Hackers have learned to deprive people of jobs

16 September 2017, 04:36 | Technologies

An unpleasant vulnerability has been discovered in the SAP E-Recruiting system that lets an attacker block applicants from applying for jobs. Exploiting it is extremely simple, which makes it all the more dangerous.

Bug as a hiring factor.

Experts at SEC Consult found a very unfortunate vulnerability in the SAP E-Recruiting system that allows attackers to interfere with the hiring process and block applicants from applying.

Normally, when an applicant registers in a company's E-Recruiting application, they receive an e-mail containing a link to confirm that they control the mailbox. This check can be circumvented, however: attackers can register and "confirm" e-mail addresses to which they have no access.

In other words, an attacker can register an e-mail address that does not belong to him, which can have serious consequences for the business, since its processes depend heavily on the reliability of applicants' e-mail addresses.

Moreover, since an e-mail address can be registered only once, an attacker can prevent legitimate applicants from registering in E-Recruiting at all.

The vulnerability affects versions 605, 606, 616 and 617. It was discovered in July 2017; SAP responded fairly quickly and confirmed the problem. The patch and the security bulletin were released together on September 12.

Non-unique value.

According to SEC Consult's description, the address-confirmation e-mail contains a link with an HTTP GET parameter that Base64-encodes two values, "candidate_hrobject" and "corr_act_guid". The first is the candidate identifier, which is assigned sequentially; the second is an arbitrary value used to confirm the e-mail address. However, this value is not tied to a particular registration, so a value from any previous registration can be reused. And since "candidate_hrobject" simply increments, an attacker can guess it.

An attacker who wants to register an e-mail address that is not his own can proceed as follows: register with his own address; immediately afterwards register the foreign address; read the value of "candidate_hrobject" from the link received for his own registration; increase it by one; then send the confirmation request for the second address with that incremented value and the "corr_act_guid" taken from the confirmation e-mail for his own address. The victim's address is then treated as confirmed, and the victim loses the ability to use the recruiting system. If this does not work at once, the attacker can keep incrementing "candidate_hrobject": the system may well let him register and confirm other people's addresses.
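The following simulation, added here and not code from SEC Consult or SAP, models the two properties the article describes (a sequential candidate_hrobject and a corr_act_guid that is accepted regardless of which candidate it was issued to), shows the forged link the attacker builds from his own confirmation link, and contrasts it with a check that binds the GUID to one candidate and burns it on first use. The link layout (a URL-safe Base64 wrapper around a query string), the class names and the in-memory store are assumptions made for the example; SAP's real encoding is not given on this page.

```python
"""Simulation of the E-Recruiting confirmation flaw (added example, not SAP
or SEC Consult code). The Base64-wrapped query string, class names and the
in-memory store are assumptions for the demonstration only."""
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode


def encode_link_params(candidate_hrobject: int, corr_act_guid: str) -> str:
    """Assumed link format: query string wrapped in URL-safe Base64."""
    raw = urlencode({"candidate_hrobject": candidate_hrobject,
                     "corr_act_guid": corr_act_guid})
    return base64.urlsafe_b64encode(raw.encode()).decode()


def decode_link_params(token: str) -> dict:
    raw = base64.urlsafe_b64decode(token.encode()).decode()
    fields = parse_qs(raw)
    return {"candidate_hrobject": int(fields["candidate_hrobject"][0]),
            "corr_act_guid": fields["corr_act_guid"][0]}


class VulnerableRecruiting:
    """Confirmation accepts any GUID ever issued, for any candidate ID."""

    def __init__(self):
        self.next_id = 1000            # sequential, hence guessable
        self.candidates = {}           # id -> {"email", "confirmed"}
        self.issued_guids = set()

    def register(self, email: str) -> str:
        cid, self.next_id = self.next_id, self.next_id + 1
        guid = secrets.token_hex(16)
        self.candidates[cid] = {"email": email, "confirmed": False}
        self.issued_guids.add(guid)
        return encode_link_params(cid, guid)   # what the mail would carry

    def confirm(self, token: str) -> bool:
        p = decode_link_params(token)
        cid = p["candidate_hrobject"]
        # Flaw: the GUID is checked for existence only, never for which
        # candidate it was issued to, and it is never consumed.
        if cid in self.candidates and p["corr_act_guid"] in self.issued_guids:
            self.candidates[cid]["confirmed"] = True
            return True
        return False


class HardenedRecruiting(VulnerableRecruiting):
    """GUID is bound to exactly one candidate and burned on first use."""

    def __init__(self):
        super().__init__()
        self.pending = {}              # id -> one-time guid

    def register(self, email: str) -> str:
        token = super().register(email)
        p = decode_link_params(token)
        self.pending[p["candidate_hrobject"]] = p["corr_act_guid"]
        return token

    def confirm(self, token: str) -> bool:
        p = decode_link_params(token)
        cid = p["candidate_hrobject"]
        expected = self.pending.get(cid)
        if expected is None or not hmac.compare_digest(expected, p["corr_act_guid"]):
            return False
        del self.pending[cid]          # single use
        self.candidates[cid]["confirmed"] = True
        return True


def forge_next_candidate(own_token: str, step: int = 1) -> str:
    """The attack from the article: keep your own GUID, bump the ID."""
    p = decode_link_params(own_token)
    return encode_link_params(p["candidate_hrobject"] + step, p["corr_act_guid"])


def run_scenario(system: VulnerableRecruiting) -> dict:
    """Attacker registers, victim registers right after, attacker forges."""
    attacker_token = system.register("attacker@example.com")   # constructed
    system.register("victim@example.net")                      # constructed
    forged = forge_next_candidate(attacker_token)
    victim_id = decode_link_params(forged)["candidate_hrobject"]
    return {"accepted": system.confirm(forged),
            "victim_confirmed": system.candidates[victim_id]["confirmed"]}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableRecruiting()))
    print("hardened:  ", run_scenario(HardenedRecruiting()))
```

Against the vulnerable model the forged link is accepted and the victim's record is marked confirmed without the victim ever seeing a mail; against the hardened model the same link is rejected because the GUID was issued to a different candidate. The fix is the one the article implies: the confirmation token must be unique to the registration it confirms and valid only once.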

"This attack is possible because there is no unique one-time identifier in the confirmation link," says George Lagoda, CEO of SEC Consult Services. "The ease of exploitation makes this vulnerability quite dangerous for both applicants and businesses. Applicants may suffer particularly badly: nothing will prevent intruders from starting to 'register' the same applicant in a variety of companies that use the SAP product for recruitment. Except, of course, a patch installed in time."
