Flaw found in thousands of SAP servers

By

Vulnerabilities to be demonstrated at Black Hat.

Thousands of SAP servers on the internet could be affected by vulnerabilities that bypass authentication checks, a researcher will demonstrate at the Black Hat 2011 conference.

Flaw found in thousands of SAP servers

Alexander Polyako, chief technology officer at ERPScan, found flaws in the J2EE engine of SAP NetWeaver software that could allow an attacker to assign themselves administrative privileges.

"For example, it is possible to create a user and assign to the administrators group using two unauthorised requests to the system," Polyako said.

"It is also dangerous because that attack is possible on systems protected by two-factor authentication."

The company demonstrated the vulnerabilities with a tool that searches for SAP servers with undisclosed keywords.

It found that "more than half of [detected] servers could be hacked" using the vulnerability.

The vulnerabilities could affect many more SAP servers built with custom configuration, according to Polyako.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:

Most Read Articles

NSW Police to embark on $126m IT overhaul

NSW Police to embark on $126m IT overhaul

CBA looks to GenAI to assist 1200 'security champions'

CBA looks to GenAI to assist 1200 'security champions'

Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls

WestJet probes cyber security incident

WestJet probes cyber security incident

Log In

  |  Forgot your password?