as "the most dangerous SAP issue since 2011". It was fixed in a slew of patches issued by SAP last week, but ERPScan has held off on providing more details about the flaw until now in order to give organisations time to apply the patch.

The vulnerability enables attackers to "make all endpoints with compromised SAP GUI clients automatically install malware that locks their computers when an SAP user logs in to the system. The next time the user tries to log in to the SAP GUI application, the malicious software will run and prevent him or her from logging in to the SAP server", the company explained.

Vardanyan said: "There are two factors that worsen the situation. First, in this case, the patching process is especially laborious and time consuming, as the vulnerability affects the client side, so an SAP administrator has to apply the patch on every endpoint with the SAP GUI in a company. A typical enterprise has thousands of them."

Furthermore, he added, each client can have its own unique payment address, which would hamper the payment process if the organisation were to deal with the problem by paying up.

In a research paper published today, the company claimed that exploiting the vulnerability shouldn't be too difficult for anyone with a working technical knowledge of SAP.

"[The] hacker attacks the SAP NetWeaver ABAP server by exploiting one of over 3,800 vulnerabilities identified in SAP. Taking into account that some vulnerabilities stay unpatched for more than six years, it's not a big deal.

"Then, the attacker develops a simple SAP transaction that executes a command on SAP GUI and puts this transaction into autoload so that it will be executed automatically," according to the company's research.

Hence, when the end-user logs on to their SAP terminal, the payload is pushed to their PC and activated when they next log in.