A critical flaw in SAP's Internet Graphics Server opens up SAP systems to remote hackers who can gain user privileges
and access sensitive SAP files.
Martin O'Neal, a security consultant and director at U.K.-based security firm Corsaire Ltd, discovered the vulnerability during a routine assessment of a new SAP installation for a client.
O'Neal described the flaw as critical and said it is likely in every live installation of SAP. The flaw was discovered on the Unix platform, but can be likely used to gain access on other platforms as well, O'Neal said.
"Once hacked, you can get a hold of any file on the file system," O'Neal said, in an interview with SearchSAP.com. "It's indicative of development issues -- the failure to understand fundamental problems with designing and building a Web server."
SAP released an advisory to customers urging them to upgrade the server to version 6.40, patch 11 or higher versions.
O'Neal said there are two workarounds. If a company needs a Web-based interface, it should conduct a server upgrade, he said. An enterprise can also disable the HTTP interface, which results in eliminating the flaw, he said.
The SAP Internet Graphics Server is used in conjunction with SAP R/3 software and renders graphics to a device-dependent format. It works in conjunction with SAP Business Warehouse queries to make interactive charts and reports using Web services to integrate with a variety of third-party products.
The flaw was discovered in March, and SAP has remained tight-lipped over the issue, refusing to speak with Corsaire or share information on a fix with the security firm, O'Neal said.
"We don't know the results of their investigations or if their fix remedies the problem," O'Neal said. "When asked to see copy of their advisory SAP sent to their own clients, they said we couldn't see it."
SAP spokesman Bill Wohl said SAP conducted a review process and wanted to wait until final testing was completed on the test before making contact with Corsaire.
"We have just completed the last step in our process, which is to test the patch and make sure that it solves the issue," Wohl said. "It was only until testing was complete that we feel comfortable going back to the security service that discovered the issue."
Wohl also said the vulnerability allows initial access to the data of configuration of the operating system upon which the SAP Internet Graphics Server is based. Actual R/3 data is not exposed, Wohl said. Very few SAP customers use the Internet Graphics Server, he said.
Whol said SAP security bulletins to customers remain confidential to further protect SAP systems from attack. Details on the vulnerability are described in the SAP Note 862169.