Email Verification Bypass In SAP E-Recruiting

Title

Email verification bypass

Product

SAP E-Recruiting

Vulnerable Version

605, 606, 616, 617

Fixed Version

see SAP security note number 2507798

CVE Number

CVE-2017-14511

Impact

medium

Found

12.07.2017

By

Marc Nimmerrichter (Office Vienna) / SEC Consult Vulnerability Lab

E-Recruiting is an SAP module for the administration of job vacancies and applications. Email verification during the applicant registration can be bypassed.

Vendor Description

“SAP E-Recruiting” has recruitment and succession planning instruments that will help your company find new employees, employ them in positions that suit their capabilities, promote their professional development, and retain them in the long term.
As well as enabling you to handle your company’s applicant tracking activities, “SAP E-Recruiting” ensures that you drive up-to-date human resources management, by proactively maintaining contact with applicants, potential candidates, and consequently, with your employees.

Source: https://help.sap.com/saphelp_erp60_sp/helpdata/en/73/8bcf535b804808e10000000a174cb4/frameset.htm

Business Recommendation

Email address verification during the applicant registration can be bypassed. Businesses using the vulnerable component are advised to estimate the impact of insufficient email address verification on their business processes and react accordingly. It is recommended to install a patched version as soon as possible.

Vulnerability Overview/ Description

When an external applicant registers to the E-Recruiting application, he/she receives a link by email to confirm access to the provided email address. However, this measure can be bypassed and attackers can register and confirm email addresses that they do not have access to.

An attacker could register email addresses not belonging to him/her. This could have a business impact, because business processes might rely on a verified email address. Furthermore, since an email address can be registered only once, an attacker could prevent other legitimate users from registering to the
E-Recruiting application.

Proof Of Concept

The email verification link contains the “param” HTTP GET parameter with base64 encoded data. When decoded, this data contains the parameters “candidate_hrobject” and “corr_act_guid”. candidate_hrobject is an incremental user ID. corr_act_guid is a random value that needs to be provided during the email verification. However, this value is not bound to the current registration, which means that the value of a previous registration can be reused. Since candidate_hrobject is incremental, it can be guessed by an attacker. An attacker who wants to register with an email address not belonging to him/her, could simply do the following:

  1. Register with his own email address
  2. Directly afterwards register with someone else’s email address
  3. Read the current value of candidate_hrobject in the confirmation link from the first registration
  4. Increment this value by 1
  5. Send the new value in the HTTP GET request, use the corr_act_guidparameter from the first registration
  6. If this did not work: go back to step 4 to try the next ID (maybe other people registered in between the two registrations)

This attack works because there is no per-registration nonce in the confirmation link.

Vulnerable / Tested Versions

The vulnerability was found in the following release of E-Recruiting (ERECRUIT):
Release: 617

According to the vendor, the following versions are affected:
Release: 605, 606, 616, 617

Vendor Contact Timeline

2017-07-12: Contacted vendor via encrypted email with vulnerability description and Responsible Disclosure Policy attached at secure@sap.com
2017-07-13: Vendor confirmed the receipt of the email
2017-07-25: Vendor confirmed the vulnerability
2017-07-31: Contacted vendor to ask for patch release date and versions affected
2017-08-01: Vendor stated they are working on the fix and requested “adequate time”. Link to SAP Responsible Disclosure Policy was provided.
2017-08-01: Discussing release date, requested planned patch release date and versions affected.
2017-08-02: Vendor stated that the patch cannot be published until 2017-08-31 and requested more time before advisory publication.
2017-08-23: Contacted vendor to request current patch status, planned patch release date and versions affected.
2017-08-24: Vendor stated that the patch is planned to be published on 2017-09-12.
2017-08-24: Contacted vendor to request versions affected.
2017-08-28: Vendor provided versions affected.
2017-08-29: Defined 2017-09-12 as the actual advisory publication date.
2017-08-30: Vendor confirms advisory publication date.
2017-09-07: Contacted vendor to confirm patch release date and to request number of fixed release / patch.
2017-09-07: Vendor provided security note number for the patch.
2017-09-12: Public release of advisory.

Solution

A patched version of SAP E-Recruiting should be installed, as the vendor has rated this vulnerability with CVSS 6.5 base score.

Please refer to SAP Security Note 2507798 for further information.

 

Workaround

None

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

 

EOF Marc Nimmerrichter / @2017

Contact

Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult? Contact our local offices.