SAP Encryption Issues Pose Serious Risk to Organizations: Researchers

Thursday, June 18, 2015

Eduard Kovacs

Af7244bb99debb4a1152fa49a993a05c

The use of static keys and other encryption issues expose numerous organizations that rely on SAP products to malicious hacker attacks, researchers have warned.

Dmitry Chastukhin, director of professional services at ERPScan, a company that specializes in protecting SAP and Oracle business-critical ERP systems against cyberattacks, revealed today at the Black Hat Sessions conference in the Netherlands that SAP solutions such as SAP HANA and the SAP Mobile platform are exposed to attacks not just because of vulnerabilities, but also due to some serious encryption-related problems.

SAP is one of the world’s largest software makers. Its products are used by 291,000 customers across 190 countries, according to the company’s website. SAP’s enterprise software includes solutions for customer relationship management (CRM), enterprise resource planning (ERP), product lifecycle management (PLM), supply chain management (SCM), and supplier relationship management (SRM).

Over the past period, researchers have uncovered numerous vulnerabilities in the company’s business applications, including SAP ASE, SAP HANA, SAP BusinessObjects, and SAP Netweaver. Recent studies have shown that pivoting, portal attacks, and database warehousing are the three most common techniques used to compromise SAP systems.

Vulnerabilities pose a serious risk to SAP customers and the vendor often releases patches to address them, but experts have pointed out that encryption issues can also be highly problematic.

Read the rest of this article on SecurityWeek.com.

11545
General Operating Systems SPAM Viruses & Malware
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.