HEIDELBERG, Germany, March 15, 2018 /PRNewswire/ -- At the Troopers security conference, an annual event with a special track focused on SAP Security, ERPScan's researchers have disclosed the details of two vulnerabilities that allow an attacker to compromise an SAP CRM system. Since this application stores business-critical data such as clients' personal information, companies that fall victim face severe reputational and financial losses.
CRM (Customer Relationship Management) systems are among the most widespread, useful and valuable business applications for any organization. As the ERP Cybersecurity Survey 2017 states, 55% of respondents considered CRM to be the most critical asset. A data breach in CRM can be disastrous, as it can destroy trust in the business and tarnish the brand.
Unauthorized access to SAP CRM exposes data such as client lists, prices and contact points. If compromised, this data can be used by competitors to win over customers with lower-priced bids and eventually ruin the whole business.
In the talk titled 'SAP BUGS: The Phantom Security' delivered at Troopers, the researchers shared details of these security issues, showed how they are exploited, and described the attack scenario.
"It takes nothing to exploit these vulnerabilities. Perpetrators can remotely read any file in SAP CRM without authentication. We scanned the Internet and found nearly 500 SAP servers that are prone to it," said Vahagn Vardanyan, senior security researcher at ERPScan.
The security researchers at ERPScan identified directory traversal and log injection vulnerabilities in the solution. In combination, the two issues lead to information disclosure, privilege escalation, and complete compromise of the SAP system. The two bugs can wreak havoc in any company running SAP CRM.
To help SAP customers protect their critical assets against these security issues, ERPScan developed a dedicated resource with the details of the vulnerabilities, an overview of the attack process, and a video demonstration.