Fatal flaw found in PricewaterhouseCoopers SAP security software
Instead of fixing the issue, PwC lawyered up
A security tool built for SAP systems by PricewaterhouseCoopers has turned out to have worrying security holes of its own.
German security research firm ESNC has been analyzing the Automated Controls Evaluator (ACE), which extracts relevant security and configuration data from an SAP system, analyzes it, and generates exception reports by review. But there appears to be a high-risk hole in the software.
"This security vulnerability may allow an attacker to manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," ESNC said in an advisory.
"This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money."
The flaw affects version 8.10.304, but earlier versions might also be affected. It allows an attacker to inject malware into SAP's Advanced Business Application Programming code systems either remotely or onsite. That could potentially allow the entire server to be backdoored.
"The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients," a PwC spokeswoman told The Reg. "The bulletin describes a hypothetical and unlikely scenario – we are not aware of any situation in which it has materialized."
What's potentially worrying about this case is, however, what ESNC said happened when they got in contact with PwC. The team sent an advisory to PwC on August 18, and had a meeting with PwC officials three days later.
After hearing nothing for two weeks, they contacted PwC again to check on progress. They didn’t get a response, they said, but eight days later they got some – a cease and desist letter from PwC's lawyers.
ESNC got a similar legal letter in November, after they informed PwC that they were planning to disclose the vulnerability in November. It appears some companies haven't heard the latest ideas on responsible disclosure and are lawyering up rather than fixing faults. ®