Thursday, July 28, 2016

15 Vulnerabilities in SAP HANA Outlined | Threatpost | The first stop for security news

15 Vulnerabilities in SAP HANA Outlined | Threatpost | The first stop for security news: "SAP recently fixed 15 different vulnerabilities that existed in the database management system HANA and subsequent communication channels used by the software. All told, the vulnerabilities affect just north of 10,000 SAP customers running different versions of the system, according to researchers at Onapsis, who disclosed the bugs Thursday.


Nine of the bugs affected HANA, the cloud-based business platform that has been increasingly targeted by attackers as of late. Another six affected TREXnet, an internal communication channel that feeds into HANA. 

One of the most pressing vulnerabilities, a SYSTEM user brute force attack, affected HANA. According to the advisory, if exploited, a remote attacker could achieve high privileges on a system and gain unrestricted access to any business information. 

Four other bugs marked “high risk” also existed in HANA. Two of them – an injection via HTTP request bug and SQL injection bug – could let an attacker tamper with the audit logs to hide evidence of an attack. The other two, both remote code execution bugs, could let an attacker access and modify stored SAP data. 

The scariest TREX bug, a critical remote code execution bug, could allow an attacker to access and modify any information indexed by an affected SAP system."