SAP's TREX exposed HANA, NetWeaver

SAP has rushed out a patch for its TREX search engine, after security researchers found bugs in a 2015 patch.

TREX is a search engine used in several SAP products, including its HANA database and its venerable NetWeaver application and integration platform.

According to ERPScan, SAP thought it had patched the code injection vulnerability in December 2015.

Not so: ERPScan’s Mathieu Geli looked into the TREXNet communication protocol and found it ran without authentication.

He’s quoted in the ERPScan advisory as saying “I reversed a protocol for HANA and then for the TREX search engine. As they share a common protocol, the exploit has been easily adapted. SAP fixed some features, but not everything affecting the core protocol. It was still possible to get full control on the server even with a patched TREX.”

The post says CVE-2017-7691 lets an attacker send a crafted request to TREXNet ports to read or create operating system files.

The bug was one of fifteen patched on Tuesday in SAP’s April security release. ®