Critical vulnerability in SAP Afaria MDM

An advisory describing a critical buffer overflow vulnerability in the SAP Afaria MDM server, which can disable access to corporate systems for millions of mobile users, was published today on ERPScan's website.

Press Release

ERPScan, the most respected and credible Business Application Security company providing solutions to assess and secure SAP and Oracle ERP systems, today published details of a vulnerability in the SAP Afaria MDM solution. This vulnerability, together with other critical issues in SAP Afaria, was scheduled to be presented at the BlackHat APAC security conference in March, but ERPScan withdrew the presentation in accordance with responsible disclosure rules.

Now, 3 months after SAP released the patch, we provide some details about those vulnerabilities. One of them is a buffer overflow vulnerability in SAP's Afaria platform, one of the most popular MDM solutions and the leader in the 2014 Forrester Wave for Enterprise Mobility Management. Afaria has also been the long-time leader in the mobile device management software market. As reported by IDC, Afaria led the MDM market for 10 straight years, with about 20% market share and 1,000 corporate customers in 2012. According to the latest available information, 6,300 customers use this solution.

The buffer overflow vulnerability in SAP's Afaria platform can be exploited remotely without authentication and can be used to conduct a denial-of-service attack against a company's MDM solution. According to SAP's website, large organizations manage thousands of mobile devices via an MDM system. Once a company's MDM system is compromised, employees will be unable to perform daily duties such as procurement, warehouse management, shipping and so on. Far more importantly, top executives are the main users of mobile devices and prefer to view all reports on their iPhones, so their smartphones can also be affected. The vulnerability can also be used to execute malicious code on the server and, as a result, to obtain access to all managed devices and modify their configurations.

This month SAP also patched several vulnerabilities in both SAP Mobile Platform and SAP Afaria MDM discovered by ERPScan researchers.

This year the number of vulnerabilities in mobile platforms is growing rapidly. In 2013, we discovered the first SAP mobile application vulnerability ever; by 2015 almost 30 issues in SAP mobile applications have already been closed, and patches for many others are still in progress.

We strongly recommend that SAP customers pay attention to these vulnerabilities and apply the appropriate patches, as well as the other patches provided in the recent SAP Security update.

An ERPScan researcher will deliver a detailed presentation on SAP Afaria security, titled "SAP Afaria. One SMS to hack a company", at the HackerHalted conference on September 17. As the title suggests, we are going to disclose another critical issue in SAP Afaria, one that can potentially be exploited via SMS. No other details are available at this moment.