By Freya Purnell
Enterprise application security specialist ERPscan has identified a number of vulnerabilities in the SAP Mobile Platform.
One of the issues discovered by ERPscan researchers concerned the disclosure of critical healthcare information in the SAP EMR Unwired application for Android.
The application allows medical professionals to access patient information such as x-ray and CT images, lab results, charts and clinical orders. Due to a SQL injection vulnerability in the mobile application, by uploading a malicious app to a victim’s phone, an attacker could gain access to critical information stored in a local application database.
ERPscan also found multiple buffer overflow vulnerabilities in the Sybase SQL Anywhere database used by the SAP Mobile Platform, which could be exploited for denial-of-service attacks and potentially for remote command execution in a sabotage attack.
A third issue was discovered in the SAP Mobile Platform Portal, where an XML External Entity (XXE) vulnerability opened the Portal up to multiple attack vectors. This makes it possible for attackers to execute denial-of-service attacks that could stop all interactions between mobile devices and the ERP system or other mission-critical applications, as well as to gain access to the file system and possibly full control over the server.
ERPscan reported these issues to SAP, which has since closed the vulnerabilities, with patches available via SAP Security Notes through the SAP Portal.