Message-ID: <SNT115-W49452C1760EF31A5E01CBEA04E0@phx.gbl>
Date: Thu, 11 Feb 2010 11:47:58 -0400
From: Rosa Maria Gonzalez Pereira <analuis13@...mail.com>
To: <research@...psis.com>, <full-disclosure@...ts.grok.org.uk>
Subject: Re: [Onapsis Security Advisory 2010-004] SAP J2EE Authentication Phishing Vector
What do I do with these emails, I already have thousands...
__________________________________________________________________
> Date: Thu, 11 Feb 2010 12:17:04 -0200
> From: research@...psis.com
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] [Onapsis Security Advisory 2010-004] SAP J2EE Authentication Phishing Vector
>
>
> Onapsis Security Advisory 2010-004: SAP J2EE Authentication Phishing Vector
>
> This advisory can be downloaded from http://www.onapsis.com/research.html.
> By downloading this advisory from the Onapsis Resource Center, you will
> gain access to beforehand information on upcoming advisories, presentations
> and new research projects from the Onapsis Research Labs.
>
>
> 1. Impact on Business
> =====================
>
> By exploiting this vulnerability, an internal or external attacker would
> be able to perform attacks on the Organization's users through weaknesses
> in the SAP system.
>
> An attacker would send specially crafted emails to users of the
> Organization's SAP system. After they have been successfully
> authenticated by the application, they would be redirected to an
> attacker-controlled web site where he would be able to perform different
> attacks over their systems and/or trick them into providing sensitive
> information.
>
> - Risk Level: Medium
>
>
> 2. Advisory Information
> =======================
>
> - Release Date: 2010-02-10
>
> - Last Revised: 2010-02-10
>
> - Security Advisory ID: ONAPSIS-2010-004
>
> - Onapsis SVS ID: ONAPSIS-000005
>
> - Researcher: Mariano Nuñez Di Croce
>
>
> 3. Vulnerability Information
> ============================
>
> - Vendor: SAP
>
> - Affected Components:
>
> . SAP JAVA CORE 6.40 < SP26
> . SAP JAVA CORE 7.00 < SP02
> . SAP JAVA CORE 7.01 < SP07
> . SAP JAVA CORE 7.02 < SP03
>
> - Vulnerability Class: Phishing Vector
>
> - Remotely Exploitable: Yes
>
> - Locally Exploitable: Yes
>
> - Authentication Required: No
>
>
> 4. Affected Components Description
> ==================================
>
> The SAP J2EE Engine is a key component of the SAP NetWeaver application
> platform, which enables the development and execution of Java solutions
> in SAP landscapes.
>
> The J2EE Engine is the component on which, for example, the SAP
> Enterprise Portal solution is built and executed.
>
>
> 5. Vulnerability Details
> ========================
>
> The authentication mechanism of the SAP J2EE Engine (which is shared by
> the Enterprise Portal and other solutions) suffers from a phishing vector
> vulnerability, which may allow a remote attacker to perform different
> attacks against the organization's SAP users.
>
> Onapsis is not distributing technical details about this issue to the
> general public at this moment in order to provide enough time to affected
> customers to patch their systems and protect against the exploitation of
> the described vulnerability.
>
>
> 6. Solution
> ===========
>
> SAP has released SAP Note 1175239, which provides a patched version of
> the affected components.
>
> This patch can be downloaded from
> https://service.sap.com/sap/support/notes/1175239 .
>
> Onapsis strongly recommends that SAP customers download the related
> security fix and apply it to the affected components in order to reduce
> business risks.
>
>
> 7. Report Timeline
> ==================
>
> . 2009-11-24: Onapsis provides vulnerability information to SAP.
> . 2009-11-24: SAP confirms reception of vulnerability submission.
> . 2010-02-09: SAP releases security patch.
> . 2010-02-10: Onapsis releases security advisory.
>
>
> 8. About Onapsis Research Labs
> ==============================
>
> Onapsis is continuously investing resources in the research of the
> security of business critical systems and applications.
>
> With that objective in mind, a special unit, the Onapsis Research Labs,
> has been developed since the creation of the company. The experts involved
> in this special team lead the public research trends in this matter,
> having discovered and published many of the public security
> vulnerabilities in these platforms.
>
> The outcome of this advanced and cutting-edge research is continuously
> provided to the Onapsis Consulting and Development teams, improving the
> quality of our solutions and enabling our customers to be protected from
> the latest risks to their critical business information.
>
> Furthermore, the results of these research projects are usually shared
> with the general security and professional community, encouraging the
> sharing of information and increasing the common knowledge in this field.
>
>
> 9. About Onapsis
> ================
>
> Onapsis is the leading provider of solutions for the security of
> business-critical systems and applications.
>
> Through different innovative products and services, Onapsis helps its
> global customers to effectively increase the security level of their core
> business platforms, protecting their information and decreasing
> financial fraud risks.
>
> Onapsis is built upon a team of world-renowned experts in the SAP
> security field, with several years of experience in the assessment and
> protection of critical platforms in world-wide customers, such as
> Fortune-500 companies and governmental entities.
>
> Some of our featured services include SAP Penetration Testing, SAP
> Gateway & RFC security, SAP Enterprise Portal security assessment,
> Security Support for SAP Implementations and Upgrades, SAP System
> Hardening and SAP Technical Security Audits.
>
> For further information about our solutions, please contact us at
> info@...psis.com and visit our website at www.onapsis.com.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
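The advisory withholds the technical details, but the behaviour it describes (a user completes authentication and is then sent on to an attacker-controlled site) is the post-login redirect pattern, and the defensive control for that class is to validate the redirect target before issuing it. The Python below is an added illustration of that check; it is not Onapsis's finding, nor SAP's fix, and the host name and landing page are assumed values.

```python
from urllib.parse import unquote, urlsplit, urlunsplit

# Assumed values for this example (not from the advisory): the application's own
# host name and the page to land on whenever a supplied target is rejected.
TRUSTED_HOST = "portal.example.internal"
DEFAULT_LANDING = "/home"


def safe_redirect_target(candidate, trusted_host=TRUSTED_HOST, default=DEFAULT_LANDING):
    """Return a post-login redirect target that stays on the application, else the default.

    Only a path on our own host is ever returned, rebuilt from the parsed path and
    query, so any scheme, authority or fragment the caller supplied is discarded.
    """
    if not candidate:
        return default
    # Decode once so percent-encoded slashes or schemes cannot slip past the checks.
    target = unquote(candidate).strip()
    # Control characters (header injection) and backslashes (browsers read "\" as "/")
    # are rejected outright rather than normalised.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target) or "\\" in target:
        return default
    try:
        parts = urlsplit(target)
        hostname = parts.hostname  # strips userinfo and port, lower-cases the host
    except ValueError:  # e.g. malformed IPv6 literal in the authority
        return default
    # Any explicit scheme other than https (javascript:, data:, http:) leaves the app.
    if parts.scheme and parts.scheme.lower() != "https":
        return default
    # If an authority is present it must be exactly our host; comparing the parsed
    # hostname also defeats "trusted@evil" and "trusted:port" variations.
    if parts.netloc and hostname != trusted_host:
        return default
    path = parts.path or "/"
    # Require a single leading slash: a path beginning "//" after a trusted authority
    # would be interpreted by the browser as a new, scheme-relative host.
    if not path.startswith("/") or path.startswith("//"):
        return default
    return urlunsplit(("", "", path, parts.query, ""))


def check_candidates(candidates):
    """Map each candidate target to what the application would actually send."""
    return {c: safe_redirect_target(c) for c in candidates}
```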