March 24, 2017
A remote code execution flaw in SAP GUI for Windows, the desktop client for SAP systems, opens the door to ransomware attacks on enterprises that rely on SAP products to run and keep track of their business operations.
SAP, a German company whose enterprise software is used by over 335,000 customers in 190 countries, patched the issue last week.
Windows SAP client flaw could lead to ransomware
Discovered by ERPScan, a company that makes several security products for SAP's vast software platform, the issue affects the Windows GUI application that SAP customers install on their employees' computers, at work and sometimes at home. The application lets employees log into their company's SAP systems and work from a dedicated app instead of a browser.
The flaw, tracked as CVE-2017-6950 and fixed in SAP Security Note 2407616, allows an attacker to execute malicious code on the user's computer through the SAP Windows client.
The only precondition is that the attacker controls an SAP ABAP (Advanced Business Application Programming) server that the client connects to, so that the server can send malicious content to the SAP Windows client. Because the malicious input arrives from the server side, the fix lives in the client: installing the patched SAP GUI version referenced in the security note protects the workstation even when the server it talks to has already been compromised.
According to ERPScan, taking over such a server is not as hard as most people think: the company counts over 3,800 vulnerabilities affecting SAP products, most of which stay unpatched in customer systems for an average of six years.
Ransomware attack on SAP users (via ERPScan)
Detailing a theoretical attack, the researchers argue that an attacker who has taken over an SAP ABAP server can register an SAP transaction with the server's autoload feature, so that it runs automatically when a user logs on.
The next time a user authenticates with the SAP Windows client, the server delivers that autoload transaction, which carries an exploit for CVE-2017-6950 and runs attacker-supplied code on the user's machine.
The payload could take many forms, but an attacker could simply instruct the victim's workstation to download and install ransomware.
Because compromising a single SAP ABAP server in this way opens the door to installing ransomware on hundreds or thousands of enterprise workstations, ransomware operators have a strong incentive to carry out such attacks.