Onapsis Uncovers Three New “High Risk” Vulnerabilities Affecting SAP Mobile

The vulnerabilities allow unauthorized users with access to a mobile device to decrypt and modify sensitive configuration values used by SAP business applications, putting Fortune 1000 companies at risk

BOSTON--Onapsis, the global experts in business-critical application security, today released new security advisories detailing vulnerabilities in SAP Mobile. Included in the security advisories are three “high risk” vulnerabilities which could be used to gain access to sensitive business information within organizations that rely on SAP Mobile.

Organizations use SAP Mobile to build and deploy applications that allow thousands of users to access SAP business-critical applications via the major mobile vendors including Apple, Samsung, Google, and Microsoft. Depending on an organization’s use of this platform, “high risk” vulnerabilities could be used by cyber attackers to gain access to mission-critical information including customer data, product pricing, financial statements, employee information, supply chains, business intelligence, budgeting, planning and forecasting.

The three “high risk” advisories detail vulnerabilities in SAP Mobile Platform Datavault, the component that encrypts credentials and configuration data stored on the device:

- Keystream Recovery

  • Allows an attacker with access to a vulnerable mobile device to decrypt credentials and other sensitive information stored on it, and potentially to connect to other business systems to access additional data.

- Predictable Encryption Passwords for Configuration Values

  • Allows an attacker with access to a vulnerable mobile device to decrypt and modify sensitive configuration values used by SAP business applications, exposing a broad set of business applications to attack.

- Predictable Encryption Passwords for Secure Storage

  • Allows an attacker with access to a vulnerable mobile device to read sensitive information stored on the device, including encrypted login credentials, and potentially to connect to business applications and access or modify business information.

These three “high risk” vulnerabilities, reported by Onapsis and recently fixed by SAP, could be abused by attackers to compromise encrypted information stored on mobile devices. The most typical example of this kind of information is the credentials used to connect to SAP systems, which hold the most sensitive business information. In each case the attacker needs access to the device (or to the encrypted storage extracted from it); the weaknesses lie in how the stored data is encrypted, not in the network protocols.
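The first advisory's title names a classic stream-cipher failure: if the same keystream is applied to more than one stored record, an attacker who knows (or can guess) the plaintext of one record recovers the keystream by XOR and decrypts every other record that keystream covers. The Python below is an added illustration of that attack class; it is not Onapsis' or SAP's code and says nothing about how Datavault actually derives or applies its keystream. The stand-in cipher (SHA-256 in counter mode), the fixed nonce, and the two JSON-like records are all constructed for the example.

```python
import hashlib
import os

# Constructed records, not real SAP Mobile data. A configuration record (server
# name, port) is often predictable even when the stored credentials are not;
# that known plaintext is the attacker's lever.
KNOWN_RECORD = b'{"server":"sap.example.invalid","port":44300}'
SECRET_RECORD = b'{"user":"MOBILEADM","password":"Hunter2!"}'


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode. Any stream cipher
    (RC4, AES-CTR, ChaCha20) fails the same way when key and nonce repeat."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """C = P XOR KS, so C XOR P = KS for every byte of P the attacker knows."""
    return xor_bytes(ciphertext, known_plaintext)


def attack(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Decrypt as much of c_target as the recovered keystream covers."""
    ks = recover_keystream(c_known, p_known)
    return xor_bytes(c_target, ks)


def demo_reused_keystream() -> bytes:
    """Vulnerable pattern: one key and one fixed nonce for every record."""
    key = os.urandom(32)
    fixed_nonce = bytes(8)
    c_known = encrypt(key, fixed_nonce, KNOWN_RECORD)
    c_secret = encrypt(key, fixed_nonce, SECRET_RECORD)
    return attack(c_known, KNOWN_RECORD, c_secret)  # returns SECRET_RECORD


def demo_unique_nonces() -> bytes:
    """Fixed pattern: a fresh random nonce per record, so keystreams differ
    and the keystream recovered from one record is useless against another."""
    key = os.urandom(32)
    c_known = encrypt(key, os.urandom(12), KNOWN_RECORD)
    c_secret = encrypt(key, os.urandom(12), SECRET_RECORD)
    return attack(c_known, KNOWN_RECORD, c_secret)  # garbage, not SECRET_RECORD


if __name__ == "__main__":
    print("reused keystream ->", demo_reused_keystream())
    print("unique nonces    ->", demo_unique_nonces())
```

The attacker never learns the key in the first scenario; the reused keystream alone is enough, which is why "keystream recovery" is as damaging as key recovery for every record the known plaintext overlaps. The other two advisories describe a different weakness, a guessable encryption password, where the attacker reproduces the key itself; that is not simulated here.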

“Nation states and organized crime syndicates are targeting SAP business applications because they hold the most sensitive data within a company. This makes it extremely critical for organizations to take proactive measures to protect SAP systems. In a recent study that our research labs put together, we found that over 95% of SAP systems assessed were exposed to vulnerabilities that could lead to full compromise of the company’s business processes and information. We are now seeing SAP security breaches escalating in the news headlines, so it is imperative that SAP security teams work closely with information security teams to solve this mounting problem,” said Ezequiel Gutesman, Director of Research, Onapsis.

The advisories are released by the Onapsis Research Labs, a team of security experts who combine in-depth knowledge and experience to deliver technical analysis with business context, and provide sound security judgment to the market. The team has released over 140 advisories to date, consulted on impact with over 160 Onapsis enterprise customers and regularly presents at leading security and SAP conferences around the world.

Each advisory details the business-context relevance of an identified vulnerability, including impact on a business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes.

The advisories are publicly available at: http://www.onapsis.com/research/advisories.

On Thursday, September 10, 2015, Onapsis will be hosting a webcast on these vulnerabilities. For more information, or to register, please visit: http://www.onapsis.com/webcasts/preventing-cyberattacks-on-sap-mobile.

About Onapsis

Onapsis provides the most comprehensive solutions for securing business-critical applications. As the leading experts in SAP cyber-security, Onapsis enables security and audit teams to have visibility, confidence and control of advanced threats, cyber-risks and compliance gaps targeting their enterprise applications.

Headquartered in Boston, MA, Onapsis serves over 160 Global 2000 customers, including 10 top retailers, 20 top energy firms and 20 top manufacturers. Onapsis’ solutions are also the de-facto standard for leading consulting and audit firms such as Accenture, IBM, Deloitte, E&Y, KPMG and PwC.

Onapsis solutions include the Onapsis Security Platform, which is the most widely-used SAP-certified cyber-security solution in the market. Unlike generic security products, Onapsis’ context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating SAP applications into existing vulnerability, risk and incident response management programs.

These solutions are powered by the Onapsis Research Labs, which continuously provide leading intelligence on security threats affecting SAP systems. Experts of the Onapsis Research Labs were the first to lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of security vulnerabilities to date affecting SAP Business Suite, SAP HANA and SAP Mobile deployments.

For more information, please visit www.onapsis.com, or connect with us on Twitter, Google+, or LinkedIn.

Contacts

Kesselring Communications
Leslie Kesselring, 503-358-1012
leslie@kesscomm.com
or
Tamarie Ellis, 503-746-8107
tamarie@kesscomm.com

Release Summary

Onapsis uncovers three new “high risk” vulnerabilities affecting SAP Mobile that put Fortune 1000 companies at risk to cyber attacks on mission-critical information.