[Full-disclosure] [Onapsis Security Advisory 2010-004] SAP J2EE Authentication Phishing Vector
Rosa Maria Gonzalez Pereira
analuis13 at hotmail.com
Thu Feb 11 15:47:58 GMT 2010
What do I do with these emails? I already have thousands...
> Date: Thu, 11 Feb 2010 12:17:04 -0200
> From: research at onapsis.com
> To: full-disclosure at lists.grok.org.uk
> Subject: [Full-disclosure] [Onapsis Security Advisory 2010-004] SAP J2EE Authentication Phishing Vector
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Onapsis Security Advisory 2010-004: SAP J2EE Authentication Phishing Vector
> This advisory can be downloaded from http://www.onapsis.com/research.html.
> By downloading this advisory from the Onapsis Resource Center, you will
> gain access to beforehand information on upcoming advisories, presentations
> and new research projects from the Onapsis Research Labs.
> 1. Impact on Business
> By exploiting this vulnerability, an internal or external attacker would
> be able to perform attacks on the Organization's users through weaknesses
> in the SAP system.
> An attacker would send specially crafted emails to users of the
> Organization's SAP system. After they have been successfully
> authenticated by the application, they would be redirected to an
> attacker-controlled web site, where he would be able to perform different
> attacks over their systems and/or trick them into providing sensitive
> information.
> - Risk Level: Medium
> 2. Advisory Information
> - Release Date: 2010-02-10
> - Last Revised: 2010-02-10
> - Security Advisory ID: ONAPSIS-2010-004
> - Onapsis SVS ID: ONAPSIS-000005
> - Researcher: Mariano Nuñez Di Croce
> 3. Vulnerability Information
> - Vendor: SAP
> - Affected Components:
> . SAP JAVA CORE 6.40 < SP26
> . SAP JAVA CORE 7.00 < SP02
> . SAP JAVA CORE 7.01 < SP07
> . SAP JAVA CORE 7.02 < SP03
> - Vulnerability Class: Phishing Vector
> - Remotely Exploitable: Yes
> - Locally Exploitable: Yes
> - Authentication Required: No
> 4. Affected Components Description
> The SAP J2EE Engine is a key component of the SAP NetWeaver application
> platform, which enables the development and execution of Java solutions
> in SAP.
> The J2EE Engine is the component on which, for example, the SAP
> Enterprise Portal solution is built and executed.
> 5. Vulnerability Details
> The Authentication mechanism of the SAP J2EE Engine (which is shared by
> the Enterprise Portal and other solutions) suffers from a phishing vector
> vulnerability, which may allow a remote attacker to perform different
> attacks against the organization's SAP users.
> Onapsis is not distributing technical details about this issue to the
> general public at this moment in order to provide enough time to affected
> customers to patch their systems and protect against the exploitation of
> the described vulnerability.
> 6. Solution
> SAP has released SAP Note 1175239, which provides a patched version of
> the affected components.
> This patch can be downloaded from
> https://service.sap.com/sap/support/notes/1175239 .
> Onapsis strongly recommends SAP customers to download the related
> security fix and apply it to the affected components in order to reduce
> business risks.
> 7. Report Timeline
> . 2009-11-24: Onapsis provides vulnerability information to SAP.
> . 2009-11-24: SAP confirms reception of vulnerability submission.
> . 2010-02-09: SAP releases security patch.
> . 2010-02-10: Onapsis releases security advisory.
> 8. About Onapsis Research Labs
> Onapsis is continuously investing resources in the research of the
> security of business critical systems and applications.
> With that objective in mind, a special unit, the Onapsis Research Labs,
> has been developed since the creation of the company. The experts involved
> in this special team lead the public research trends in this matter,
> having discovered and published many of the public security
> vulnerabilities in these platforms.
> The outcome of this advanced and cutting-edge research is continuously
> provided to the Onapsis Consulting and Development teams, improving the
> of our solutions and enabling our customers to be protected from the
> latest risks to their critical business information.
> Furthermore, the results of these research projects are usually shared
> with the general security and professional community, encouraging the
> sharing of information and increasing the common knowledge in this field.
> 9. About Onapsis
> Onapsis is the leading provider of solutions for the security of
> business-critical systems and applications.
> Through different innovative products and services, Onapsis helps its
> global customers to effectively increase the security level of their core
> business platforms, protecting their information and decreasing
> financial fraud risks.
> Onapsis is built upon a team of world-renowned experts in the SAP
> security field, with several years of experience in the assessment and
> protection of critical platforms in world-wide customers, such as
> Fortune-500 companies and governmental entities.
> Some of our featured services include SAP Penetration Testing, SAP
> Gateway & RFC security, SAP Enterprise Portal security assessment,
> Security Support for SAP Implementations and Upgrades, SAP System
> Hardening and SAP Technical Security Audits.
> For further information about our solutions, please contact us at
> info at onapsis.com and visit our website at www.onapsis.com.
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> -----END PGP SIGNATURE-----
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
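Added example, not part of the advisory and not Onapsis or SAP code. The advisory says users are sent to an attacker-controlled site after they have authenticated, which is the classic unvalidated post-login redirect pattern; since the technical details were withheld, the example assumes that pattern rather than the actual SAP J2EE defect. The Python below shows the check a login handler can apply so that the post-authentication destination is confined to the application's own paths or to an explicit allowlist of hosts. The host portal.example.internal, the function names is_safe_redirect and post_login_redirect, and all sample targets are constructed for this example.

```python
from urllib.parse import urlsplit

# Hosts the application may legitimately send a user to after login.
# Constructed for this example; a real deployment would load this from config.
ALLOWED_HOSTS = {"portal.example.internal"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a local path on this application or an
    absolute http(s) URL whose host is explicitly allowed."""
    if not target:
        return False
    # Some browsers treat a backslash like a slash, so "/\\evil" could be read
    # as a network-path reference; reject rather than try to normalise it.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: require exactly one leading slash. A target such
        # as "//host/x" carries a netloc and never reaches this branch.
        return target.startswith("/") and not target.startswith("//")
    # Absolute reference: only http/https, and only to an allowlisted host.
    # Using .hostname (not .netloc) discards userinfo like "trusted@evil".
    if parts.scheme.lower() not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def post_login_redirect(requested: str, fallback: str = "/home") -> str:
    """Pick the URL to send the user to once authentication succeeded: the
    requested one if it passes the check, otherwise a fixed local page."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    # Constructed sample targets of the kind a login form's "return to"
    # parameter might carry; the rejected ones would all have left the site.
    for t in ["/irj/portal",
              "//attacker.example/",
              "https://attacker.example/login",
              "https://portal.example.internal@attacker.example/",
              "javascript:alert(1)",
              "https://portal.example.internal/irj/portal"]:
        print(f"{t!r:60} -> {post_login_redirect(t)}")
```

The fallback is deliberately a fixed local page rather than a referer or any other attacker-influenced value; logging the rejected target alongside the authenticated user gives the operations team a simple signal for spotting a phishing campaign against the login page.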