This is a guest post from Mariano Nunez and Juan Perez-Etchegoyen
Juan Perez-Etchegoyen (@jp_pereze) and Mariano Nunez (@marianonunezdc) from Onapsis here, thrilled to be troopers for the third time! In this post we want to share with you a glimpse of what you will see regarding SAP security at this amazing conference.
Last week we released advisories regarding several vulnerabilities affecting SAP platforms. Some of these vulnerabilities are in fact very critical, and their exploitation could lead to a full compromise of the entire SAP implementation – even by completely anonymous attackers. Following our responsible disclosure policy, SAP released the relevant SAP Security Notes (patches) for all these vulnerabilities a long time ago, so if you are an SAP customer, make sure you have properly implemented them!
Specifically, these are the advisories for the published vulnerabilities:
- 2013-02-21 ONAPSIS-2013-006: SAP SMD Agent Code Injection
- 2013-02-21 ONAPSIS-2013-005: SAP CCMS Agent Code Injection
- 2013-02-21 ONAPSIS-2013-004: SAP J2EE Core Service Arbitrary File Access
- 2013-02-21 ONAPSIS-2013-003: SAP Enterprise Portal Cross-Site-Scripting
- 2013-02-21 ONAPSIS-2013-002: SAP SDM Denial of Service
- 2013-02-21 ONAPSIS-2013-001: SAP Portal PDC Information Disclosure
One of them is the first vulnerability ever ranked by SAP with a CVSSv2 risk of 10! And you are going to see that live at Troopers!
If you want to understand how some of these vulnerabilities can affect your SAP platform, you can’t miss the BIZEC workshop: join us and the leading SAP experts to learn how to protect your SAP systems from cyber-attacks, watching live demonstrations of SAP exploits and the necessary countermeasures you need to apply to prevent them! Be part of open discussions with your peers – the Troopers in full swing!
If all this is not enough to satisfy your appetite for the latest SAP security knowledge, Troopers has a premiere for you: the first presentation ever on SAP Forensics! We are going to show you how to analyze whether your SAP system was hacked, where attackers may have left their fingerprints and what to do about it.
We very much look forward to meeting you at Troopers!
Juan Perez-Etchegoyen & Mariano Nunez @Onapsis