Fatal flaw found in PricewaterhouseCoopers SAP security software

A security tool built for SAP systems by PricewaterhouseCoopers has turned out to have worrying security holes of its own. German security research firm ESNC has been analyzing the Automated Controls Evaluator (ACE), which extracts relevant security and configuration data from an SAP system, analyzes it, and generates …

  1. Anonymous Coward
    Anonymous Coward

    Plug your holes... with lawyers!

    HAHA! Nice try PwC. You're nicked, mate. Get as many lawyers as you can, and stuff them down the hole! WAY DOWN!!1!

    note to self; add PwC to the target list.

  2. Anonymous Coward
    Anonymous Coward

    "Instead of fixing the issue, PwC lawyered up"

    And this unhelpful behaviour comes as a surprise to anyone, because?

  3. Zippy's Sausage Factory
    Facepalm

    PWC didn't think this through...

    ...because if they can do that, then SAP can do exactly the same to them...

  4. Anonymous Coward
    Anonymous Coward

    I'm at a bit of a loss to understand this one. Can anyone tell me why an audit extraction app would need anything other than read-only access? I can see how it could access and export sensitive data, but why would anyone ever give it rights to inject anything into the SAP environment at all?

    1. tfewster

      Agreed, read-only access to the configs and metadata would be sensible, but maybe the ACE software is so badly written that it will only run as the "superuser"? Or maybe reading configs in SAP needs full rights (in which case SAP Corp have questions to answer as well)?

      If the audit software has an access vuln itself, it could then be modified to read and change anything.

    2. Anonymous Coward
      Anonymous Coward

      I'm at a bit of a loss to understand this one.. can anyone tell me why an audit extraction app would need anything other than read only access? I can see how it could access and export sensitive data but why would anyone ever give it rights to inject anything into the SAP environment at all?

      Well, duh, it's simply PwC planning ahead. Just do a search for "PwC scandal" and you'll find fun stuff such as what happened at Tesco and Petrobras, things like LuxLeaks and various other tax evasion scandals (which feature that other frequently appearing company when anything dodgy happens, HSBC) - the list goes on and on.

      (From the article) "This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money."

      By leaving a giant hole, PwC appears to have been planning for the Shaggy defence when caught again, planning to claim "it wasn't us but them dodgy hackers and we're shocked about the evidently shoddy security but that should certainly absolve us from any responsibility (yada yada)".

      That also explains why the people who discovered this got a lawyer's letter instead of the reward they deserved - they probably just ruined the purchase of a couple more yachts for management.

      Not all security problems are by accident, and neither are badly executed audits.

      1. Destroy All Monsters Silver badge

        Luxleaks is not a tax evasion scandal, dude.

        It may be classed under "unfair practices" and "sweetheart deals" as apparently in Europe states are supposed to not deal those out.

      2. ecofeco Silver badge

        Damn AC! Good find! Wow!

    3. Adam Trickett
      Holmes

      Because it's just software, and within SAP there is BUGGER all to stop a program from doing stuff once it's running. If you are properly configured some system calls (functions and classes) will check authorisation objects, but if your ABAP is running then you're already on the inside and all bets are off. It should have been audited, but that is easier said than done and you can bet most companies don't have the will or resources to do it.

      Basically SAP assume that the writer of ABAP knows what they are doing; if the code is shite on the security front (which it usually is) then the result is shite on the security front. Having seen what SAP and most third party vendors write I'm not surprised. It is possible to write good ABAP for SAP systems and have a program with decent security and the right functions, but it's a rare thing to see... To be honest most code I've seen is dire on more than just security: crap usability, crap performance, eats memory like it's going out of fashion and is impossible to debug, extend or fix. Most companies don't see the code that's on their SAP boxes and most never audit a thing.
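
As an added illustration of the point made in this comment (this is not code from the article, ESNC, PwC or SAP), the constructed ABAP report below shows why a program's own discipline decides whether authorisation is enforced: the Open SQL SELECT on the user master table is not checked against any authorisation object by the runtime, so the report only honours the display authorisation because it calls AUTHORITY-CHECK itself before the read. The report name is an assumption; S_USER_GRP with its fields CLASS and ACTVT, activity 03 (display) and table USR02 are standard SAP names.

```abap
REPORT z_authcheck_demo.
" Added example, not from the article. The report name is an assumption;
" S_USER_GRP, CLASS, ACTVT, activity 03 and USR02 are standard SAP names.
" The database read below is not checked against any authorisation object
" by the runtime; only the explicit AUTHORITY-CHECK statement enforces the
" display authorisation. Remove that block and the SELECT still runs for
" any user who can execute the report.

DATA lt_users TYPE STANDARD TABLE OF usr02.
DATA ls_user  TYPE usr02.

" Explicit check: may this user display user master records?
" CLASS is marked DUMMY so only the activity is tested here.
AUTHORITY-CHECK OBJECT 'S_USER_GRP'
  ID 'CLASS' DUMMY
  ID 'ACTVT' FIELD '03'.

IF sy-subrc <> 0.
  " Abort with an error message before any data is read.
  MESSAGE 'Not authorised to display user master data' TYPE 'E'.
ENDIF.

" Open SQL performs no authorisation check of its own.
SELECT bname trdat FROM usr02
  INTO CORRESPONDING FIELDS OF TABLE lt_users
  UP TO 10 ROWS.

LOOP AT lt_users INTO ls_user.
  WRITE: / ls_user-bname, ls_user-trdat.
ENDLOOP.
```

The same pattern applies to any table read or function call a tool like ACE performs on a client system: the authorisation objects only bite where the program asks for them, which is why a code review of the extractor programs matters as much as the role assigned to the user running them.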

  5. Anonymous Coward
    Facepalm

    Because PWC is run by accountants and management consultants

    I bet PWCs technologists wanted a more proactive technical response, but they got overruled by the dominant business side of the company, who wanted to clamp down on reputational damage and unscheduled delays and expenditures to fix the vulnerability in ACE.

    1. a_yank_lurker

      Re: Because PWC is run by accountants and management consultants

      Unfortunately probably the exact reason PWC shystered up. Software will have bugs and these bugs will be discovered by someone over time. The question is whether it was a white hat or a black hat who found it. This has been reported by a white hat, but what we do not know is if any black hats found it first. Too many security incident reports indicate the hack was not discovered until much later. In cases where the hackers leaked information to the dark web, was it ever discovered?

    2. ecofeco Silver badge

      Re: Because PWC is run by accountants and management consultants

      You would win that bet as that's SOP almost everywhere.

    3. Dagg Silver badge
      Mushroom

      Re: Because PWC is run by accountants and management consultants

      Any good technologists got sold off to IBM when PWC got rid of PWCC.

      1. 's water music

        Re: Because PWC is run by accountants and management consultants

        Any good technologists got sold off to IBM when PWC got rid of PWCC.

        Hahahahahahahahah. Wait wat?

  6. Refugee from Windows

    So what happens when the lawyers get hit? Who are they going to run to when their data is being rifled?

    1. Anonymous Coward
      Mushroom

      Watch out PWC!

      (Or whoever)

    2. elDog

      In the fine ole U.S. of A. they'll run for the legislature

      Either to get their buddies to write laws exempting them from those nasty accusations;

      or run for a seat in one of the houses. Lots of perks such as accepting $$$$s from people like PwC.

  7. Anonymous Coward
    Anonymous Coward

    Really, what do you expect from one of the most morally bankrupt companies in the world?

    1. lglethal Silver badge
      Trollface

      Hey SAP isn't that bad! :P

    2. Anonymous Coward
      Anonymous Coward

      Careful that you don't upset Morgan Stanley. Sometimes I get the impression they are actually proud of being thus referred to.

  8. Anonymous Coward
    Anonymous Coward

    PricewaterhouseCoopers makes software?

    Whoever uses software by such companies deserves what it gets.

    1. Anonymous Coward
      Anonymous Coward

      Re: PricewaterhouseCoopers makes software?

      Arthur Andersen did. It was the accounting side that led to the débacle.

      1. Steve Davies 3 Silver badge
        Devil

        Re: PricewaterhouseCoopers makes software?

        Shudders at the memories of AA's 'Method 1'.

        Horrendously expensive door stops. Well that's what the Volumes of 'Method 1' books ended up as IMHE.

        PWC == Pricey Woeful Crap

        SAP == Shockingly Awful Product.

        A marriage made in Hell perhaps?

  9. Anonymous Coward
    Anonymous Coward

    Cease and Desist?

    That'll show em.

    Oh wait.

  10. Anonymous Coward
    Anonymous Coward

    Wow even for cutthroat corporate motherfuckers...

    That's a motherfucking shitty thing to do....

    1. ecofeco Silver badge

      Re: Wow even for cutthroat corporate motherfuckers...

      This is the century of ever lowered expectations.

      They're just trying to close the bastard gap.

  11. Anonymous Coward
    Anonymous Coward

    I once had to go to a meeting with a PWC consultant to provide technical details if required...

    He said to me, and these are his exact words, "Don't look at me when I'm lying." Anon because lawyers.

    1. Anonymous Coward
      Anonymous Coward

      Re: I once had to go to a meeting with a PWC consultant to provide technical details if required...

      "Of course. I'll require a specific written warning before every lie, to be received no later than thirty days in advance"

  12. BristolBachelor Gold badge

    So what would happen if they thought that the potential legal action might have an impact on their year end accounts? Would they have to file a report with the securities exchange committee saying "After we found a security hole in XXXXs application and informed them and offered to help, they threatened us with legal action, which may be a risk for our year end accounts".

    Obviously they haven't done anything wrong! If there wasn't the threat of legal action, they wouldn't have had to do it, and the bug could have remained undisclosed while it was being fixed. Instead, at least its existence would have to be disclosed instantly.

  13. Anonymous Coward
    Anonymous Coward

    Why do people give deadlines anymore? Better to say "please fix this in a timely manner". If they don't act in a reasonable time then release the vuln anonymously. If the company doesn't fix it then you can still claim you notified them and someone else also recognised the issue; that's what finding vulns is all about, saying that other people are also capable of finding them but not disclosing. Even anonymous posting is better than keeping it to yourself: it warns the public about issues, and the company sees that providing a good product is more profitable than hoping vulns don't get discovered and that hushing up subsequent security breaches isn't good business.

    1. Alan Brown Silver badge

      "If they don't act in a reasonable time then release the vuln anonymously"

      1: They'll still lawyer up

      2: Even if you release anonymously past that point they'll still lawyer up on you, on the basis that you probably did it.

      The one thing PWC have absolutely guaranteed is that NOBODY will ever bother giving them advance notice of vulnerabilities again.

      Further, they've provided ammunition for the camp that argues immediate disclosure is in the best interest.

  14. Blitheringeejit
    Mushroom

    Are we sure these are bugs?

    PWC have a long history of book-cooking and tax-juggling (http://www.bbc.co.uk/news/business-31147276 , http://www.taxjustice.net/tag/pwc/ etc etc) ...so why assume these "features" are actually bugs? Surely "...manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money..." is exactly the kind of functionality you'd want if you're running an operation as shady and disreputable as PWC.

    1. Anonymous Coward
      Thumb Up

      Re: Are we sure these are bugs?

      Certainly explains why they got so uppity when some poor kindly soul tried to help them "fix" their shit!

    2. Destroy All Monsters Silver badge
      Facepalm

      Re: Are we sure these are bugs?

      "tax juggling" is, however, above-board, constructed outrage to be consumed by the tax-victimized hoi polloi notwithstanding (one wonders whether they have been promised additional free money by their electioneering representatives? nah, can't be)

      Yeah BBC. "PwC promoted tax avoidance 'on industrial scale', say MPs" Shock horror, you don't say. Is that more or less bad than being Ghaddafi? Well, that's what PwC is getting paid for, innit.

      And with the usual truthiness of the BBC: " tax havens like Luxembourg". Yeah, no. It's a tax hell like every eurosocialist state.

      You may not like it but some people have the means to avoid the state's money grab (while you get saddled with high VAT, LOL!)

  15. Wedgie

    I'm not that surprised that something like this has been picked up; there are lots of vendor tools using exactly the same lazy techniques to auto-generate code. PwC are unlucky as they are an easy target & their response was pretty crappy. They really should have been whiter than white. There will be plenty of vendors scrambling to check their code now. I would have imagined a fair few of them would have been scanned by VirtualForge, who pretty much own the SAP code scanning space. They don't really need to publicise though. You have to also question SAP for continuing to make those techniques available; doing that would likely require a lot of refactoring (and vendors are "encouraged" not to scan SAP code outside of direct collaboration with them).

    For those commenting on the tool, ACE is the bane of many junior SAP auditors' lives. It uses client-side ABAP programs to generate extract files which are then processed separately to identify stuff like segregation of duties conflicts, change control settings, configurable control settings etc. From what I remember it can't be used to make updates, though it sounds like the programs could be subverted.

  16. allthecoolshortnamesweretaken

    A security tool built for SAP systems by PricewaterhouseCoopers?

    A security tool built for SAP systems by PricewaterhouseCoopers.

    Guys, that "minus-times-minus-gives-plus" thing only works in proper maths.

    1. Anonymous Coward
      Boffin

      Rather,

      x × y > 0 ∀ x and y where x < 0 and y < 0

      only works because of multiplication. In this case they're adding, thus the result is always going to be negative.

  17. Dwarf

    Security department

    I wonder if their security and compliance department knows about this (if anything)

    - What with all the regulatory requirements that they, like others are bound by.

  18. John Smith 19 Gold badge
    Unhappy

    "manipulate accounting documents and financial results,"

    Indeed.

    IIRC PwC picked up the remains of Arthur Andersen, the "auditors" of Enron.

    And it looks like it has been infected with some of their old corporate culture.

    Like others I'm gobsmacked this needs write authority on anything and I could certainly see someone playing the Shaggy defense if anything happens at any of their clients.

    I'm presuming they don't think anyone of any importance in their clients reads El Reg so they won't know.

    I think PwC may be surprised.

    1. Wedgie

      Re: "manipulate accounting documents and financial results,"

      In the U.K. Deloitte hoovered up the AA audit teams but it varied for other countries.

      Putting this into context, this is crappy coding but not uncommon among vendor or SAP code. I would also be surprised if this was remotely executable for any organisations following the standard security guidance provided by SAP.

  19. Doctor Syntax Silver badge

    The really depressing thing is that this is probably the right response. The sort of people who make the decisions to use this sort of software who hear about it aren't going to understand that shooting the messenger is a bad alternative to accepting the message and fixing the problem; in fact, they'd probably do the same thing themselves. And if it keeps the rest of the potential users from hearing about the problem it's served its purpose.

  20. adam payne

    "The bulletin describes a hypothetical and unlikely scenario – we are not aware of any situation in which it has materialized."

    Being unaware of any situation in which this unlikely scenario has been used is irrelevant. It should be fully investigated and patched, end of.

  21. Wedgie

    ESNC & PwC aren't in competition. PwC's ACE is an audit support tool. It extracts the information used to audit SAP systems, generally for the purposes of supporting statutory audit. Primarily ACE performs Segregation of Duties reviews. The ESNC products are more focused towards technical security - VAs etc.

  22. Anonymous Coward
    Anonymous Coward

    Borrowed from Techdirt...but good!

    "The 'Rebel Alliance' did not receive authorized access or a license to use the Death Star plans. The plans are not publicly available and are only properly accessed by those with licenses, such as Empire military staff working with trained Empire engineers," said the spokesperson. "The bulletin describes a hypothetical and unlikely scenario regarding a two-meter thermal exhaust port -- we are not aware of any situation in which it has materialized," the spokesperson said.
