ZDI has recently published the details of two buffer overflow vulnerabilities in SAP Message Server. Both can be exploited remotely, allowing arbitrary code to be executed on the server. The vulnerabilities have received CVSSv2 ratings of 9 and 10 respectively.
SAP released security notes 1649840 and 1649838 back in February 2012, so responsible administrators had the chance to install the updates before the details were published. Nevertheless, many companies neglect security updates, so their systems remain vulnerable. It is commonly believed that the main threats come from malicious insiders or from cybercriminals who have already found a way into internal corporate resources. However, according to recent research by ERPScan, described in the report "SAP security in figures: a global survey 2007-2011", SAP Message Server is in some cases also directly accessible from the Internet.
Out of 1000 companies worldwide that use SAP, randomly selected in the course of the research, 4% expose SAP Message Server to the Internet. If the vulnerabilities mentioned above are present in such a system, the consequences can be critical.
Three countries were scanned in detail, namely Germany, Russia and Portugal. The results are available at sapscan.com and are updated regularly. The number of exposed SAP Message Servers found was:
- Portugal: 18
- Germany: 9
- Russia: 6
It is highly recommended to install the mentioned updates as soon as possible.