lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 7 Dec 2016 15:31:44 +0100
From: ESNC Security <>
Subject: [FD] [ESNC-2041217] Critical Security Vulnerability in PwC ACE
 Software for SAP Security

*[ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP

Please refer to for the original security advisory,
updates, and additional information.

*1. Business Impact*

According to PwC website:
- "Using the proprietary ACE software, we perform diagnostics of SAP’s
inherent risks and backdoors (such as configuration, customization and
security settings) which could be exploited to commit fraud";
- "The purpose of this tool is to analyze SAP security settings and
identify privileged access and potential segregation of duties issues
accurately and efficiently"; and
- "The ABAP files introduce no changes to the production systems and

PwC ACE software has a remotely exploitable security vulnerability which
allows injection and execution of malicious ABAP code on the remote SAP

Based on the business processes implemented on the SAP systems on which ACE
is installed, this security vulnerability may allow an attacker to e.g.
manipulate accounting documents and financial results, bypass change
management controls, and bypass segregation of duties restrictions. This
activity may result in fraud, theft or manipulation of sensitive data
including PII such as customer master data and HR payroll information,
unauthorized payment transactions and transfer of money.

The attacks may be executed from the local network via SAPGui, or from the
public Internet via http/https ICF services such as WebGui and Report, if
the systems are accessible.

An attacker can misuse PwC ACE security vulnerability in order to:
- make changes to the production systems and their settings including
manipulating or corrupting ABAP programs shipped by SAP and making the
system and data inoperable;
- plant an SAP backdoor for accessing the system and sensitive data later;
- shut down the SAP systems and cause downtime.

An in-depth analysis is required to determine whether the system or the
financial data is already compromised via this security vulnerability.

*Risk Level: High*

*2. Advisory Information*

- ESNC Security Advisory ID: ESNC-2041217
- CVE ID: CVE-2016-9832
- Original security advisory and updates:
- Reporting Date: 19.08.2016
- Vulnerability location: User input
- Affected versions: 8.10.304 (and possibly others, contact vendor for
accurate information)
- Vendor Patch Date: Contact vendor
- Public Advisory Date: 07.12.2016
- Researcher: Ertunga Arsal and Mert Suoglu

*3. Vulnerability Information*

- Vendor: PricewaterhouseCoopers (PwC)
- Affected Software: ACE-ABAP 8.10.304
- Vulnerability Class: System Compromise, Remote Arbitrary Code Execution,
ABAP Injection
- CVSS v3 base score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/ S:C/C:H/I:H/A:H)
- Remotely Exploitable: Yes
- Authentication Required: Yes
- Additional Notes: An exploit for this vulnerability is available for ESNC
Security Suite Penetration Testing Module customers per individual request.
Information about ABAP injection can be found at

*4. Vulnerability Timeline*

19.08.2016 PwC contacted
22.08.2016 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
05.09.2016 Asked PwC about updates and whether a patch is available
13.09.2016 Received a Cease & Desist letter from PwC lawyers
18.11.2016 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
22.11.2016 Received another Cease & Desist letter from PwC lawyers
07.12.2016 Public disclosure

*5. Solution & Recommendations*

Enterprise Threat Monitor customers which are running the latest 0-day
threat definitions have protection and mitigation capabilities for this
vulnerability since August, 2016.

For SAP systems which contain sensitive information, we recommend checking
the misuse of this ABAP program and existence of ABAP backdoors, if a
vulnerable ACE version was installed previously.

We recommend removing vulnerable versions of ACE.

*About ESNC*

ESNC GmbH, Germany is an independent company specialized in SAP security
audit, SAP penetration testing, ABAP security analysis, SAP vulnerability
assessment, and SAP SIEM integration services for protecting SAP systems
from data breaches and for detecting and responding to the SAP specific
attacks timely.

Its flagship product ESNC Security Suite is used by many large enterprises
for compliance controls, vulnerability scanning their SAP ABAP, Java and
Hana systems, and for running ABAP code security analysis to reduce risks
affecting critical business processes and data.

ESNC Security Suite's real-time SAP security monitoring module Enterprise
Threat Monitor allows SAP specific enterprise threat detection and
integrating SAP security with SIEM solutions such as IBM QRadar, HP
ArcSight, and Splunk Enterprise.

For more information about our products and services, please visit our web
page at or

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists