A patch is available for a number of critical vulnerabilities discovered this week in SAP's Web tools package....
The flaws could allow remote attackers to access files on vulnerable systems.
SAP said that only users who ''uncharacteristically use the database outside the firewall'' might experience a problem as a result of the vulnerabilities.
The flaws were discovered by Cambridge, Mass.-based AtStake Inc., the security consulting firm that discovered the issues.
The most critical vulnerabilities are in the Web-tools component of SAP database versions prior to 7.4.03.30. In those versions, the Web tools can be exploited remotely, said Chris Wysopal, vice president of AtStake research.
"There are probably thousands of installations of SAP DB, and those customers would be vulnerable to these issues," Wysopal said. "An enterprise should take action right away, either by upgrading or using a firewall to block access from that port so only trusted systems can access it."
Upgrading or patching version 7.4.03.30 will fix vulnerabilities in the database and Web tools, he said.
William Wohl, SAP's vice president of public relations, said that the vulnerability has been addressed and that a fix is available to SAP DB customers.
"Although we take all security concerns seriously; in this case only those customers who would have been using this product outside a firewall could this have potentially been an issue," Wohl said.
Also, Wohl noted that the SAP database, while available at no charge to SAP customers, is not "the most prevalent database used by our customers."
Wysopal said AtStake discovered the vulnerability while conducting a network penetration test at a client site. The security issues were not difficult to find and could be easily exploited, especially on installations that connect the database to the Internet, he said.
An attacker can take advantage of a directory traversal vulnerability within the database and retrieve any file off the host drive on which the Web-tools component resides, he said. The SAP Web servers run all local systems by default on Windows NT, 2000 and XP platforms, so all files are retrievable, he said.
Any user who has access to the SAP DB Web tools can access the Web Agent Administration pages without authentication by simply requesting a similar URL. Because of the flaws, an attacker operating the Web Agent Administration feature can then configure a large range of options, including global settings, services and communication services.
Wysopal said the Web Database Manager uses URL-based session IDs that are generated in a predictable manner. A remote user can guess the session ID to gain access to the session.
FOR MORE INFORMATION:
Patches for these vulnerabilities can be found at the SAP database Web site.
Check out SearchSAP.com's Topic on security issues.
To provide feedback on this article, contact Robert Westervelt.