Saturday, April 20 2024

Hackers began to “deprive” people of work

Your job is now in the hands of computer fraudsters.

Experts at SEC Consult have discovered a rather annoying flaw in the SAP E-Recruiting recruiting system that allows attackers to interfere with the hiring process and block applicants' submissions.

Usually, when an applicant registers in the E-Recruiting enterprise application, a link is sent to their e-mail address asking them to confirm that they have access to the mailbox. However, this procedure can be circumvented: malicious users can register and confirm an e-mail address to which they have no access.


That is, an attacker can register an e-mail address that does not belong to him, which can have significant consequences for business, since business processes depend heavily on the accuracy of e-mail address information.
Moreover, since an e-mail address can be registered only once, the attacker can prevent legitimate applicants from registering in E-Recruiting.

The vulnerability affects versions 605, 606, 616 and 617. It was discovered in July 2017; SAP responded fairly quickly and confirmed the problem. A patch and a security bulletin were released simultaneously on September 12.
Non-unique value

As SEC Consult's experts describe it, the address-confirmation e-mail contains a link whose HTTP GET parameters, “candidate_hrobject” and “corr_act_guid”, are Base64-encoded. The first is the user ID, which is assigned incrementally; the second is an arbitrary value used when confirming the e-mail address. However, this value is not tied to any particular registration, so the value from any previous registration of the user can be reused. And because the value of “candidate_hrobject” increases steadily, an attacker can guess it.

An attacker who wants to register an e-mail address that does not belong to him can take the following steps: register with his own e-mail address; immediately afterwards, register the foreign address; read the value of “candidate_hrobject” from the URL received at registration; increase this value by one; insert this value into the HTTP GET request from the confirmation letter for the second address and add the “corr_act_guid” parameter from the confirmation letter for his own address (the victim's address will be deemed confirmed, and the victim will lose the ability to work with the recruiting system). If that does not work, the attacker can try increasing the value of “candidate_hrobject” further, since other people may have registered and confirmed their addresses in the meantime.
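The two design defects described above (a confirmation value that is not bound to one registration, and an address that is locked as soon as anyone claims it) are easiest to see as a pair of verifiers side by side. The following is an added example written for this article, not code from SAP or SEC Consult: it models the confirmation link with the two Base64-encoded parameters named in the text, implements a flawed registry that accepts any previously issued GUID for any candidate, and a hardened registry whose token belongs to exactly one registration, is compared in constant time, expires, and whose pending claims can be replaced by the address's real owner. The class names, the placeholder host and the sample addresses are assumptions made for the example.

```python
import base64
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed toy model of the confirmation flow described in the article.
# Class/function names, host and addresses are assumptions; not SAP's code.
BASE_URL = "https://recruiting.example.invalid/confirm"  # placeholder host


def build_link(candidate_id: int, token: str) -> str:
    """Produce a link shaped like the article's: both parameters Base64-encoded."""
    enc = lambda s: base64.urlsafe_b64encode(s.encode()).decode()
    query = urlencode({"candidate_hrobject": enc(str(candidate_id)),
                       "corr_act_guid": enc(token)})
    return f"{BASE_URL}?{query}"


def parse_link(link: str) -> tuple[int, str]:
    """Inverse of build_link: recover (candidate_id, token) from the URL."""
    qs = parse_qs(urlparse(link).query)
    dec = lambda s: base64.urlsafe_b64decode(s).decode()
    return int(dec(qs["candidate_hrobject"][0])), dec(qs["corr_act_guid"][0])


@dataclass
class Registration:
    candidate_id: int
    email: str
    token: str
    issued_at: float
    confirmed: bool = False


class FlawedRegistry:
    """Reproduces the weakness: IDs increment predictably, and a GUID is
    accepted if it was ever issued, with no binding to one registration."""

    def __init__(self):
        self.next_id = 1000
        self.regs: dict[int, Registration] = {}
        self.issued: set[str] = set()

    def register(self, email: str) -> str:
        if any(r.email == email for r in self.regs.values()):
            raise ValueError("e-mail already registered")  # one claim, ever
        cid, self.next_id = self.next_id, self.next_id + 1
        guid = secrets.token_hex(16)
        self.issued.add(guid)
        self.regs[cid] = Registration(cid, email, guid, time.time())
        return build_link(cid, guid)

    def confirm(self, link: str) -> bool:
        cid, guid = parse_link(link)
        reg = self.regs.get(cid)
        # Bug: guid is checked against the pool, never against reg.token.
        if reg is None or guid not in self.issued:
            return False
        reg.confirmed = True
        return True


class HardenedRegistry:
    """Fix: the token belongs to exactly one registration, is compared in
    constant time, is single-use and expires; a pending (unconfirmed) claim
    is replaced when the address registers again, so nobody is locked out."""

    TTL_SECONDS = 24 * 3600

    def __init__(self):
        self.next_id = 1000
        self.regs: dict[int, Registration] = {}

    def register(self, email: str) -> str:
        for cid, r in list(self.regs.items()):
            if r.email == email:
                if r.confirmed:
                    raise ValueError("e-mail already confirmed")
                del self.regs[cid]  # drop the pending claim and its token
        cid, self.next_id = self.next_id, self.next_id + 1
        token = secrets.token_urlsafe(32)
        self.regs[cid] = Registration(cid, email, token, time.time())
        return build_link(cid, token)

    def confirm(self, link: str) -> bool:
        cid, token = parse_link(link)
        reg = self.regs.get(cid)
        if reg is None or reg.confirmed:
            return False
        if time.time() - reg.issued_at > self.TTL_SECONDS:
            return False
        if not hmac.compare_digest(reg.token, token):
            return False  # a token issued for another registration is rejected
        reg.confirmed = True
        return True


# Checks a defender would keep as regression tests for the confirmation flow.
def legitimate_confirmation_works(registry_cls) -> bool:
    reg = registry_cls()
    return reg.confirm(reg.register("applicant@example.invalid"))


def token_is_bound_to_its_registration(registry_cls) -> bool:
    """True if a token issued for one candidate cannot confirm another."""
    reg = registry_cls()
    _, own_token = parse_link(reg.register("first@example.invalid"))
    other_id, _ = parse_link(reg.register("second@example.invalid"))
    return not reg.confirm(build_link(other_id, own_token))


def owner_can_reclaim_pending_address(registry_cls) -> bool:
    """True if an unconfirmed claim does not block the address's owner."""
    reg = registry_cls()
    stale = reg.register("owner@example.invalid")  # pending, never confirmed
    try:
        fresh = reg.register("owner@example.invalid")
    except ValueError:
        return False
    return (not reg.confirm(stale)) and reg.confirm(fresh)
```

Running the three checks against both classes shows the difference: the flawed registry passes only the first check, while the hardened one passes all three. The point of the fix is not the randomness of the GUID (the flawed version already uses a random value) but that the verifier compares the presented value with the one stored for that specific candidate, and that an unconfirmed claim never reserves an address.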

“This attack is possible because the confirmation link is given a unique identifier,” says George Lagoda, Director General of SEC Consult Services. “The simplicity of exploitation makes this vulnerability quite dangerous for both job seekers and businesses. Applicants may suffer particularly badly: there was nothing to prevent criminals from ‘registering’ the same applicant in many companies that use SAP's development for recruiting. Except, of course, timely patches.”

© 2017 – 2019, paradox. All rights reserved.
