ZDI has recently published the details of two buffer overflow vulnerabilities in the SAP Message Server. Both of them can be exploited remotely so the exploit code can be executed on the server. The vulnerabilities received respective ratings of 9 and 10 according to CVSSv2.
SAP released the Security Notes 1649840 and 1649838 back in February 2012 and responsible administrators had a chance to install the updates before details were published. Nevertheless, many companies neglected security updates so their systems still stay vulnerable. It is believed that the main threats come from malicious insiders or cybercriminals who have found a way into corporate internal resources. However, according to a recent research by ERPScan, which is described in a report called “SAP security in figures: a global survey 2007-2011“, SAP Message Server is also accessible from the Internet.
Out of 1000 companies that use SAP worldwide, randomly selected in the course of the research, 4% expose SAP Message Server to the Internet. This can lead to critical consequences if the mentioned vulnerabilities exist in a corporate system.
Three countries were scanned in detail, in particular Germany, Russia and Portugal. The results are available at sapscan.com and are updated regularly. Exposed SAP Message Servers have amounted to:
- Portugal: 18
- Germany: 9
- Russia: 6
It is highly recommended to install the mentioned updates as soon as possible.