Several high-risk 0-day vulnerabilities affecting SAP HANA found

Onapsis discovered several high-risk vulnerabilities affecting SAP HANA platforms. If exploited, these vulnerabilities would allow an attacker, whether inside or outside the organization, to take full control of the SAP HANA platform remotely, without needing a username and password.

“This level of access would allow an attacker to perform any action over the business information and processes supported by HANA, including creating, stealing, altering, and/or deleting sensitive information. If these vulnerabilities are exploited, organizations may face severe business consequences,” said Sebastian Bortnik, Head of Research, Onapsis.

Am I exposed?

The vulnerabilities affect a specific SAP HANA component named SAP HANA User Self Service, which is not enabled by default. The following list details the affected HANA 2 and HANA versions:

  • SAP HANA SPS 12 (newDB rel 1.00.121.00.1466466057)
  • SAP HANA 2 SPS0 (newDB rel 2.00.000.00.1479874437)
  • SAP HANA SPS11 (1.00.110.144775), released in November 2015
  • SAP HANA SPS10 (1.00.101.00.1435831848), released in June 2015
  • SAP HANA SPS09 (1.00.91.1418659308), released in November 2014

“We hope organizations will use this threat intelligence to assess their systems and confirm that they are not currently using this component, and therefore are not affected by these risks. Even if the service is not enabled, we still recommend that these organizations apply the patches in case a change is made to the system in the future,” continued Bortnik.

Onapsis Research Labs originally discovered the vulnerabilities on the newly released SAP HANA 2 platform, but after additional analysis realized that several older versions were vulnerable as well. Based on this assessment, the researchers determined that the vulnerabilities had been present in HANA for almost two and a half years, since the User Self Service component was first released. This greatly increases the likelihood that attackers have already discovered these vulnerabilities and used them to break into organizations’ SAP systems.

Technical details coming in 90 days

Onapsis worked closely with SAP’s Product Security & Engineering teams to help them develop the security patches. SAP is releasing the first ever patch for SAP HANA 2. In this case, default installations are affected, and exploitation allows an attacker to elevate privileges.

As part of Onapsis’s responsible disclosure policy, the researchers will release technical details of these vulnerabilities after 90 days, giving SAP customers time to apply and configure SAP Security Note #2424173, “Vulnerabilities in the User Self-Service Tools of SAP HANA”, and Security Note #2429069 in their organizations.