Security experts are urging all SAP customers to patch a critical remote command execution bug in SAP GUI, or run the risk of mass ransomware infections.
At the Troopers security conference yesterday, Dutch vendor ERPScan disclosed details of how the remote command execution vulnerability could be used by black hats to infect customers.
SAP GUI is the desktop client through which users in an organization connect to the centralized SAP server.
“As the name implies, in case of successful attack, an attacker can execute a command remotely, which essentially enables unfettered control over endpoint devices where the SAP GUI application is installed,” the firm claimed. “This vulnerability can be used to upload ransomware on a hacked endpoint and stop business processes.”
Hackers would first need to compromise an SAP NetWeaver ABAP server, although ERPScan said that this may not be too difficult given many flaws stay unpatched for years in some organizations.
They would then develop a malicious SAP transaction to execute a command on SAP GUI, and ensure it is “autoloaded” to execute automatically.
“Each time a user logs in to the infected SAP server using SAP GUI, the malicious transaction will be executed, calling a program on an endpoint that downloads the ransomware on SAP GUI,” ERPScan added.
“Next time a user tries to run an SAP GUI application, the ransomware will be executed and prevent him or her from logging on to the SAP server.”
An attacker could, of course, choose to execute other malware according to their end goal – perhaps replacing ransomware with information-stealing malicious code.
Vahagn Vardanyan, senior security researcher at ERPScan, argued that two factors make the situation even worse for IT bosses.
“Firstly, in this case, the patching process is especially laborious and time-consuming, as the vulnerability affects the client side, so an SAP administrator has to apply the patch on every endpoint with SAP GUI in a company, and a typical enterprise has thousands of them,” he explained.
“Secondly, each client can have its own unique payment address, which hampers the paying process.”
ERPScan is calling this vulnerability – CVE-2017-6950, which has a CVSS score of 8.0 – one of the most serious to hit SAP customers in several years as the GUI is used by every user in every organization running software from the German ERP giant.
It urged customers to fix it via SAP’s patch update released earlier this month.
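Because the fix has to reach every endpoint rather than one server, the practical follow-up is an inventory of which workstations still run an unpatched SAP GUI. The PowerShell script below is an added example, not code from ERPScan or SAP: it reads the file version of saplogon.exe on each listed Windows endpoint and flags any below a minimum version. It assumes the default SAP GUI for Windows install path and that the administrator supplies the minimum version from the SAP Note for CVE-2017-6950 (neither is stated on the page, so both are parameters, not facts from the article).

```powershell
# Added example (not ERPScan's or SAP's code): inventory SAP GUI for Windows
# file versions on a list of endpoints and flag those below a minimum.
# Assumptions (not stated on the page): SAP GUI installs saplogon.exe under
# the default front-end path below, the admin share C$ is reachable, and the
# caller supplies the minimum file version from the SAP Note for CVE-2017-6950.
param(
    [string[]]$ComputerName = @('localhost'),
    [Parameter(Mandatory = $true)][version]$MinimumVersion
)

# Default SAP GUI for Windows front-end location (assumed; adjust if relocated).
$relativePath = 'Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe'

foreach ($computer in $ComputerName) {
    # Local machine is read directly; remote machines via the administrative share.
    $path = if ($computer -eq 'localhost') {
        "C:\$relativePath"
    } else {
        "\\$computer\c$\$relativePath"
    }

    if (-not (Test-Path -Path $path)) {
        [pscustomobject]@{ Computer = $computer; Version = $null; Status = 'no SAP GUI found' }
        continue
    }

    # FileVersion carries the SAP GUI release and patch level, e.g. '7400.1.7.1123'
    # (constructed illustrative value). Keep only the dotted numeric prefix so the
    # [version] cast does not choke on trailing text some builds append.
    $raw = (Get-Item -Path $path).VersionInfo.FileVersion
    $ver = [version]($raw -replace '[^\d.].*$')

    $status = if ($ver -lt $MinimumVersion) { 'NEEDS PATCH' } else { 'ok' }
    [pscustomobject]@{ Computer = $computer; Version = $ver; Status = $status }
}
```

Run it as, for example, `.\Get-SapGuiVersions.ps1 -ComputerName ws01,ws02 -MinimumVersion <version from the SAP Note>`; the output is a list of objects that can be piped to `Where-Object Status -ne 'ok'` or exported to CSV for the patch rollout. Endpoints that have SAP GUI installed somewhere other than the assumed path will show as "no SAP GUI found" and need a second pass with the correct path.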