SAP finally patches critical, remotely exploitable bugs in GRC solution

More than a year and a half after they were reported to SAP AG, the company has issued a patch for a number of critical, remotely exploitable security vulnerabilities in its Governance, Risk and Compliance (GRC) software.

“SAP GRC Access Control has multiple remote vulnerabilities, which may allow an attacker to elevate privileges, bypass SoD restrictions and execute arbitrary programs. An attacker can also exploit these vulnerabilities remotely using RFC protocol or if SOAP-RFC is active, through http/https,” German-based SAP security research company ESNC reported in a security advisory issued on Tuesday.

Discovered by ESNC founder Ertunga Arsal and SAP security consultant Mert Suoglu and reported to the company on April 1, 2013, the vulnerabilities affect a single function. Exploitation requires authentication, but the bug’s severity score is nevertheless very high.

“We recommend SAP customers to apply the security patch [SAP Note 2039348] and implement manual instructions supplied by the vendor,” ESNC researchers advised. They noted that customers of the company’s Security Suite have been protected against exploitation of this vulnerability since April 2013, and that an exploit for it is available in the solution’s Penetration Testing Module.
