SAP CRM users warned over security flaws in SAP NetWeaver AS Java

500 SAP CRM systems still online, unpatched and vulnerable

Enterprise software security specialist ERPScan has warned about two new security flaws in SAP CRM that could be used to compromise customer data.

And, despite SAP patching the flaws in February, ERPScan warned that there are still around 500 servers connected to the internet that haven't been patched yet, and which could be vulnerable to cyber attack.

The two security issues were rated at 6.3 and 7.7 respectively on the CVSS v3 base score.

"These systems compile data from a range of different communication channels and allow businesses to store customer data that can be utilized to build meaningful customer relationships, find new customers, and grow revenues," claimed ERPScan in an advisory.

It continued: "That's why, unfortunately, they are prone to security risks and extremely tantalizing for hackers who are looking to net personal information.

"SAP released approximately 396 SAP Security Notes for different SAP CRM vulnerabilities. The security drawbacks in SAP CRM invite security concerns. While they are not given due attention, attackers can catch the chance to sneak into systems and exfiltrate corporate data."

The bugs were found by ERPScan security researchers in February 2016 and reported to SAP. According to ERPScan, SAP initially failed to grasp the significance of the report after it "failed to exploit the vulnerability" in its own testing; the flaw was nevertheless exploited 18 months later by an attacker based in China.

"ERPScan researchers identified two severe vulnerabilities in SAP NetWeaver AS Java," the advisory continued.

"The first security loophole is a Directory traversal vulnerability in the Redwood component. It allows reading any file from the system; for example, the files named 'SecStore' contain critical information like the administrator password and database credentials in an encrypted form. With the help of this vulnerability, a hacker may read those encrypted credentials remotely, decrypt them, and read any file in the system without authentication.

"The second Directory traversal vulnerability in SAP CRM (CVE-2018-2380, SAP Security Note 2547431, CVSS 6.6) enables creating a file in the system and recording anything you want there. An attacker can create a malicious file containing a web-shell and execute it on the server side."
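Both flaws in the quoted advisory are directory traversal, one for reading and one for writing. The Python below is an added illustration of that vulnerability class in general; it is not ERPScan's or SAP's code and says nothing about how the Redwood or CRM components are implemented. It shows a naive path join that escapes its base directory, a hardened resolver that canonicalises the path and checks containment before any read or write, and a small detector that flags traversal sequences (including URL-encoded and double-encoded ones) in access-log lines. The directory layout, file names and log lines are all constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote


def build_sandbox():
    """Construct a throwaway layout: a 'public' directory the application may
    serve from, and a credential file one level above it (a stand-in for the
    kind of secure store the advisory mentions; contents are a placeholder)."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.makedirs(public)
    with open(os.path.join(public, "readme.txt"), "w") as f:
        f.write("public content")
    with open(os.path.join(root, "secret.properties"), "w") as f:
        f.write("db.password=example-placeholder")
    return root, public


def read_file_vulnerable(base, requested):
    """Naive join: a requested name containing '../' walks out of `base`."""
    with open(os.path.join(base, requested)) as f:
        return f.read()


def safe_path(base, requested):
    """Resolve `requested` under `base` and return the real path, or None if
    the resolved path is not contained in `base` (traversal or symlink escape)."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target


def read_file_hardened(base, requested):
    target = safe_path(base, requested)
    if target is None:
        raise PermissionError("requested path escapes the base directory")
    with open(target) as f:
        return f.read()


# Hypothetical allow-list: the write path refuses anything the server might
# execute, so even a contained write cannot drop a script.
ALLOWED_WRITE_EXTENSIONS = {".txt", ".csv", ".log"}


def write_file_hardened(base, requested, data):
    target = safe_path(base, requested)
    if target is None:
        raise PermissionError("requested path escapes the base directory")
    if os.path.splitext(target)[1].lower() not in ALLOWED_WRITE_EXTENSIONS:
        raise PermissionError("file type not permitted for upload")
    with open(target, "w") as f:
        f.write(data)
    return target


def looks_like_traversal(url_path):
    """Decode repeatedly (bounded) so double-encoded '%252e%252e' is caught,
    normalise backslashes, then look for a parent-directory step. Overlong
    UTF-8 encodings are out of scope for this simple check."""
    decoded = url_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    norm = decoded.replace("\\", "/")
    return "../" in norm or norm.endswith("/..")


# Constructed access-log lines in common log format (no real hosts or paths).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2018:10:00:01 +0000] "GET /app/download?file=readme.txt HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Mar/2018:10:00:02 +0000] "GET /app/download?file=..%2F..%2Fsecret.properties HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Mar/2018:10:00:03 +0000] "GET /app/download?file=%252e%252e%2Fsecret.properties HTTP/1.1" 404 0',
]


def flag_traversal_requests(lines):
    """Return the request targets from `lines` that contain a traversal step."""
    flagged = []
    for line in lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        fields = parts[1].split()  # e.g. ['GET', '/app/...', 'HTTP/1.1']
        if len(fields) >= 2 and looks_like_traversal(fields[1]):
            flagged.append(fields[1])
    return flagged


if __name__ == "__main__":
    root, public = build_sandbox()
    print("vulnerable read:", read_file_vulnerable(public, "../secret.properties"))
    print("hardened read of readme:", read_file_hardened(public, "readme.txt"))
    print("hardened read of ../secret:", safe_path(public, "../secret.properties"))
    print("flagged requests:", flag_traversal_requests(SAMPLE_LOG))
```

The containment check uses `os.path.realpath` on both sides so that symlinks inside the served directory are resolved before comparison; checking only for the literal string `..` is not sufficient, since encoded or normalised variants reach the filesystem layer looking clean. The log check is a coarse triage signal for an unpatched system rather than a substitute for the vendor patch.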

SAP finally issued patches in February to mitigate the risks, but ERPScan believes that there are still around 500 servers, connected to the internet, that haven't been patched yet.