
SAP E-Recruiting

Product
Developers: SAP SE
Technology: HRM

A solution for human capital management and for optimizing workforce recruiting procedures, based on SAP E-Recruiting. It allows a company to build an end-to-end system for interacting with the most promising and talented specialists, to staff the company, and to plan career development and succession.

2017: Vulnerability detection

In September 2017, a vulnerability was found in the SAP E-Recruiting personnel recruitment system that allows attackers to interfere with the hiring of applicants. The vulnerability is quite simple to exploit, which makes it even more dangerous.

As experts at SEC Consult found out, when a new applicant registers in the corporate SAP E-Recruiting application, an e-mail is sent with a link asking the applicant to confirm access to the specified mailbox. However, this procedure can be bypassed.

The vulnerability in SAP's recruiting system allowed a number of applicants to be blocked
"Attackers have the opportunity to register and simulate confirmation of e-mail addresses to which they have no access," says Roman Ginyatullin, information security expert at SEC Consult Services. "A few simple actions are enough for this. In addition, because SAP E-Recruiting allows only a single registration of the same e-mail address, attackers can block the application from a specific applicant entirely, unless that applicant uses a different address."

According to the description by SEC Consult experts ([1]), the address-confirmation letter contains a link with HTTP GET parameters in which two key parameters, candidate_hrobject and corr_act_guid, are encoded.

The candidate_hrobject parameter is the unique numeric user ID. Each subsequent applicant is assigned a value one greater than the previous one.

In turn, the corr_act_guid parameter is a random value used when confirming a specific e-mail address. However, this value is not bound to a specific event (i.e. an application).

As a result, this value can be reused several times, and the candidate_hrobject value is easy for an attacker to guess. The sequence of actions in the attack is as follows. The attacker registers an applicant request on their own behalf, using their own e-mail address. Immediately afterwards, they can try to register the address of the potential victim. Then, having read the candidate_hrobject value from the link in the confirmation letter for the first address and incremented it by one, they can send the confirmation request to the system again, placing the old corr_act_guid value and the incremented candidate_hrobject value in the HTTP GET request. In this case the potential victim's e-mail address is considered confirmed, and its real owner can no longer work with the system using the same address.

The attack is also made possible by the lack of "binding", i.e. a unique single-use identifier, in the address-confirmation link. It should be noted that the parameters in the link are encoded (using base64), but decoding them takes no special effort.
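As an added example (not SAP's code, and not taken from the SEC Consult advisory), the following Python sketch shows the binding the page says was missing: the confirmation token is generated per request, stored server-side against exactly one candidate_hrobject, expires, and is invalidated on first use, so a token read from one link cannot confirm a different ID. The in-memory store and the URL are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Hypothetical in-memory store; a real deployment keeps this server-side and persistent.
# Key: candidate_hrobject -> record for the single pending confirmation of that candidate.
PENDING: dict = {}


def issue_confirmation_link(candidate_hrobject: int, email: str, ttl_seconds: int = 3600) -> str:
    """Create a confirmation link whose corr_act_guid is unguessable, bound to this
    candidate_hrobject and address, expires, and can be consumed only once."""
    token = secrets.token_urlsafe(32)  # fresh random token per request, never reused
    PENDING[candidate_hrobject] = {
        "email": email,
        # store only a hash, so a leaked store does not reveal usable tokens
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": time.time() + ttl_seconds,
        "used": False,
    }
    # constructed hostname, not a real system
    return (f"https://recruiting.example.test/confirm"
            f"?candidate_hrobject={candidate_hrobject}&corr_act_guid={token}")


def params_from_link(link: str) -> tuple:
    """Extract (candidate_hrobject, corr_act_guid) from a confirmation link."""
    qs = parse_qs(urlparse(link).query)
    return int(qs["candidate_hrobject"][0]), qs["corr_act_guid"][0]


def confirm(candidate_hrobject: int, corr_act_guid: str) -> bool:
    """Accept the confirmation only if the token matches the record issued for
    exactly this candidate, is unexpired, and has not been used before."""
    rec = PENDING.get(candidate_hrobject)
    if rec is None or rec["used"] or time.time() > rec["expires"]:
        return False
    presented = hashlib.sha256(corr_act_guid.encode()).hexdigest()
    # constant-time comparison avoids leaking the stored hash through timing
    if not hmac.compare_digest(presented, rec["token_hash"]):
        return False
    rec["used"] = True  # single use: replaying the same link is rejected
    return True
```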

The vulnerability was first discovered in July of this year in version 617. SAP confirmed the existence of similar vulnerabilities in three more versions: 605, 606 and 616. The patch was published on September 12, 2017.

Notes