Critical vulnerability in SAP Afaria MDM can put millions of mobile users at risk of losing access to corporate data

August 2015

A critical buffer overflow vulnerability in the SAP Afaria MDM server,
which can disable access to corporate systems for millions of mobile
users, was published today on ERPScan's website.

ERPScan, the most respected and credible Business Application Security
company providing solutions to assess and secure SAP and Oracle ERP
systems, today published details of the vulnerability in the SAP Afaria
MDM solution. This vulnerability, together with other critical issues in
SAP Afaria, was scheduled to be presented at the BlackHat APAC security
conference in March, but ERPScan withdrew the presentation in keeping
with responsible disclosure rules.

Now, 3 months after SAP released the patch, we provide some details
about those vulnerabilities. One of them is a buffer overflow
vulnerability in SAP's Afaria platform, one of the most popular MDM
solutions and, according to the 2014 Forrester Wave for Enterprise
Mobility Management, the leader in that market. Afaria has also been the
long-time leader in the mobile device management software market: as
reported by IDC Corp., Afaria led the MDM market for 10 straight years,
with about 20% market share and 1,000 corporate customers in 2012.
According to the latest available information, 6300 customers use this
solution.

The buffer overflow vulnerability in SAP's Afaria platform can be
exploited remotely without authentication and can be used to conduct a
Denial of Service attack against a company's MDM solution. According to
information on SAP's website, large organizations manage thousands of
mobile devices via their MDM system. Once a company's MDM system is
compromised, employees will be unable to perform daily duties such as
procurement, warehouse management and shipping. Far more importantly,
top executives are the main users of mobile devices and prefer to view
all reports on their iPhones, so their smartphones can also be affected.
The vulnerability can potentially be used to execute malicious code on
the server and, as a result, gain access to all managed devices and
modify their configurations.

This month SAP also patched several vulnerabilities in both SAP Mobile
Platform <http://erpscan.com/advisories/erpsc...> and SAP Afaria MDM
<http://erpscan.com/advisories/erpsc...> discovered by ERPScan
researchers.

This year the number of vulnerabilities in mobile platforms is growing
rapidly. In 2013, we discovered the first SAP mobile application
vulnerability ever; by 2015, almost 30 issues in SAP Mobile applications
have already been closed, and patches for many others are still in
progress.

We strongly recommend that SAP customers pay attention to these
vulnerabilities and apply the appropriate patches, as well as the other
patches provided in the recent SAP Security update.

An ERPScan researcher will deliver a detailed presentation on SAP Afaria
security, titled "SAP Afaria. One SMS to hack a company", at the
HackerHalted conference on September 17. As the name of the talk
suggests, we are going to disclose another critical issue in SAP Afaria
that can potentially be exploited via SMS. No other details are
available at this moment.


Source:
http://erpscan.com/press-center/news/critical-vulnerability-in-sap-afaria-mdm-can-put-millions-of-mobile-users-at-risk-of-denial-of-access-to-corporate-data/
