BlackHat talk hibernated over 0-day in SAP's Afaria mobile manager
Researcher has form as a gent: he held back disclosure of medical records leak
Updated Alexander Polyakov has been forced to withdraw a talk detailing dangerous vulnerabilities in SAP's mobile device management product Afaria, scheduled to be given at BlackHat Asia Pacific this week.
The prolific SAP hacker and chief technology officer of ERPScan says his talk was scuppered after SAP failed to patch the vulnerabilities after being informed some 12 months ago.
Polyakov has not disclosed specific details of the flaws, as he is acting under responsible disclosure rules, but says it places businesses at risk.
"The vulnerabilities are pretty dangerous and not easy to fix," Polyakov told The Register.
"We can't deliver the talk because they (SAP) were unable to fix some issues."
Afaria is used in Australia by the likes of Powercor and Hewlett Packard, according to SAP.
Polyakov says the flaws relate to an unexpectedly privileged level of control attackers can achieve on mobile devices under management, rather than data theft.
The hacker would have also revealed tardy patching efforts for a dangerous flaw in SAP's Electronic Medical Records Unwired application that until last week could grant attackers access to sensitive medical records.
He found a second flaw in the app that meant attackers could force it to connect to malicious servers.
It took SAP six months to fix the first flaw but nearly two years to patch the second after it first acknowledged it in April 2013, despite Polyakov considering the issues an "easy" fix.
"Attackers could potentially access X-rays and medical images, laboratory results, and all types of healthcare data that could be stored," Polyakov says.
He says attackers could upload fake patient records to medical servers.
The app contained a local SQL injection vulnerability allowing attackers to access the app's database if they are able to get staff to install malicious apps on their Android phones.
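To illustrate the class of defect described above, here is a small added example (constructed for this article, not code from SAP's EMR Unwired app or from ERPScan). It stands in for an app's local database with an in-memory SQLite table of constructed sample records, shows a lookup that splices an untrusted identifier into SQL text (the kind of value another app on the same device could supply), and the hardened version that binds the value as a parameter and checks its format first. The table name, record fields and `P-NNNN` identifier format are assumptions for the demo.

```python
import re
import sqlite3

# Constructed sample data standing in for an app's local medical-records table.
SAMPLE_RECORDS = [
    ("P-1001", "alice", "x-ray: clear"),
    ("P-1002", "bob", "lab: glucose 5.4"),
    ("P-1003", "carol", "mri: pending"),
]

# Assumed identifier format; anything else is rejected before it reaches SQL.
PATIENT_ID_RE = re.compile(r"P-\d{4}")


def build_db():
    """Create an in-memory SQLite database loaded with the sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (patient_id TEXT, name TEXT, note TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_RECORDS)
    return conn


def lookup_vulnerable(conn, patient_id):
    """Defective lookup: the untrusted value becomes part of the SQL text,
    so a crafted identifier changes the query instead of being matched."""
    sql = "SELECT patient_id, name, note FROM records WHERE patient_id = '%s'" % patient_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, patient_id):
    """Hardened lookup: the value is validated against the expected format and
    then bound as a parameter, so SQLite never parses it as SQL."""
    if not PATIENT_ID_RE.fullmatch(patient_id):
        return []  # reject malformed input instead of querying with it
    sql = "SELECT patient_id, name, note FROM records WHERE patient_id = ?"
    return conn.execute(sql, (patient_id,)).fetchall()


def compare(patient_id):
    """Run both lookups on the same input and report how many rows each returns."""
    conn = build_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, patient_id)),
        "hardened_rows": len(lookup_hardened(conn, patient_id)),
    }


if __name__ == "__main__":
    print("legitimate id:", compare("P-1001"))
    print("crafted id:   ", compare("' OR '1'='1"))
```

With a legitimate identifier both functions return the single matching row. With the crafted value the vulnerable function's WHERE clause becomes always true and every record is returned, while the hardened function rejects the input before it reaches the database. On Android the same principle applies to `SQLiteDatabase.query()` and `rawQuery()` with bound arguments, and exported components should not accept raw query fragments from other apps at all.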
Polyakov also planned to discuss a third since-fixed flaw he found recently in SAP's mobile device management platform.
The buffer overflow vulnerabilities exposed businesses to distributed denial of service attacks. Polyakov says they could be most damaging if attackers used them to stop manufacturing plants or executives from connecting to mission critical systems. ®
SAP contacted The Reg after publishing to make the following statement: "SAP addressed the two vulnerabilities identified in SAP’s Electronic Medical Records (EMR) Unwired database in 2013. SAP continues to be committed to ensuring all of its product offerings are safe and reliable." ®