SAP says that it has fixed a BusinessObjects security flaw within a component of the software that could have allowed hackers to take control of the system by logging in and using a preset user name and password, according to the company.
The use of a default name and password was a mistake, SAP said.
“It’s obvious, and it should not have happened,” said Tom Schroeer, who heads SAP’s product security response team. The component should have originally been set to require the administrator to create a new password when installing the software, he said.
The flaw, found within the administrative interface for the Web services component of the application, was found by Joshua Abraham, a researcher and consultant with Rapid7, an IT security firm based in Boston.
As a result, an attacker could log on to the interface, upload and execute a malicious Web service, and gain control over the BusinessObjects system, according to Abraham.
“We were actually able to leverage one of the interfaces into the BusinessObjects system to gain remote control, full control,” Abraham said.
SAP assigned the flaw its highest rating possible, Schroeer said, not because the company believed customers were at immediate risk, it said, but because Rapid7 planned to make a presentation on its findings at an SAP security conference in Barcelona, Spain, and the company needed to alert customers before the information was made public.
Rapid7 told SAP about the problem in August. One month later, SAP notified its customers as a part of its next monthly security “Patch Day” update, which the company posts on its website. Schroeer said that SAP advised customers to either change the password or download a patch that closes off that particular component of BusinessObjects if they weren’t using it.
It was impossible to know if all of SAP’s BusinessObjects customers addressed the security gap, only that SAP had done its best to let them know what they needed to do, Schroeer said. And no customer has been attacked as a result of the gap in security that the company is aware of, he added.
Rapid7 also assigned the issue its highest priority rating, in large part because SAP had failed to mention the use of a default name and password in the supporting documentation.
“That is the heart of the problem,” he said. Had SAP done so, the problem wouldn’t have been as serious.
SAP purchased BusinessObjects in 2007, and although it immediately incorporated the business analytics software into its portfolio, it’s possible that the current flaw is left over from the original code, Abraham said.
“That’s probably why we’re seeing these types of flaws in SAP BusinessObjects. But they still shouldn’t exist, based on the fact that it’s three years after they purchased BusinessObjects,” he said.