SAP Security News: SAP Addresses E-Recruiting Vulnerability

Sep 21, '17 by Joerg Schneider-Simon

SAP recently issued a security note addressing a vulnerability in the SAP E-Recruiting application:

“When a user registers to the e-recruiting application, he/she receives a link by email to confirm access to the provided email address. However, this measure can be bypassed and attackers can register and confirm e-mail addresses that they do not have access to.”

This vulnerability is one that bowbridge discovered in our examination of SAP E-Recruiting applications and how well most companies’ installations of it stood up to cyberattacks.

In our research, we acknowledged the security importance of a two-step registration process that requires new users to confirm their email addresses before they can access the application. However, as we indicated in our findings:

Results: Fewer than 12% of the E-Recruiting implementations we tested required candidates to confirm their email address before submitting a job application, meaning the vast majority of E-Recruiting portals are easy targets.

An “easy target” is not something any company wishes to be, particularly when it comes to cybersecurity. Unfortunately, cybersecurity gaps in SAP are more common than you might think.

> Learn more: Can SAP E-Recruiting Expose Your Company to Risk?

How SAP E-Recruiting Applications Are Vulnerable

You’re likely wondering what vulnerabilities exist in E-Recruiting. The news isn’t good: E-Recruiting and other public-facing SAP applications are particularly at risk to content-based threats and other cyberattacks.

In our research, we discovered cyberattackers can infiltrate SAP E-Recruiting applications through:

  • Form Data: Applications like E-Recruiting have public-facing forms, which allow job applicants to submit their information and create an account.

    A convenience, yes. However, the lack of security parameters like two-step registration, minimum password requirements or ironclad SSL encryption make it easy for attackers to insert malicious user input — like injection attacks and XSS attacks — into form data.
  • File Uploads: Job applications require documentation. A resume, a cover letter, certifications, samples — it all has to be uploaded into E-Recruiting to be processed. But uploading attachments is a convenient way to upload malicious files.

    Thirty percent of the E-Recruiting installations we tested did not even have filtering on file types. And for those who did, 60% were easily fooled just by changing the file extension.
  • Embedded Active Content: More sophisticated attacks can come in the form of embedded active content, like JavaScript, Java archives, or macros. This content, hidden in simple-looking PDF or Office files, can easily devastate an entire SAP system or steal reams of priceless data.


Why Standard Anti-Virus Is Not Enough to Protect SAP

All these vulnerabilities are bad enough, but it’s made worse by the fact that SAP cannot be protected by standard OS anti-malware programs.

There are two reasons for this: First, uploads to SAP applications are usually transferred through SSL-encrypted connections and stored in SAP’s discrete database instead of OS disk volumes. Because of how they’re transmitted and stored, any deployed anti-malware program never gets the opportunity to “read” them.

Additionally, although SAP has the NW-VSI Virus Scan Interface, standard anti-malware programs cannot connect to it. Instead, tailored SAP security software is needed to bridge the gap.

Keeping your company’s SAP system safe from cyberattack is a vital task. And staying on top of SAP’s vulnerabilities is a task bowbridge takes seriously.

Learn more about the threats to SAP E-Recruiting applications by downloading our free white paper, Cyberattacks and CVs: Can SAP E-Recruiting Expose Your Company to Risk?


Can SAP E-Recruiting Expose Your Company to Risk?