WAGENINGEN, Netherlands: March 24, 2017 — Research by ERP-SEC has led to the discovery of several critical vulnerabilities in the inbound email processing functionality of SAP systems. This affects customers worldwide and exposes them to risks such as theft of business data, business process disruption and fraud.
The vulnerabilities were demonstrated at the Troopers security conference, an annual security conference with a dedicated SAP security track. Joris van de Vis, researcher at ERP-SEC, demonstrated full compromises of SAP systems that use these inbound email capabilities.
In close cooperation with the SAP Product Security Response Team, the vulnerabilities were resolved and patches have been released to mitigate them. SAP has released Security Note 2308217 to address the vulnerabilities.
As stated by Joris van de Vis, “The impact of these vulnerabilities can be severe for SAP customers that use the inbound mail processing functionality as it can be exploited over the internet and without authentication. In some cases we even managed to completely take over SAP systems by sending just one email to them with a specially crafted attachment. The precise percentage of affected customers is unclear, but a quick check under some of our customers shows around 50 percent of them use the inbound mail capabilities of their SAP systems.”