
Critical flaw in PricewaterhouseCoopers SAP security tool, but PwC tries downplay it


The Automated Controls Evaluator (ACE), a tool developed by PricewaterhouseCoopers for SAP systems, is affected by a critical security flaw that could be exploited by hackers.

The vulnerability was discovered by the security firm ESNC, which analyzed the tool. The Automated Controls Evaluator (ACE) is a diagnostic SAP tool that extracts security and configuration data from SAP systems and analyzes it to discover backdoors (such as in configuration, customization and security settings) and misconfigurations that attackers could exploit to commit fraud.

“The purpose of this tool is to analyze SAP security settings and identify privileged access and potential segregation of duties issues accurately and efficiently,” and “The ABAP files introduce no changes to the production systems and settings,” states the PricewaterhouseCoopers website.

The researchers from ESNC discovered that the PwC ACE software is affected by a remotely exploitable security flaw that could be used to inject and execute malicious ABAP code on the remote SAP system. The potential impact on the companies that use the tool is critical: the vulnerability may allow an attacker to bypass change management controls, bypass segregation of duties restrictions and, of course, manipulate accounting documents and financial results, exposing the business to fraudulent activities.

“This security vulnerability may allow an attacker to manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions,” states the advisory published by ESNC.

“This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money.” “The attacks may be executed from the local network via SAPGui, or from the public Internet via http/https ICF services such as WebGui and Report, if the systems are accessible.”

The vulnerability affects version 8.10.304; earlier versions may also be affected.

A PricewaterhouseCoopers spokeswoman tried to downplay the issue, explaining that the company is not aware of any problem with its software.

“The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients,” a PwC spokeswoman told The Reg. “The bulletin describes a hypothetical and unlikely scenario – we are not aware of any situation in which it has materialized.”

The Reg highlighted the difficulties ESNC faced in reporting the issue to PricewaterhouseCoopers. The flaw was reported in August, but PwC initially did not respond; its lawyers then sent the security researchers an email telling them to “desist” from their investigation.

Below is the vulnerability timeline shared by ESNC:

  • 19.08.2016 PwC contacted
  • 22.08.2016 Meeting with PwC, informed them about the impact and the details of the vulnerability and responsible disclosure
  • 05.09.2016 Asked PwC about updates and whether a patch is available
  • 13.09.2016 Received a Cease & Desist letter from PwC lawyers
  • 18.11.2016 Informed that 90 days have passed and ESNC is planning to release a security advisory; asked for any details PwC can share about this matter including risk, affected versions, how to obtain a patch
  • 22.11.2016 Received another Cease & Desist letter from PwC lawyers
  • 07.12.2016 Public disclosure

This is the wrong approach to cyber security.


Pierluigi Paganini

(Security Affairs – PricewaterhouseCoopers SAP tool, hacking)