SAP has closed a critical vulnerability that had been exposed for almost two years. The vulnerability (SAP Security Note 2419592) affects TREX, a standalone search engine for SAP NetWeaver that is deployed in over a dozen SAP products, including SAP HANA.
The identified security issue allows an attacker to anonymously perform sensitive operations that can be combined to execute a command on the server remotely.
Originally, the vulnerability was discovered in SAP HANA in 2015 and the corresponding SAP Security Note (2234226) was released in December 2015. The issue was dubbed a potential technical information disclosure and fixed by removing some critical functions.
Later on, Mathieu Geli from ERPScan conducted further research and revealed that the vulnerability was still exploitable. He found that TREXNet, the internal communication protocol used by TREX, did not provide any authentication procedure. As the advisory with all technical details was already available on the web, this left numerous SAP applications open to attack via the insecure protocol.
“I reversed a protocol for HANA and then for the TREX search engine. As they share a common protocol, the exploit has been easily adapted. SAP fixed some features, but not everything affecting the core protocol. It was still possible to get full control of the server even with a patched TREX,” said Mathieu Geli, Head of SAP Threat Intelligence at ERPScan.
The vulnerability (CVE-2017-7691) allows an attacker to forge a special request to the TREXNet ports to read OS files or create files.
The patch was released on the scheduled SAP Security Day in April 2017, and the vendor assessed the issue at CVSS 9.4. Under the rules of responsible disclosure, which require a 90-day gap, the researcher cannot yet disclose any technical details.