The SAP threat landscape keeps growing, putting organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report is intended to give an insight into the latest security threats and vulnerabilities.
- The first set of SAP Security Notes of 2017 consists of 23 security patches. Most of them address XSS and missing authorization check vulnerabilities.
- The most dangerous security issue has a CVSS v3.0 base score of 9.8 (out of 10).
- SAP Single Sign-On (SSO) has a DoS vulnerability. This mechanism provides access to cloud and on-premises solutions through the web, via mobile devices, and from native SAP clients. By exploiting the vulnerability, an attacker can prevent numerous SAP customers from accessing the applications they need for their work.
SAP Security Notes – January 2017
4 of the Notes were released between the second Tuesday of the previous month and the second Tuesday of this month. 2 of the Notes are updates to previously released Security Notes.
1 of the released SAP Security Notes has a Hot News priority rating. The highest CVSS score among the vulnerabilities is 9.8.
The most common vulnerability type is Missing Authorization check.
Issues that were patched with the help of ERPScan
This month, 4 critical vulnerabilities identified by ERPScan’s researchers Mathieu Geli and Vahagn Vardanyan were closed.
Below are the details of the SAP vulnerabilities identified by ERPScan researchers.
- A denial of service vulnerability in SAP Single Sign-On (CVSS Base Score: 7.5). A fix is available in SAP Security Note 2389042. An attacker can exploit the vulnerability to terminate a process of the vulnerable component. Until the process is restarted, nobody is able to use the service, which disrupts business processes, causes system downtime and, as a result, harms business reputation.
- An XML external entity (XXE) vulnerability in SAP NetWeaver Visual Composer (CVSS Base Score: 6.4). A fix is available in SAP Security Note 2347439. An attacker can send specially crafted, unauthorized XML requests containing external entity declarations that the XML parser resolves. In this way the attacker can gain unauthorized access to files on the OS file system.
- A cross-site scripting vulnerability in SAP Enterprise Portal Real Time Collaboration (CVSS Base Score: 6.1). A fix is available in SAP Security Note 2341302. The component does not sufficiently encode user input before rendering it, resulting in a cross-site scripting vulnerability.
- An SQL injection vulnerability in SAP NetWeaver UDDI Server (CVSS Base Score: 4.1). A fix is available in SAP Security Note 2356504. An attacker can exploit the SQL injection vulnerability with specially crafted SQL queries to read and modify sensitive information in the database, execute administrative operations on the database, or remove data or make it unavailable. In some cases, an attacker can also access system data or execute OS commands.
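The XXE item above describes the bug class only in words. The following added example (it is not SAP or Visual Composer code, and the parser, file path and secret are constructed for the illustration) reproduces the mechanism with the Python standard-library SAX parser: the same attacker-controlled document is parsed once with external general entities enabled, which is how a vulnerable parser behaves, and once with them disabled. Only the first run hands the contents of a local file back to the application.

```python
"""Added example: XML external entity (XXE) resolution, vulnerable vs hardened.

Not SAP or Visual Composer code. The same attacker-supplied document is parsed
with the stdlib SAX parser in two configurations; the vulnerable one resolves
the SYSTEM entity and leaks a local file into the parsed content.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Records the character data the parser hands back, i.e. what the
    application sees (and may echo to the attacker in a response)."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def parse_untrusted_xml(document: bytes, resolve_external_entities: bool) -> str:
    """Parse attacker-supplied XML and return its text content.

    resolve_external_entities=True makes the parser fetch the target of
    <!ENTITY name SYSTEM "..."> declarations, which is the XXE condition.
    False is the safe setting (and the stdlib default since Python 3.7.1).
    """
    reader = xml.sax.make_parser()
    reader.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    reader.setContentHandler(collector)
    reader.parse(io.BytesIO(document))
    return collector.text()


def xxe_payload(target_path: str) -> bytes:
    """Build the classic XXE document: declare an external entity pointing at
    a local file and reference it inside the element content."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE request [\n'
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        ']>\n'
        '<request>&xxe;</request>\n'
    ).encode("utf-8")


def run_xxe_demo() -> dict:
    """Create a constructed secret file, then parse the XXE payload against it
    with both parser configurations. Returns the text each configuration produced."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")  # hypothetical target file
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write("DB_PASSWORD=hunter2")  # constructed sample secret, not real
        payload = xxe_payload(secret_path)
        return {
            "vulnerable": parse_untrusted_xml(payload, resolve_external_entities=True),
            "hardened": parse_untrusted_xml(payload, resolve_external_entities=False),
        }


if __name__ == "__main__":
    result = run_xxe_demo()
    print("external entities enabled :", repr(result["vulnerable"]))
    print("external entities disabled:", repr(result["hardened"]))
```

The hardened configuration does not reject the document; it simply skips the entity reference, so the element text comes back empty. When auditing a component that accepts XML, the check is therefore whether the parser is configured to resolve external entities (and DTDs at all), not whether the input is well-formed.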
About Denial of service vulnerability in SAP Single Sign-On
SSO (Single Sign-On) is a mechanism that lets a user authenticate with one set of login credentials, instead of numerous passwords that may be weak, reused, or written down somewhere, to access all the applications the user is entitled to. It thus raises the security level and protects sensitive company and personal data.
SAP states that its SSO technology provides customers with secure access to SAP and non-SAP business applications across the whole landscape. It also “supports both cloud and on-premises scenarios, providing simple and secure single sign-on access through the web, via mobile devices, and using native SAP clients” (source).
Unfortunately, a security measure implemented by a vendor can itself pose a security risk. This month, SAP closed a DoS vulnerability in the SAP SSO solution identified by an ERPScan researcher. The issue allows an attacker to crash or flood the service; as a result, legitimate users cannot access any of the linked applications, and the downtime can cost the victim company revenue.
This is not the first time ERPScan researchers have discovered vulnerabilities in solutions that themselves implement security measures. Examples include a vulnerability in PeopleSoft SSO and several critical security issues in SAP Afaria (an MDM solution from SAP).
The most critical issues identified by other researchers and closed by SAP Security Notes January 2017
The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2407862: SAP Sybase Asset Management has multiple buffer overflow vulnerabilities (CVSS Base Score: 9.8), CVE-2015-8277. An attacker can exploit a buffer overflow to place specially crafted data in the memory of the running process so that the vulnerable application executes attacker-supplied code. That code runs with the same privileges as the affected service, which can lead to complete control of the application, denial of service, command execution, and more. Install this SAP Security Note to mitigate these risks.
- 2361633: SAP Business Intelligence platform has an SQL injection vulnerability (CVSS Base Score: 6.4). An attacker can exploit it with specially crafted SQL queries to read and modify sensitive information in the database, execute administrative operations on the database, or remove data or make it unavailable. In some cases, an attacker can also access system data or execute OS commands. Install this SAP Security Note to mitigate these risks.
- 2377626: SAP Enterprise Portal Theme Editor has a cross-site scripting vulnerability (CVSS Base Score: 6.1). An attacker can exploit it to inject a malicious script into a page viewed by other users. Install this SAP Security Note to mitigate these risks.
Advisories for these SAP vulnerabilities with technical details will be available on erpscan.com in 3 months. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.
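Both SQL injection items in this report (the UDDI Server note from ERPScan and the Business Intelligence platform note above) describe the same consequence: crafted input changes the query and lets the attacker read data the application never meant to return. The added example below (not SAP code; the table, user names and password hashes are constructed sample data) shows that mechanism with the stdlib sqlite3 module, with the string-built lookup beside its parameterized replacement, using a tautology payload and a UNION payload that pulls the password hash column into the result set.

```python
"""Added example: SQL injection, string-built query vs parameterized query.

Not SAP, UDDI Server or BI platform code; an illustration of the bug class
using the Python standard-library sqlite3 module on constructed sample data.
"""
import sqlite3

SAMPLE_USERS = [  # constructed sample data, not from any real system
    ("alice", "admin", "sha256$7a4f0e5c"),
    ("bob", "user", "sha256$1b9d2c8e"),
    ("carol", "user", "sha256$c0ffee42"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role, password_hash) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the caller-controlled name is spliced into the SQL text, so a
    quote in it ends the literal and the rest becomes part of the query."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """HARDENED: the value travels as a bound parameter; the query structure is
    fixed before the database ever sees the attacker's string."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology and
# returns every row; the second appends a UNION that pulls password_hash into
# the result set (the "read sensitive information" case from the notes above).
# The trailing "--" comments out the closing quote the template adds.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT name, password_hash FROM users --"


if __name__ == "__main__":
    db = build_db()
    for label, lookup in (("vulnerable", find_user_vulnerable),
                          ("parameterized", find_user_safe)):
        print(label, "tautology  ->", lookup(db, TAUTOLOGY))
        print(label, "union dump ->", lookup(db, UNION_DUMP))
```

With the parameterized version both payloads are just names that do not exist, so the lookup returns no rows. Note that sqlite3's `execute()` refuses to run more than one statement, so stacked payloads (`'; DROP TABLE ...`) fail here even in the vulnerable function; on database engines that accept batches, the same string-building flaw also gives the attacker the data modification and administrative operations the notes mention.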
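The two cross-site scripting items in this report (Real Time Collaboration and the Theme Editor above) both come down to output that is not sufficiently encoded for the context it lands in. The added example below (not SAP code; the markup template and payloads are hypothetical) renders a user-supplied display name into an HTML attribute and into element text with no encoding, with quote-less encoding, and with full encoding, then uses a small HTMLParser-based auditor to show which tags and attribute names a browser would actually see. It also covers the edge case that partial encoding misses: an attribute-context payload that needs no `<` or `>` at all.

```python
"""Added example: cross-site scripting from insufficient output encoding.

Not SAP Enterprise Portal code. A hypothetical template places a display name
into an attribute and into element text; three renderers differ only in how
they encode it, and an HTMLParser-based auditor reports the resulting markup.
"""
import html
from html.parser import HTMLParser

# Hypothetical markup; the name appears in two contexts (attribute and text).
TEMPLATE = '<div class="rtc-user" title="{name}">Hello, {name}</div>'


def render_vulnerable(display_name: str) -> str:
    """No encoding at all: the input lands in the page verbatim."""
    return TEMPLATE.format(name=display_name)


def render_partially_encoded(display_name: str) -> str:
    """Encodes <, > and & but not quotes. Enough for element text, not for an
    attribute value: a leading double quote still closes the attribute."""
    return TEMPLATE.format(name=html.escape(display_name, quote=False))


def render_hardened(display_name: str) -> str:
    """Encodes <, >, &, " and ' so the input cannot alter the markup in either
    context this template uses."""
    return TEMPLATE.format(name=html.escape(display_name, quote=True))


class MarkupAuditor(HTMLParser):
    """Collects every tag name and attribute name in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = set()
        self.attr_names = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        self.attr_names.update(name for name, _ in attrs)


def audit(markup: str) -> tuple:
    """Return (sorted tag names, sorted attribute names) found in the markup.
    For TEMPLATE the only legitimate result is (['div'], ['class', 'title'])."""
    auditor = MarkupAuditor()
    auditor.feed(markup)
    auditor.close()
    return sorted(auditor.tags), sorted(auditor.attr_names)


# Constructed payloads. The first closes the attribute and injects a tag; the
# second contains no < or >, so encoding that leaves quotes alone does not stop it.
SCRIPT_PAYLOAD = '"><script>alert(1)</script>'
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(1)'


if __name__ == "__main__":
    for renderer in (render_vulnerable, render_partially_encoded, render_hardened):
        for payload in (SCRIPT_PAYLOAD, ATTRIBUTE_PAYLOAD):
            print(renderer.__name__, repr(payload), "->", audit(renderer(payload)))
```

The auditor is a review aid, not a browser: it reports what HTML parsing makes of the rendered string, which is enough to see that only the fully encoded renderer keeps the fragment to one `div` with `class` and `title`. The practical rule it illustrates is that the encoder must match the output context; an encoder that is fine for element text is not automatically fine for an attribute value.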
SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.