
PwC ACE Software For SAP Security 8.10.304 ABAP Injection

Posted Dec 7, 2016
Authored by Ertunga Arsal, Mert Suoglu | Site esnc.de

PwC ACE software has a remotely exploitable security vulnerability which allows injection and execution of malicious ABAP code on the remote SAP system. Version 8.10.304 is affected.

tags | advisory, remote
advisories | CVE-2016-9832
SHA-256 | 09d0145e8338540901d89d889ba9cd283557db57962fdcd684e04dc0bbc61648

[ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for
SAP Security

Please refer to https://www.esnc.de for the original security
advisory, updates, and additional information.

----------------------------------------------------------------------
1. Business Impact
----------------------------------------------------------------------

According to PwC website:
- "Using the proprietary ACE software, we perform diagnostics of SAP's
inherent risks and backdoors (such as configuration, customization and
security settings) which could be exploited to commit fraud";
- "The purpose of this tool is to analyze SAP security settings and
identify privileged access and potential segregation of duties issues
accurately and efficiently"; and
- "The ABAP files introduce no changes to the production systems and settings".

PwC ACE software has a remotely exploitable security vulnerability
which allows injection and execution of malicious ABAP code on the
remote SAP system.

Based on the business processes implemented on the SAP systems on
which ACE is installed, this security vulnerability may allow an
attacker to e.g. manipulate accounting documents and financial
results, bypass change management controls, and bypass segregation of
duties restrictions. This activity may result in fraud, theft or
manipulation of sensitive data including PII such as customer master
data and HR payroll information, unauthorized payment transactions and
transfer of money.

The attacks may be executed from the local network via SAPGui, or from
the public Internet via http/https ICF services such as WebGui and
Report, if the systems are accessible.

An attacker can misuse the PwC ACE security vulnerability in order to:
- make changes to the production systems and their settings including
manipulating or corrupting ABAP programs shipped by SAP and making the
system and data inoperable;
- plant an SAP backdoor for accessing the system and sensitive data later; and
- shut down the SAP systems and cause downtime.

An in-depth analysis is required to determine whether the system or
the financial data is already compromised via this security
vulnerability.

Risk Level: High


----------------------------------------------------------------------
2. Advisory Information
----------------------------------------------------------------------

- ESNC Security Advisory ID: ESNC-2041217
- CVE ID: CVE-2016-9832
- Original security advisory and updates:
https://www.esnc.de/security-advisories/vulnerability-in-pwc-ace-for-sap-security
- Reporting Date: 19.08.2016
- Vulnerability location: User input
- Affected versions: 8.10.304 (and possibly others, contact vendor for
accurate information)
- Vendor Patch Date: Contact vendor
- Public Advisory Date: 07.12.2016
- Researcher: Ertunga Arsal and Mert Suoglu


----------------------------------------------------------------------
3. Vulnerability Information
----------------------------------------------------------------------

- Vendor: PricewaterhouseCoopers (PwC)
- Affected Software: ACE-ABAP 8.10.304
- Vulnerability Class: System Compromise, Remote Arbitrary Code
Execution, ABAP Injection
- CVSS v3 base score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- Remotely Exploitable: Yes
- Authentication Required: Yes
- Additional Notes: An exploit for this vulnerability is available for
ESNC Security Suite Penetration Testing Module customers per
individual request. Information about ABAP injection can be found at
https://www.enterprise-threat-monitor.com/code-security-vulnerabilities-abap-injection


----------------------------------------------------------------------
4. Vulnerability Timeline
----------------------------------------------------------------------

19.08.2016 PwC contacted
22.08.2016 Meeting with PwC, informed them about the impact and the
details of the vulnerability and responsible disclosure
05.09.2016 Asked PwC about updates and whether a patch is available
13.09.2016 Received a Cease & Desist letter from PwC lawyers
18.11.2016 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about
this matter including risk, affected versions, how to obtain a patch
22.11.2016 Received another Cease & Desist letter from PwC lawyers
07.12.2016 Public disclosure


----------------------------------------------------------------------
5. Solution & Recommendations
----------------------------------------------------------------------

Enterprise Threat Monitor customers who are running the latest 0-day
threat definitions have had protection and mitigation capabilities for
this vulnerability since August 2016.

For SAP systems which contain sensitive information, we recommend
checking for misuse of this ABAP program and for the existence of ABAP
backdoors, if a vulnerable ACE version was installed previously.

We recommend removing vulnerable versions of ACE.


----------------------------------------------------------------------
About ESNC
----------------------------------------------------------------------

ESNC GmbH, Germany is an independent company specializing in SAP
security audit, SAP penetration testing, ABAP security analysis, SAP
vulnerability assessment, and SAP SIEM integration services for
protecting SAP systems from data breaches and for detecting and
responding to SAP-specific attacks in a timely manner.

Its flagship product ESNC Security Suite is used by many large
enterprises for compliance controls, vulnerability scanning their SAP
ABAP, Java and Hana systems, and for running ABAP code security
analysis to reduce risks affecting critical business processes and
data.

ESNC Security Suite's real-time SAP security monitoring module
Enterprise Threat Monitor allows SAP specific enterprise threat
detection and integrating SAP security with SIEM solutions such as IBM
QRadar, HP ArcSight, and Splunk Enterprise.

For more information about our products and services, please visit our
web page at https://www.esnc.de or
https://www.enterprise-threat-monitor.com