Alert: New SAP Security Notes on CRM and SRM Applications

Aug 29, '17 by Joerg Schneider-Simon

Many businesses rely on SAP CRM (Customer Relationship Management) and SRM (Supplier Relationship Management) applications to manage workflows, standardize processes and centralize data. But, while these applications are eminently useful, they might be putting your business at risk.

On August 8 2017, SAP released its monthly critical patch update. According to the ERPScan blog, CRM in particular received a good deal of negative attention:

Unfortunately, this application also contains numerous security drawbacks; a total of 393 SAP Security Notes fixed different vulnerabilities in SAP CRM. This month, 3 SAP Notes belong to the SAP CRM application area.

These notes include:

  • An SQL injection vulnerability in the SAP CRM WebClient User Interface (SAP Security Note 2450979)
  • A cross-site scripting (XSS) vulnerability in the SAP CRM WebClient User Interface (SAP Security Note 2425744)
  • A cross-site scripting (XSS) vulnerability in the SAP CRM IPC Pricing (SAP Security Note 2481262)

In addition, multiple vulnerabilities were found in the SAP SRM Live Auction Application (SAP Security Note 2493099).

>Learn more: Injection attacks

>Learn more: XSS attacks

What’s noteworthy is the potentially catastrophic impact should a business fall prey to any of these cyberattacks. As reported by ERPScan:

For example, the SQL injection vulnerability in SAP CRM WebClient User Interface … allows a remote attacker to conduct corporate espionage by sending a special request and stealing all the customer data, such as customer datasets, pricing, sales, or prospective bids.
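The kind of request ERPScan describes, shown as an added example that is not from the original post or from SAP: a search handler that concatenates a request parameter into the SQL string, beside the parameterised version of the same query. The table, rows and function names are constructed for illustration, and SQLite stands in for the SAP database; SAP CRM's real schema and WebClient code are not shown here.

```python
import sqlite3

# Constructed sample data standing in for a CRM customer table (not SAP's schema).
SAMPLE_ROWS = [
    ("ACME Corp", "Berlin", "quote-2017-08-11", 125000.0),
    ("Globex", "Munich", "quote-2017-08-12", 98000.0),
    ("Initech", "Hamburg", "bid-2017-08-14", 310000.0),
]

# Payload a remote attacker would place in the request: it closes the string
# literal and appends a tautology, so the WHERE clause matches every row.
INJECTION = "x' OR '1'='1"


def build_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, city TEXT, doc_ref TEXT, value REAL)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_customers_vulnerable(conn, city):
    """Builds the WHERE clause by concatenation: the search term becomes SQL."""
    sql = "SELECT name, city, doc_ref, value FROM customers WHERE city = '" + city + "'"
    return conn.execute(sql).fetchall()


def search_customers_safe(conn, city):
    """Binds the search term as a parameter: it is only ever compared as data."""
    sql = "SELECT name, city, doc_ref, value FROM customers WHERE city = ?"
    return conn.execute(sql, (city,)).fetchall()


def demo():
    """Run the legitimate query and the injected one through both handlers."""
    conn = build_db()
    return {
        "legit_vulnerable": search_customers_vulnerable(conn, "Berlin"),
        "attack_vulnerable": search_customers_vulnerable(conn, INJECTION),
        "attack_safe": search_customers_safe(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s)")
```

With the concatenated query the injected search term returns every customer record, which is exactly the "steal all the customer data" outcome in the quote; the parameterised query returns nothing for the same input because the payload is compared against the city column as a literal string.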

Considering that the ERP Cybersecurity Survey 2017 ranked CRM and SRM among the most important SAP modules, the danger here is quite real. Possible consequences of a successful cyberattack include not just stolen data, but also damaged systems, lost productivity and the resulting harm to your company’s reputation.

How Is This Happening?

At the moment, cross-site scripting is the most common vulnerability class reported for both applications.

Cross-site scripting reaches CRM and SRM applications in two ways: through maliciously crafted user input that the application’s WebUI renders back to other users without proper output encoding, and through uploaded files that are stored and later served or opened by other users. In normal business conditions, the ability to upload contracts, purchase orders, invoices, schematics, photos or credit applications is immensely convenient and provides a useful paper trail if disputes arise.

However, cyberattackers are increasingly using upload features as an opening to reach critical files, data and permissions. Many such attacks rely on script hidden inside uploaded PDF documents or Microsoft Office files. Note the distinction: script embedded in a PDF or Office file runs in the viewer that opens it, whereas an upload becomes cross-site scripting in the browser only when the stored file is served back with a type the browser renders, such as HTML or SVG. Either way, a filter that looks only at the file extension is bypassed by simply renaming the file; only inspecting the actual content (the file signature and the objects inside it) catches the mismatch.

>Learn more: Malicious file uploads

And because files uploaded into SAP are held in the SAP database rather than written to regular disk volumes or operating-system files, file-system anti-virus on the application server never scans them, however capable it is.
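Since OS-level anti-virus never sees these files, the check has to happen at upload time inside the application layer. The following is an added example, not bowbridge’s product code and not anything from SAP: it validates an upload against an allow-list of extensions, verifies that the content signature matches the declared type (so a renamed file is caught), looks for the PDF name objects that introduce script or automatic actions, and flags browser-executable markup. The sample files and function names are constructed. The PDF check is a byte-level heuristic that neither parses objects nor decompresses streams, so a production scanner needs a real PDF parser behind it.

```python
import re

# Leading-byte signatures ("magic") per allowed extension. Checked against the
# content, not the name, so renaming evil.html to evil.pdf does not help.
MAGIC = {
    "pdf":  (b"%PDF-",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    # .docx/.xlsx are ZIP containers; legacy .doc/.xls are OLE2 compound files.
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "doc":  (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    "xls":  (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
}

# PDF name objects that carry script or trigger actions automatically.
# Heuristic: names can be hex-escaped or sit inside compressed streams.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")

# Markup a browser would execute if the stored file were ever served as a page.
BROWSER_ACTIVE = re.compile(rb"<script|<svg|javascript:|onload\s*=|onerror\s*=", re.I)


def inspect_upload(filename, data):
    """Return (allowed, reasons); reasons is empty when the file is accepted."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    sigs = MAGIC.get(ext)
    if sigs is None:
        reasons.append("extension not on allow-list: ." + ext)
    elif not any(data.startswith(s) for s in sigs):
        reasons.append("content does not match declared type ." + ext)

    if data.startswith(b"%PDF-"):
        names = sorted({m.decode() for m in PDF_ACTIVE.findall(data)})
        if names:
            reasons.append("PDF carries active content: " + ", ".join(names))

    if BROWSER_ACTIVE.search(data):
        reasons.append("contains browser-executable markup")

    return (not reasons, reasons)


# Constructed sample uploads (minimal byte strings, not real documents).
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF")
RENAMED_HTML = b"<html><script>alert(document.cookie)</script></html>"
PNG_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("contract.pdf", CLEAN_PDF), ("invoice.pdf", JS_PDF),
                       ("invoice.pdf", RENAMED_HTML), ("photo.png", PNG_IMAGE),
                       ("tool.exe", b"MZ\x90\x00")]:
        ok, why = inspect_upload(name, blob)
        print(name, "ACCEPT" if ok else "REJECT", why)
```

The renamed HTML file fails twice: its bytes do not start with the PDF signature, and it contains a script tag. The PDF with an OpenAction pointing at a JavaScript object is rejected even though its extension and signature are both in order, which is the case an extension-only filter misses.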

How to Protect Yourself?

If CRM and SRM applications aren’t managed well, things can easily fall into chaos with missed opportunities, botched orders and wasted resources. As a basic measure, businesses should always review SAP’s monthly Security Notes and apply them as soon as they’re made available, prioritising the notes SAP rates as Hot News or High.

For added security on all your critical SAP applications, it’s vital to use a solution that integrates with SAP and can inspect, detect and quarantine malicious files at the point of upload, before they are stored and have a chance to wreak havoc.

At bowbridge, we are happy to review your existing SAP cybersecurity practices to make sure your system is fully protected without losing functionality.

Want to know more about how security threats can hide within innocuous-seeming documents like PDF files? Our in-depth webinar helps you understand and mitigate the risks.

View our Webinar: SAP Security Threats Hidden in PDF Uploads