Vulnerability Management

Bugs in SAP HANA allowed remote code execution

Security researchers have detailed 15 security vulnerabilities that could enable hackers to escalate privileges, execute remote code and modify database information in SAP HANA and SAP Trex.

The bugs were discovered by Onapsis, which released security advisories about the flaws. Included in the advisories is a “critical risk” vulnerability that could be used to gain high privileges allowing unrestricted access to business information, and to modify arbitrary database information. The researchers said collectively, the flaws poses a risk to over 10,000 SAP customers.

“This set of advisories is unique as most of the vulnerabilities attackers can leverage are undervalued. Meaning, the way in which they can be exploited is not always obvious and can go undetected. For example, one of the critical vulnerabilities that can be exploited creates an error message which includes sensitive information about its environment, users, or associated data,” said Sebastian Bortnik, head of Research at Onapsis.

One critical risk in SAP HANA was a vulnerability in the code that could enable a remote unauthenticated attacker could receive high privileges on the HANA system with unrestricted access to any business information.

Other high risk flaws allowed arbitrary audit injection via HTTP requests which an attacker could tamper the audit logs, hiding evidence of an attack to a HANA system. There were flaws that let hackers tamper the audit logs, access and modify any information indexed by the SAP system and a remote code execution flaw that enabled an unauthenticated attacker could access and modify any information indexed by the SAP system.

There were also a number of bugs in SAP Trex allowing arbitrary file writes, remote directory traversal and remote file reads of the product.

In a blog post, Onapsis security researcher Nathan Sanchez, said that is important to remember to “always keep up to date your SAP HANA Platform with the latest security patches and properly configure the platform according to the SAP HANA Security guide”.

In a statement to, a SAP spokesman said that the SAP Product Security Response Team “collaborates frequently with research companies like Onapsis to ensure a responsible disclosure of vulnerabilities.”

“All SAP HANA and Trex vulnerabilities disclosed in Onapsis current press release have been fixed already and published between August 2015 and January 2016. Security patches are available for download on the SAP Service Marketplace. We strongly advise our customers to secure their SAP landscape by applying the available security patches from the SAP Service Marketplace immediately.”

Alex Ayers, co-founder and consulting director of Turnkey Consulting told SC that a common use case for HANA is to improve financial and operational reporting. “It is feasible that detailed financial transactional data could be lost along with customer and vendor related records.  If the HANA database is supporting an SAP system that runs HR processes or is being used to report on HR data then potentially sensitive personal data may be at risk,” he said.

Liviu Arsene, Senior e-Threat Analyst, Bitdefender, told SC that some of the mentioned vulnerabilities that relate to user authentication messages and brute-force attacks on usernames and passwords can be relatively easy to fix.

“Some of these issues can even be fixed by simply properly configuring the platform according to security guidelines issued by SAP HANA or other security vendors. Of course, properly configuring firewalls as not to allow only authorised personnel and applications to connect to the database is also recommended,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.