[ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security Please refer to https://www.esnc.de for the original security advisory, updates, and additional information. ---------------------------------------------------------------------- 1. Business Impact ---------------------------------------------------------------------- According to PwC website: - "Using the proprietary ACE software, we perform diagnostics of SAP’s inherent risks and backdoors (such as configuration, customization and security settings) which could be exploited to commit fraud"; - "The purpose of this tool is to analyze SAP security settings and identify privileged access and potential segregation of duties issues accurately and efficiently"; and - "The ABAP files introduce no changes to the production systems and settings". PwC ACE software has a remotely exploitable security vulnerability which allows injection and execution of malicious ABAP code on the remote SAP system. Based on the business processes implemented on the SAP systems on which ACE is installed, this security vulnerability may allow an attacker to e.g. manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions. This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money. The attacks may be executed from the local network via SAPGui, or from the public Internet via http/https ICF services such as WebGui and Report, if the systems are accessible. An attacker can misuse PwC ACE security vulnerability in order to: - make changes to the production systems and their settings including manipulating or corrupting ABAP programs shipped by SAP and making the system and data inoperable; - plant an SAP backdoor for accessing the system and sensitive data later; and - shut down the SAP systems and cause downtime. An in-depth analysis is required to determine whether the system or the financial data is already compromised via this security vulnerability. Risk Level: High ---------------------------------------------------------------------- 2. Advisory Information ---------------------------------------------------------------------- - ESNC Security Advisory ID: ESNC-2041217 - CVE ID: CVE-2016-9832 - Original security advisory and updates: https://www.esnc.de/security-advisories/vulnerability-in-pwc-ace-for-sap-security - Reporting Date: 19.08.2016 - Vulnerability location: User input - Affected versions: 8.10.304 (and possibly others, contact vendor for accurate information) - Vendor Patch Date: Contact vendor - Public Advisory Date: 07.12.2016 - Researcher: Ertunga Arsal and Mert Suoglu ---------------------------------------------------------------------- 3. Vulnerability Information ---------------------------------------------------------------------- - Vendor: PricewaterhouseCoopers (PwC) - Affected Software: ACE-ABAP 8.10.304 - Vulnerability Class: System Compromise, Remote Arbitrary Code Execution, ABAP Injection - CVSS v3 base score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/ S:C/C:H/I:H/A:H) - Remotely Exploitable: Yes - Authentication Required: Yes - Additional Notes: An exploit for this vulnerability is available for ESNC Security Suite Penetration Testing Module customers per individual request. Information about ABAP injection can be found at https://www.enterprise-threat-monitor.com/code-security-vulnerabilities-abap-injection ---------------------------------------------------------------------- 4. Vulnerability Timeline ---------------------------------------------------------------------- 19.08.2016 PwC contacted 22.08.2016 Meeting with PwC, informed them about the impact and the details of the vulnerability and responsible disclosure 05.09.2016 Asked PwC about updates and whether a patch is available 13.09.2016 Received a Cease & Desist letter from PwC lawyers 18.11.2016 Informed that 90 days have passed and ESNC is planning to release a security advisory; asked for any details PwC can share about this matter including risk, affected versions, how to obtain a patch 22.11.2016 Received another Cease & Desist letter from PwC lawyers 07.12.2016 Public disclosure ---------------------------------------------------------------------- 5. Solution & Recommendations ---------------------------------------------------------------------- Enterprise Threat Monitor customers which are running the latest 0-day threat definitions have protection and mitigation capabilities for this vulnerability since August, 2016. For SAP systems which contain sensitive information, we recommend checking the misuse of this ABAP program and existence of ABAP backdoors, if a vulnerable ACE version was installed previously. We recommend removing vulnerable versions of ACE. ---------------------------------------------------------------------- About ESNC ---------------------------------------------------------------------- ESNC GmbH, Germany is an independent company specialized in SAP security audit, SAP penetration testing, ABAP security analysis, SAP vulnerability assessment, and SAP SIEM integration services for protecting SAP systems from data breaches and for detecting and responding to the SAP specific attacks timely. Its flagship product ESNC Security Suite is used by many large enterprises for compliance controls, vulnerability scanning their SAP ABAP, Java and Hana systems, and for running ABAP code security analysis to reduce risks affecting critical business processes and data. ESNC Security Suite's real-time SAP security monitoring module Enterprise Threat Monitor allows SAP specific enterprise threat detection and integrating SAP security with SIEM solutions such as IBM QRadar, HP ArcSight, and Splunk Enterprise. For more information about our products and services, please visit our web page at https://www.esnc.de or https://www.enterprise-threat-monitor.com