Critical flaw found in SAP software
The ACSC has warned of a critical flaw in SAP software that could potentially allow attackers to take control of trusted SAP applications.
The vulnerability can be exploited remotely over HTTP without the need of a username or password. Due to these characteristics, it has been given the highest possible score of 10 on the Common Vulnerability Scoring System.
Once attackers have gained control, they would be able to read, modify or delete every database record or file in the system, according to Onapsis.
“Because of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability also may constitute a deficiency in an enterprise’s IT controls for regulatory mandates,” the company said.
SAP has issued security patches for the vulnerability, which the ACSC urges uses of the products to implement as soon as possible.
Potentially vulnerable SAP solutions include all SAP Java-based solutions, including its popular ERP, CRM and supply chain management software. Onapsis estimates that as many as 40,000 SAP customers worldwide might be affected by the bug.
As a mitigation measure, the ACSC is recommending that organisations unable to immediately apply the patches disable the LM Configuration Wizard service.
If this cannot be completed immediately, the ACSC recommends organisations monitor SAP Netweaver systems and logs for any unusual activities.
Claroty said it has found and reported critical vulnerabilities in three popular VPN products...
Most security professionals lack the tools to detect known security threats and close known...
The new company, CyAmast, is based on software developed by Dr Hassan Habibi and his research...