During SAP assessments, Nicolas Schickert, in charge of usd SAP-Pentests, discovered so-far unknown vulnerabilities in SAP products. These so-called zero-day vulnerabilities can have devastating effects. If these vulnerabilities were to become known, attackers could exploit them before the manufacturer can provide a suitable security patch. Our pentest professionals are aware of this responsibility and support manufacturers in developing timely solutions and closing critical security gaps. Therefore, the identified vulnerabilities were promptly reported to SAP within the "usd Responsible Disclosure" process and subsequently included in the "Acknowledgements to Researcher" document on the SAP website.
Nicolas Schickert emphasizes the importance of a specialized approach: "The discovery of these vulnerabilities in seemingly secure and standard-configured services highlights the importance of thoroughly examining such products not only through a security scan, but also through pentests. While a security scan can only identify known vulnerabilities, a pentest allows a deeper, individual and targeted search for vulnerabilities even beyond known gateways."
Especially in highly complex SAP landscapes, in-depth expertise and detailed knowledge of the products are necessary to perform a comprehensive analysis of the current security standard. New security vulnerabilities often arise in this context due to configuration errors or individual circumstances.
"Thanks to the open communication and efficient exchange between our colleagues and the development teams of SAP, the vulnerabilities could be fixed promptly. In this way, we were able to make an important contribution to the security of SAP products," Schickert adds.
Detailed information about the advisories can be found here.