European software giant SAP said Tuesday it had patched multiple vulnerabilities in its cloud-based enterprise platform HANA that could have allowed hackers to fully compromise databases and business applications without a valid username or password.
HANA runs SAP’s latest database, cloud and other more traditional business apps. According to Onapsis, the security company that uncovered the “zero day” vulnerabilities, they rank among the most critical ever found in the software.
“We have identified multiple vulnerabilities that could be leveraged by attackers to perform two critical attacks in SAP Hana, depending on the active services,” Onapsis said in a threat report. “These attacks consist of a full system compromise without any type of previous authentication.”
SAP claims 87% of the top 2,000 global companies as customers. According to Reuters, vulnerabilities in big business software are more lucrative to attackers than those affecting consumer applications as programs like Hana “store data and run transactions which are the lifeblood of businesses.”
Onapsis reported 10 Hana vulnerabilities to SAP less than 60 days ago, which the German software maker fixed in near-record time, Reuters said. The patch issued on Tuesday was rated by SAP as 9.8 on a scale of 10, “very high” in terms of relative risk to its customers.
According to Threat Post, Hana “has been increasingly targeted by hackers over the last year.” The bugs uncovered by Onapsis affect User Self Service, or USS, a component that allows users to carry out tasks such as account creation or password recovery.
“While the service comes disabled by default, some users activate it in order to allow external users access to internal capabilities — something that exposes the component to the internet,” Threat Post noted.
Sebastian Bortnik, Onapsis head of research, said the vulnerability “would allow an attacker to perform any action over the business information and processes supported by Hana, including creating, stealing, altering, and/or deleting sensitive information.”
Even if USS is not enabled, he said, “we still recommend that [businesses] apply the patches in case a change is made to the system in the future.”